5

There are a few things that I dont understand about the injection.

The injection is something along this line

> .
MAIL FROM:  mail1@gmail.com
RCPT TO: mail@gmail.com
DATA
EMAIL data
.

Here are two ways to inject in an inline fashion:

%0aDATA%0afoo%0a%2e%0aMAIL+FROM:+%0aRCPT+TO:+%0aDATA%0aFrom:+%0aTo:+%0aS ubject:+test%0afoo%0a%2e%0a

or

%0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+%0 d%0aRCPT+TO:+%0d%0aDATA%0d%0aFrom:+% 0d%0aTo:+%0d%0aSubject:+test%0d%0 afoo%0d%0a%2e%0d%0a

Why do I use the DATA keyword, what does it do?

Suppose the injection succeeds! what can an attacker do with it, apart from spam?

Kratos
  • 301
  • 1
  • 4
  • 10
  • 2
    Make your injection human readable. – rook Nov 03 '13 at 18:16
  • The injection is teh same as the one above (well the format is the same).. I just usd %0d%0a to drop a line..same method as used with http splitting – Kratos Nov 03 '13 at 18:51

1 Answers1

4

First and foremost, in the example above your injection is URL encoded and the SMTP traffic is in plain ASCII. This is confusing, its assumed that a web application would decode the URL encoded payload prior to the injection point, also this quesiton has nothing to do with web applications.

So what about the DATA command? I can understand that RFCs can be intimidating to new comers. On the Wikipedia page for the SMTP protocol it says that the DATA command is used to specify the body of the email.

In the context of SMTP command injection a new DATA segment allows an attacker to specify a new SMTP body to terminate the previous SMTP email. SMTP command injection is always in the header of the email, and header may contain values such as a subject/from/to that is undesirable to the attacker. Therefore the previous email is terminated with a null body or a body of foo in the above injection, and a fresh email is injected.

Before working with any injection, work with the language or protocol natively. In the case SMTP use telnet to interact with an SMTP server on localhost.

rook
  • 47,238
  • 10
  • 96
  • 182
  • First problem, The server is protected by NAT..I cant reach it directly. Second comment, what does it allow an attacker to do apart from bypassing email restriction such as Captcha, number of emails to send limit and dos on the smtp server? Why would an attacker be interested in such injection ? – Kratos Nov 03 '13 at 18:31
  • @Kratos localhost is not protected by a NAT, you can interact with an SMTP server on localhost using telnet/netcat for testing purposes no problem. SMTP injection turns an SMTP server into an open gateway that can be used to send spam. If its a bank or you can use it from Phishing or delivering XSS/CSRF exploits. – rook Nov 03 '13 at 18:37
  • I know it doesnt..but the application that I do penetration testing to, has a host that is connected to a router under which there are a few more hosts..and that smtp host has internal address, it isnt externally open. How can you use SMTP for XSS/CSRF//doesnt make sense – Kratos Nov 03 '13 at 18:50
  • 1
    @Kratos How do you gain understanding of SMTP command injection? Try writing SMTP commands to a server running on localhost first. I can't spoon feed you ability, you have to go out and do it. – rook Nov 03 '13 at 18:52
  • I know what SMTP injection does. you mentioned that you can use XSS/CSRF.. who asked for a proof of concept..how is spoon feeding is anything to do with anything. – Kratos Nov 03 '13 at 19:07