Help With Sendmail Prescan() Vulnerbility.

Full Version: Help With Sendmail Prescan() Vulnerbility.

GovernmentSecurity.org > The Archives > Exploit Articles

SmokeX

Dec 1 2003, 12:15 PM

Could someone help me understand the Sendmail prescan() vulnerbility?
when i'm tring to exploit my server,
i get the "553 5.1.0 prescan: token too long", and server still running.
after debuging it a while (w/ gdb) i found the following:

CODE

C code:

if (q - tok > MAXNAME)
{
usrerr("553 5.1.0 prescan: token too long");
goto returnnull;
}
*avp++ = tok;

Asm code:

0x807a901 <prescan+849>: movl $0x80be240,(%esp,1)
0x807a908 <prescan+856>: call 0x806bfd0 <usrerr>
0x807a90d <prescan+861>: mov 0x18(%ebp),%ebx
0x807a910 <prescan+864>: test %ebx,%ebx
0x807a912 <prescan+866>: je 0x807a91c <prescan+876>

$0x80be240, which contains "533 5.1.0 prescan: token too long" got into esp,
and then it calls usrerr that sends us the error.

but when i'm trying to break on 0x807a901 for example,
gdb wont stop.
i suppose it fork() somewhere,
but how can i debug the sub proccess?

also i know that the "rcpt to: " command to server should contain
"rcpt to: < [256 retaddr] [x "\xff\x5c"] [CR] [shellcode] >"
< from atomix's message on that topic >
i saw that my PVPBUF is 256 + 1000 (?) length.
i also dont fully understand what is the "\xff\x00\xff\x5c",
i read about it, but dunno yet the diff between pvpbuf and ebp coz i can't debug it.

btw i'm using Sendmail 8.12.8 on Gentoo.

10x 2 all helpers

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.