> These bug only affected 3.0 betas.
Bullshit ...;P
In pop_euidl() in file pop_uidl.c (qpop-2.53) :
} else {
sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
if (nl = index(buffer, NEWLINE)) *nl = 0;
sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp));
return (pop_msg (p,POP_SUCCESS, buffer)); <-- *here*
}
It looks good , but .... ;P
pop_msg(POP *p, int stat, const char *format,...)
So this function need format and some other data.
Luckly for the greatest Qualcomm qpop changes privs so we have only gid mail ,
but if we have a non-shell account , we can "get" a shell ...
Ofcourse it's hard to exploit . ( probably we must change some ret ...and put
there address of shellcode but there is a few problems ... but general i think
it is POSSIBLE :] )
-= SOLUTION =-
I wrote patch on qpop-2.53 ...
-> cut here <-
--- pop_uidl.c Thu Oct 7 02:02:44 1999
+++ pop_uidl.c Sat Oct 9 20:34:00 1999
@@ -59,7 +59,7 @@
sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
if (nl = index(buffer, NEWLINE)) *nl = 0;
- return (pop_msg (p,POP_SUCCESS, buffer));
+ return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
}
} else {
/* yes, we can do this */
@@ -149,7 +149,7 @@
sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
if (nl = index(buffer, NEWLINE)) *nl = 0;
sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
- return (pop_msg (p,POP_SUCCESS, buffer));
+ return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d
}
} else {
/* yes, we can do this */
-> cut here <-
- Maurycy Prodeus , z33dat_private -
*******************************************************************************
*
* z33dat_private
*
* o Czyj to motor ?
* x To nie motor to Harley ...
* o Wiec czyj to Harley ?
* x Zeda ...
* <-- pulp fiction
*
*******************************************************************************
<--> I wish I was your SYSADM , just call :)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:46 PDT