> These bug only affected 3.0 betas. Bullshit ...;P In pop_euidl() in file pop_uidl.c (qpop-2.53) : } else { sprintf(buffer, "%d %s", msg_id, mp->uidl_str); if (nl = index(buffer, NEWLINE)) *nl = 0; sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p,mp)); return (pop_msg (p,POP_SUCCESS, buffer)); <-- *here* } It looks good , but .... ;P pop_msg(POP *p, int stat, const char *format,...) So this function need format and some other data. Luckly for the greatest Qualcomm qpop changes privs so we have only gid mail , but if we have a non-shell account , we can "get" a shell ... Ofcourse it's hard to exploit . ( probably we must change some ret ...and put there address of shellcode but there is a few problems ... but general i think it is POSSIBLE :] ) -= SOLUTION =- I wrote patch on qpop-2.53 ... -> cut here <- --- pop_uidl.c Thu Oct 7 02:02:44 1999 +++ pop_uidl.c Sat Oct 9 20:34:00 1999 @@ -59,7 +59,7 @@ sprintf(buffer, "%d %s", msg_id, mp->uidl_str); if (nl = index(buffer, NEWLINE)) *nl = 0; - return (pop_msg (p,POP_SUCCESS, buffer)); + return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d } } else { /* yes, we can do this */ @@ -149,7 +149,7 @@ sprintf(buffer, "%d %s", msg_id, mp->uidl_str); if (nl = index(buffer, NEWLINE)) *nl = 0; sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp)); - return (pop_msg (p,POP_SUCCESS, buffer)); + return (pop_msg (p,POP_SUCCESS,"%s", buffer)); // patched by z33d } } else { /* yes, we can do this */ -> cut here <- - Maurycy Prodeus , z33dat_private - ******************************************************************************* * * z33dat_private * * o Czyj to motor ? * x To nie motor to Harley ... * o Wiec czyj to Harley ? * x Zeda ... * <-- pulp fiction * ******************************************************************************* <--> I wish I was your SYSADM , just call :)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:46 PDT