Date: Wed Jun 7 11:03:43 2006
From: kingcope at gmx.net (kcope)
Subject: MDaemon NOT vulnerable .. sorry for the advisory.. QBik Wingate is vulnerable

Hello, this is kcope.

Recently I thought I had discovered a remote preauth vulnerability in the latest version of MDaemon (9.0.1/9.0.2). And it really looked like one in the debugger (OllyDbg), so I posted it to full-disclosure. Afterwards I tried to write an exploit, and yes, I succeeded! But the problem is that the "vulnerability" is only exploitable inside the debugger, for some weird reason. I guess it is not exploitable under normal conditions without a debugger attached; I guess the exception handler drops us to another place when a debugger is not attached. Because I am not in a position to provide a working exploit for this, I am taking back my advisory and ask the vendor and you guys to forgive me for that stupid posting. Shit happens. In future I will only release advisories with proven exploits :)

OK, let's go.

QBik WinGate version 6.1.1.1077 Remote Buffer Overflow

WinGate 6.1 is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and email needs of today's Internet-connected businesses.

Description
-------------

The WinGate product from QBik has a buffer overflow in the HTTP proxy when handling large hosts in an HTTP request. This example will trigger an access violation due to the buffer overflow:

POST http://[AAAAAAA....A]/ HTTP/1.0\r\n\r\n

When a request like the one above is supplied, WinGate does not crash but denies service on all proxy ports. In my audit to exploit this vulnerability, EIP is redirected to our own location after several exception handlers kicked in. When EIP is redirected, ESI holds our buffer including the shellcode. So I chose a JMP ESI in memory space for the EIP redirection and successfully executed the shellcode.

Exploit for Windows 2000 is attached.

- kingcope

-------------- next part --------------
A non-text attachment was scrubbed...
Name: wingatex.pl
Type: application/x-perl
Size: 4277 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060607/ba07c5a8/wingatex.bin
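The bug class described above is an unbounded copy of an attacker-controlled host from a proxy-style request line into a fixed-size buffer. The following is an added example, not kcope's attachment and not WinGate's code, showing how a proxy should parse the absolute-URI form ("POST http://host/ HTTP/1.0") defensively: the host length is checked against a limit before any copy happens, and an oversized host is rejected with an error instead of being copied. The limit MAX_HOST_LEN is an assumption (255, the DNS hostname limit), the request line with a run of 'A' bytes is constructed to match the trigger shown in the advisory, and all function names are this example's own.

```c
/* Added example (not WinGate's code): bounded parsing of the host in a
 * proxy request line. The length check precedes the copy, which is what a
 * fixed-buffer strcpy of an arbitrary-length host lacks. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_HOST_LEN 255   /* assumption: DNS hostname limit, not a WinGate value */

typedef enum {
    HOST_OK = 0,
    HOST_ERR_NO_SCHEME,   /* request line is not an absolute http:// URI */
    HOST_ERR_EMPTY,       /* "http:///" with no host at all */
    HOST_ERR_TOO_LONG     /* host exceeds the limit: rejected, never copied */
} host_status;

/* Extract the host from "METHOD http://host[:port]/path HTTP/x.y" into out.
 * Returns HOST_OK on success; on any error out is left as an empty string. */
host_status parse_proxy_host(const char *request_line, char *out, size_t out_size)
{
    const char *prefix = "http://";
    const char *start, *end;
    size_t len;

    if (out_size == 0) return HOST_ERR_TOO_LONG;
    out[0] = '\0';

    /* skip the method token and the single space after it */
    start = strchr(request_line, ' ');
    if (start == NULL) return HOST_ERR_NO_SCHEME;
    start++;
    if (strncmp(start, prefix, strlen(prefix)) != 0) return HOST_ERR_NO_SCHEME;
    start += strlen(prefix);

    /* the host ends at the first '/', ':' or whitespace */
    end = start;
    while (*end && *end != '/' && *end != ':' && *end != ' ' &&
           *end != '\r' && *end != '\n')
        end++;

    len = (size_t)(end - start);
    if (len == 0) return HOST_ERR_EMPTY;
    /* Reject before copying: a host of thousands of bytes must never reach
     * the fixed-size destination buffer. */
    if (len > MAX_HOST_LEN || len >= out_size) return HOST_ERR_TOO_LONG;

    memcpy(out, start, len);
    out[len] = '\0';
    return HOST_OK;
}

/* Build a constructed request line with n 'A' bytes as the host (the shape
 * of the request quoted in the advisory) and return the parser's verdict. */
host_status check_host_of_length(size_t n)
{
    char req[8192];
    char host[MAX_HOST_LEN + 1];
    const char *head = "POST http://";
    const char *tail = "/ HTTP/1.0\r\n\r\n";
    size_t i, pos = 0;

    if (strlen(head) + n + strlen(tail) >= sizeof req) return HOST_ERR_TOO_LONG;
    memcpy(req, head, strlen(head));
    pos += strlen(head);
    for (i = 0; i < n; i++) req[pos++] = 'A';
    memcpy(req + pos, tail, strlen(tail) + 1);   /* includes terminating NUL */
    return parse_proxy_host(req, host, sizeof host);
}

int main(void)
{
    char host[MAX_HOST_LEN + 1];
    host_status s = parse_proxy_host("POST http://example.test:8080/ HTTP/1.0\r\n\r\n",
                                     host, sizeof host);
    printf("normal request: status %d, host '%s'\n", (int)s, host);
    printf("4000-byte host: status %d (HOST_ERR_TOO_LONG = %d)\n",
           (int)check_host_of_length(4000), (int)HOST_ERR_TOO_LONG);
    return 0;
}
```

The point of the design is that the destination buffer size and the protocol limit are both enforced in one place before memcpy, so a request with a 4000-byte host is answered with an error rather than reaching any copy; a request with a sane host parses normally, and the port and path are left untouched for later stages to handle.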