Date: Wed Jun  7 11:03:43 2006
From: kingcope at gmx.net (kcope)
Subject: MDaemon NOT vulnerable .. sorry for the advisory.. QBik Wingate is vulnerable

Hello, this is kcope,
Recently I thought I had discovered a remote preauth vulnerability in MDaemon latest version (9.0.1/9.0.2). And it really looked like one in the debugger (OllyDbg) .. so I posted it to full disclosure.
Afterwards I tried to write an exploit, and yes, I succeeded! But the problem is that the "vulnerability" is only exploitable inside the debugger for some weird reason. I guess it is not exploitable under normal conditions without a debugger attached. I guess the exception handler drops us to another place when a debugger is not attached. Because I am not in a position to provide a working exploit for this, I am taking back my advisory and ask the vendor and you guys to forgive me for that stupid posting; shit happens.
In the future I will only release advisories with proven exploits :)



OK, let's go


QBik Wingate version 6.1.1.1077 Remote Buffer Overflow

WinGate 6.1 is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and email needs of today's Internet-connected businesses.

Description
-------------
The WinGate product from QBik has a buffer overflow in the HTTP proxy when handling large hosts in an HTTP request.

This example will trigger an access violation due to the buffer overflow:
POST http://[AAAAAAA....A]/ HTTP/1.0\r\n\r\n

When a request like the one above is supplied, WinGate does not crash but denies service on all proxy ports.

In my audit to exploit this vulnerability, EIP is redirected to our own location after several exception handlers have kicked in. When EIP is redirected, ESI holds our buffer including the shellcode. So I chose a JMP ESI in memory space for the EIP redirection and successfully executed the shellcode.

Exploit for Windows 2000 is attached

- - kingcope

-------------- next part --------------
A non-text attachment was scrubbed...
Name: wingatex.pl
Type: application/x-perl
Size: 4277 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060607/ba07c5a8/wingatex.bin
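The advisory above describes a proxy that mishandles an oversized host in the request line. As an added example (not code from the post, from WinGate, or from QBik), the following Python screening filter shows the check a defender would place in front of such a proxy, or run over captured request lines: it parses the request line, pulls the host out of absolute-form and CONNECT targets, and rejects anything whose hostname exceeds the RFC 1035 limits (253 characters total, 63 per label). The function names, the 8192-byte request-line cap, and the sample request lines are all constructed for this example; the second sample line mirrors the shape of the request quoted in the advisory.

```python
"""Defensive request-line screening for an HTTP proxy (added example).

Hostname limits come from RFC 1035; the overall request-line cap is an
assumption chosen for this example, not a value from the advisory.
"""
from urllib.parse import urlsplit

MAX_HOST_LEN = 253     # RFC 1035: whole hostname
MAX_LABEL_LEN = 63     # RFC 1035: one dot-separated label
MAX_LINE_LEN = 8192    # assumed cap on the raw request line

METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE"}


def extract_host(request_line: str) -> str:
    """Return the host named in the request line, or '' for origin-form
    requests (where the host arrives in the Host header instead).

    Raises ValueError for lines that are malformed or too long."""
    if len(request_line) > MAX_LINE_LEN:
        raise ValueError("request line too long")
    parts = request_line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method not in METHODS or not version.startswith("HTTP/"):
        raise ValueError("bad method or version")
    if method == "CONNECT":
        # CONNECT carries "host:port" rather than a URL
        return target.rsplit(":", 1)[0]
    if "://" in target:
        # absolute-form target, as a proxy normally receives
        return urlsplit(target).hostname or ""
    return ""


def host_is_sane(host: str) -> bool:
    """True if the hostname respects the RFC 1035 length limits."""
    if not host or len(host) > MAX_HOST_LEN:
        return False
    labels = host.rstrip(".").split(".")
    return all(0 < len(label) <= MAX_LABEL_LEN for label in labels)


def screen_request(request_line: str):
    """Decide whether a request line may be passed on to the proxy.

    Returns (accept, reason); rejected lines are the ones to log or alert on."""
    try:
        host = extract_host(request_line)
    except ValueError as exc:
        return False, str(exc)
    if host and not host_is_sane(host):
        return False, f"host length {len(host)} violates limits"
    return True, "ok"


# Constructed sample request lines; the second one has the shape of the
# oversized-host request described in the advisory.
SAMPLE_LINES = [
    "GET http://example.com/ HTTP/1.0\r\n",
    "POST http://" + "A" * 2000 + "/ HTTP/1.0\r\n",
    "CONNECT mail.example.com:443 HTTP/1.1\r\n",
    "GET /index.html HTTP/1.1\r\n",
]


def screen_all(lines=SAMPLE_LINES):
    """Screen each sample line and return the list of (accept, reason)."""
    return [screen_request(line) for line in lines]


if __name__ == "__main__":
    for line, (accept, reason) in zip(SAMPLE_LINES, screen_all()):
        print(("ACCEPT" if accept else "REJECT").ljust(7), reason, "<-", line[:60].rstrip())
```

The filter deliberately sits before any parsing the proxy itself does, so an oversized host is dropped while it is still a string, and the rejection reason is what a detection pipeline would log. It does not inspect the Host header of origin-form requests; a production filter would apply the same `host_is_sane` check there as well.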
