1 / 6

Windtop bpop3d Vulnerability

Windtop bpop3d Vulnerability. timhsu @ chroot.org. July 2005. Windtop BBS. BBS developed from Maple-3 Easy install and friendly. Buffer overflow. static void cmd_user(cn) Client *cn; { int fd; ACCT acct; char *userid, *ptr, fpath[80], msg[128]; MYDOG;

havily
Download Presentation

Windtop bpop3d Vulnerability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windtop bpop3d Vulnerability timhsu @ chroot.org July 2005

  2. Windtop BBS • BBS developed from Maple-3 • Easy install and friendly

  3. Buffer overflow static void cmd_user(cn) Client *cn; { int fd; ACCT acct; char *userid, *ptr, fpath[80], msg[128]; MYDOG; if (cn->mode >= CM_LOGIN) { cmd_xxxx(cn); return; } userid = parse_token(NULL, LOWER); if (!userid || !*userid) { do_argument(cn); return; } sprintf(msg, "-ERR %s has no mail here", userid);

  4. RCVBUFSIZ • Maple-3 • #define SNDBUFSIZ (256 * 14) • #define SNDLINSIZ 256 /* Thor.990522: 註解: 送出每行最長 */ • #define RCVBUFSIZ 128 /* Thor.990522: 註解: 收到每行最長 */ • Windtop • #define SNDBUFSIZ (256 * 32) • #define SNDLINSIZ (1024) • #define RCVBUFSIZ (1024)

  5. Exploit • http://www.chroot.org/docs/2004/writing_remote_exploit.pdf • Exploit works on Linux and FreeBSD both • Test on my VMware successfully • Release the exploit after windtop fix the bug.

  6. Thank You ~ END ~

More Related