Hello, this is kcope. Recently I thought I had discovered a remote preauth vulnerability in the latest MDaemon version (9.0.1/9.0.2). And it really looked like one in the debugger (OllyDbg), so I posted it to Full-Disclosure. Afterwards I tried to write an exploit, and yes, I succeeded! But the problem is that the "vulnerability" is only exploitable inside the debugger, for some weird reason. I guess it is not exploitable under normal conditions without a debugger attached; I guess the exception handler drops us to another place when a debugger is not attached. Because I am not in a position to provide a working exploit for this, I am taking back my advisory, and I ask the vendor and you guys to forgive me for that stupid posting. Shit happens. In the future I will only release advisories with proven exploits :)

OK, let's go.

QBik WinGate version 6.1.1.1077 Remote Buffer Overflow

WinGate 6.1 is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and email needs of today's Internet-connected businesses.

Description
-------------

The WinGate product from QBik has a buffer overflow in the HTTP proxy when handling large hosts in an HTTP request. This example will trigger an access violation due to the buffer overflow:

POST http://[AAAAAAA....A]/ HTTP/1.0\r\n\r\n

When a request like the one above is supplied, WinGate does not crash but denies service on all proxy ports. In my audit to exploit this vulnerability, EIP is redirected to our own location after several exception handlers kicked in. When EIP is redirected, ESI holds our buffer including the shellcode. So I chose a JMP ESI in memory space for the EIP redirection and successfully executed the shellcode.

Exploit for Windows 2000 is attached.

-- kingcope
Attachment: wingatex.pl (Perl program)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
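The defect described in the advisory is an HTTP proxy copying an unbounded host component of an absolute-URI request-target into a fixed buffer. The following Python is an added example of the check a proxy should perform before touching that host; it is not WinGate's code and not part of kingcope's post. The request-line and host limits (8192 bytes and 253 characters) are assumptions taken from common proxy defaults and the DNS name-length rule, and the oversized request line used for the self-test is constructed here in the shape the advisory shows.

```python
import re

# Assumed limits: 8192 bytes is a typical proxy request-line cap, 253 is the
# longest valid DNS hostname, 63 the longest label. Not WinGate's values.
MAX_REQUEST_LINE = 8192
MAX_HOST_LEN = 253

# One DNS label: alphanumeric, hyphens allowed inside, at most 63 characters.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Absolute-form request-target as a forward proxy sees it. IP literals such
# as [::1] are out of scope for this example and are rejected by the label rule.
_TARGET_RE = re.compile(r"(https?)://([^/:]*)(?::(\d{1,5}))?(/.*)?")


class RequestError(ValueError):
    """Raised for any request line the proxy must refuse."""


def parse_proxy_request_line(line: bytes) -> dict:
    """Parse 'METHOD http://host[:port]/path HTTP/1.x' and enforce size limits.

    Every length check runs before the host is used for anything, so an
    oversized request-target is rejected instead of being copied onward.
    """
    if len(line) > MAX_REQUEST_LINE:
        raise RequestError("request line exceeds %d bytes" % MAX_REQUEST_LINE)
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise RequestError("non-ASCII bytes in request line")

    parts = text.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        raise RequestError("request line must be METHOD SP target SP version")
    method, target, version = parts

    if not re.fullmatch(r"[A-Z]{1,16}", method):
        raise RequestError("invalid method token")
    if not re.fullmatch(r"HTTP/1\.[01]", version):
        raise RequestError("unsupported HTTP version")

    m = _TARGET_RE.fullmatch(target)
    if not m:
        raise RequestError("request-target must be an absolute http(s) URI")
    scheme, host, port, path = m.groups()

    # The host is bounded here, before it reaches any fixed-size storage.
    if not host:
        raise RequestError("empty host")
    if len(host) > MAX_HOST_LEN:
        raise RequestError("host length %d exceeds %d" % (len(host), MAX_HOST_LEN))
    for label in host.split("."):
        if not _LABEL_RE.match(label):
            raise RequestError("invalid hostname label")

    port_num = int(port) if port else (443 if scheme == "https" else 80)
    if not 1 <= port_num <= 65535:
        raise RequestError("port out of range")

    return {
        "method": method,
        "scheme": scheme,
        "host": host,
        "port": port_num,
        "path": path or "/",
        "version": version,
    }


def request_is_safe(line: bytes) -> bool:
    """True if the request line passes all limits, False if it must be dropped."""
    try:
        parse_proxy_request_line(line)
        return True
    except RequestError:
        return False


if __name__ == "__main__":
    # Constructed request in the shape of the advisory's proof of concept.
    oversized = b"POST http://" + b"A" * 4000 + b"/ HTTP/1.0\r\n"
    normal = b"GET http://example.com:8080/index.html HTTP/1.1\r\n"
    print("oversized host accepted?", request_is_safe(oversized))
    print("normal request parsed as", parse_proxy_request_line(normal))
```

A proxy written this way logs and drops the oversized request at the parser, so a flood of such lines shows up in its logs as refused requests rather than as the loss of every proxy port the advisory describes.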