###################################################################### Luigi Auriemma Application: Emule (http://emule-project.net) Versions: 0.27b and previous versions Platform: Windows Bug: The program tries to read memory offset 0x00000000 if an attacker send a chat message without nickname Date: 25 Mar 2003 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ###################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ###################################################################### =============== 1) Introduction =============== Emule is an excellent OpenSource file sharign program that uses the Edonkey p2p protocol; it is not a simple clone but more and it is so much diffused that it is also in the topten of the Sourceforge downloads. It has a lot of functions and runs on Windows but exists a porting (Lmule) that runs on Linux too. ###################################################################### ====== 2) Bug ====== Very quickly, the Edonkey protocol is composed by a header to send at the beginning of the connection to the client that contains user informations like nickname, hash string, client version, client port and many other info. I call this header "identification data". After sending this header an user can send a chat message to the remote host simply sending message data (this data can also attached directly to the identification data). The problem in Emule happen when the attacker that wants to send a message doesn't send his nickname. In the Edonkey header there is a "tag" (0x01000102) that is used for specify the user nickname, so an attacker must only not send this tag and the relative nickname. Emule 0.27b will crash at EIP 0x00444200 that is the function that gets the nickname string previously stored in memory, but if the attacker has not included the nickname in his previous identification data, this function will fail because it will try to read at a memory address (0x00000000 because doesn't exist the address of the nickname string in memory) that cannot be reached by the application and this is the cause of the crash. In fact, the program try to execute the following operation: "mov cl, [eax]" but EAX is NULL, so it CANNOT read from a NULL memory position. ###################################################################### =========== 3) The Code =========== The tool for test the problem is the same of my Edonkey/Overnet DoS I have released some days ago. I have written this tool for exploit both the Edonkey and Emule bugs and it can be compiled on Win and Unix too: http://aluigi.org/poc/eddos.zip (Use: eddos -n 2 hostname if the second connection goes in timeout or is refused, the remote host is crashed) If you don't wanna use my tool, simply connect to a Emule client at port 4662 (default port) and send the following bytes (remember to convert this C string in bytes 8-): "\xE3\x24\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00" \ "\x00\x00\x00\x00\x00\x00\x00\x00\x00" \ "\xE3\x03\x00\x00\x00\x4E\x00\x00" ###################################################################### ====== 4) Fix ====== Version 0.27c resolve the problem. ######################################################################