26th Mar 2003 [SBWID-6096]
	Emule 0.27b remote crash
	Emule 0.27b and previous versions
	Thank to Auriemma Luigi [[email protected]] advisory :
	1) Introduction
	Emule is an excellent OpenSource file  sharign  program  that  uses  the
	Edonkey p2p protocol; it is not a simple clone but more  and  it  is  so
	much diffused  that  it  is  also  in  the  topten  of  the  Sourceforge
	downloads. It has a lot of functions and runs on Windows  but  exists  a
	porting (Lmule) that runs on Linux too.
	2) Bug
	Very quickly, the Edonkey protocol is composed by a header  to  send  at
	the beginning of  the  connection  to  the  client  that  contains  user
	informations like nickname, hash string,  client  version,  client  port
	and many other info. I call this  header  "identification  data".  After
	sending this header an user can send a chat message to the  remote  host
	simply sending message data (this data can  also  attached  directly  to
	the identification data).
	The problem in Emule happen when the  attacker  that  wants  to  send  a
	message doesn't send his nickname. In the  Edonkey  header  there  is  a
	"tag" (0x01000102) that is used for specify the  user  nickname,  so  an
	attacker must only not send this tag and the relative nickname.
	Emule 0.27b will crash at EIP 0x00444200 that is the function that  gets
	the nickname string previously stored in memory,  but  if  the  attacker
	has not included the nickname in his previous identification data,  this
	function will fail because it will try  to  read  at  a  memory  address
	(0x00000000 because doesn't exist the address of the nickname string  in
	memory) that cannot be reached by the application and this is the  cause
	of the crash.
	In fact, the program try to execute the following operation:
	"mov cl, [eax]"
	but EAX is NULL, so it CANNOT read from a NULL memory position.
	3) The Code
	The tool for test the problem is the same of my  Edonkey/Overnet  DoS  I
	have released some days ago. I have written this tool for  exploit  both
	the Edonkey and Emule bugs and it can be compiled on Win and Unix too:
	(Use: eddos -n 2 hostname if the second connection goes  in  timeout  or
	is refused, the remote host is crashed)
	If you don't wanna use my tool, simply connect  to  a  Emule  client  at
	port 4662 (default port) and  send  the  following  bytes  (remember  to
	convert this C string in bytes 8-):
	"\xE3\x24\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00" \
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
	Version 0.27c resolve the problem :