The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Хинт: BSD.opennet.ru - мини-портал с информацией по ОС FreeBSD, OpenBSD и NetBSD.
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

Two more exploitable holes in the trillian irc module


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 1 Aug 2002 21:10:37 -0400 (EDT)
From: josh@pulltheplug.com
To: bugtraq@securityfocus.com
Subject: Two more exploitable holes in the trillian irc module

Sent the following advisory to trillian: Tue, 16 Jul 2002 16:49:19 -0400 (EDT)

Submitted by  : Josh (josh@pulltheplug.com),
                omega (mtwoar@hotmail.com) on July 16th, 2002
Vulnerability : Format strings bug and buffer overflow in the IRC client of Trillian
Tested On     : Trillian v0.73,0.72
Remote        : Yes
Greets to     : SooT, zen-parse, arcanum, lockdown, brian, Bryan S.,
                #social on ptp, jade, fr3n3tic

	There exists a format strings vulnerability in the way trillian handles channel
invites.  It's invoked by merely joining a channel, #%n%n%n for example, and inviting the
victim to it.  Using a specially crafted invitation it is possible to overwrite EIP or
EBP, depending on the method you chose.  While the format strings exploit would be a hard
one to write, treating this as a text book buffer overflow by using a string like
#%4095x<some 4 byte addy here>, you can overwrite EIP with ease.  The only problem with
exploitation after overwriting EIP is getting the incredibly large win32 shellcode somewhere
where it can be located, and where it's not broken up.  IRC messages allow only 448 bytes
per message.  It might be possible, though, to initiate a DCC chat with the user (which they
would have to accept) and store the shellcode there.  Another option is to store the
shellcode in multiple messages and have the shellcode itself jump around... either way
exploitation isn't trivial.
	The next overflow is entirely unrelated to the above, but exists in the DCC chat
itself.  Flooding the user with about 4282 characters in one dcc message will overwrite
EAX.


<begin how we waste our time>

<omega> why does batman always win?
<Josh> hmm, good question, it's not like he has super powers or anything
<omega> jah i know but the ppl he fights do
<Josh> like who?
<omega> well that poison ivy [respectable woman], and mr freeze, and the penguin n
        [excrement]
<Josh> wtf power does the penguin have?
<omega> omfg have you taken a look at him? hes deformed++ and he can talk to penguins
<omega> ever seen an angry group of penguins? its quite a site
<Josh> I just always wanted batman to have a bat so he could be all
       "hey robin, quick, the bat bat!"

* Text inside []s indicate a politically correct version of what was actually said

</end example of how we waste our time>



<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList
RB2 Network. RB2 Network.