Full Disclosure mailing list archives
Re: remote mirc < 6.11 exploit
From: Stephen <alf1num3rik () yahoo com>
Date: Tue, 21 Oct 2003 12:37:39 -0700 (PDT)
what a lame exploit on a lame site, just a mirror of packetstorm and k-otic ... Peter
/** gEEk-fuck-khaled.c -- remote mirc < 6.11 exploit by blasty ** ** TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148 ** ** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised ** nobody had written an exploit yet. So I decided to start writing one. ** Since this was my first time coding a exploit for windows, it took some ** research before I got the hang of it. (Ollydbg is much more confusing then GDB btw :P) ** ** This exploits (ab)uses the bug in irc:// URI handling. It contains a buffer- ** overflow, and when more then 998 bytes are given EIP will be overwritten. ** ** At first I was thinking of a simple solution to get this exploitable. Since ** giving an URI with > 998 chars to someone on IRC is simply NOT done :) ** Then I remember the iframe-irc:// flaw found by uuuppzz [2] ** ** This exploit will write an malicious HTML file containing an iframe executing the ** irc:// address. So you can give this to anyone on IRC for example ;) ** The shellcode included does only execute cmd.exe, because I don't want to be this ** a scriptkiddy util. But, replacing the shellcode with your own is also possible. ** An 400 bytes shellcode (bindshell etc.) easily fits in the buffer, but it may require ** some tweaking. ** After exiting the cmd.exe mIRC will crash, so shellcode its not 100% clean, but who carez :) ** ** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started. ** mIRC will start automatically when an irc:// is executed, so you can also send somebody ** and HTML email containing the evil HTML code. (only for poor clients like Outlook Express :P) **
__________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- remote mirc < 6.11 exploit Daigoku (Oct 21)
- <Possible follow-ups>
- remote mirc < 6.11 exploit test test2 (Oct 21)
- Re: remote mirc < 6.11 exploit Stephen (Oct 21)