Vulnerability Development mailing list archives

Re: mIRC Buffer Overflow


From: Syzop <syz () dds nl>
Date: Sun, 03 Feb 2002 19:22:35 +0100

Hi,

David Dorgan wrote:

An error exists in mIRC's handling of certain messages from the server,
making it possible to overflow a static buffer. With carefully constructed
messages arbitrary code can be executed.

Just wanted to let you know I discovered this bug a year ago when
I was brute forcing numerics (+random length arguments).
However, it didn't seem exploitable... guess I was wrong :/... (think my arguments
were too small or something like that).
Also, another bug, which was obviously a buffer overflow, was fixed later in
5.9, so I didn't pay attention to this stuff anymore.
However, I've been using my ircop /crash command for some time >:)
                        // bitchx crash
                        sendto_one(acptr, ":blah 004 blah :blah blah");
                        // mirc crash
                        sendto_one(acptr, ":blah 001 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
Anyway, I didn't report it so it's your bug now :P.

Cya,

    Syzop.

PS: That bitchx bug is just because of a missing argument -> NULL pointer -> crash.
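The two crashes in the post come down to one thing on the client side: a numeric's arguments are copied into fixed buffers without a length check, and a numeric that arrives with fewer arguments than expected is used anyway. The parser below is an added example (not code from the post, and not from mIRC or BitchX) showing the defensive shape: bounded copies that fail loudly on overlong input, plus a parameter count the caller checks before using a field. Buffer sizes and the 64-byte per-argument limit are assumptions.

```c
/* Added example, not from the post or from mIRC/BitchX: parse one IRC server
 * line (":prefix CMD arg ... :trailing") into fixed-size fields using bounded
 * copies, so an overlong argument is rejected instead of overflowing a buffer,
 * and the parameter count can be checked before an argument is used.
 * Buffer sizes and the 64-byte per-argument limit are assumptions. */
#include <string.h>

#define MAX_PARAMS    15
#define MAX_PARAM_LEN 64   /* assumed limit for a single argument */
struct irc_msg {
    char prefix[64], command[16];
    char params[MAX_PARAMS][MAX_PARAM_LEN];
    int  nparams;
};

/* Copy len bytes into dst and terminate, or return 0 if they would not fit. */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t len) {
    if (len >= dstsz) return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}
/* Returns the parameter count, or -1 for malformed or overlong input. */
int irc_parse(const char *line, struct irc_msg *m) {
    const char *p = line, *sp;
    size_t len;
    memset(m, 0, sizeof *m);
    if (*p == ':') {                                  /* optional source prefix */
        if (!(sp = strchr(p, ' ')) ||
            !copy_bounded(m->prefix, sizeof m->prefix, p + 1, sp - p - 1)) return -1;
        p = sp + 1;
    }
    sp  = strchr(p, ' ');
    len = sp ? (size_t)(sp - p) : strlen(p);
    if (len == 0 || !copy_bounded(m->command, sizeof m->command, p, len)) return -1;
    p += len;
    while (*p) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (m->nparams >= MAX_PARAMS) return -1;
        if (*p == ':') { p++; len = strlen(p); }      /* trailing: rest of line */
        else { sp = strchr(p, ' '); len = sp ? (size_t)(sp - p) : strlen(p); }
        if (!copy_bounded(m->params[m->nparams++], MAX_PARAM_LEN, p, len)) return -1;
        p += len;
    }
    return m->nparams;
}

/* 004 (RPL_MYINFO) needs the target nick plus four fields; check before use. */
int irc_has_params(const struct irc_msg *m, int n) { return m->nparams >= n; }
```

With this shape, the short 004 line from the post parses to two parameters and fails the five-parameter check, and the overlong 001 argument is rejected by the parser rather than reaching any fixed buffer.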



Current thread: