RE: mirc32 6.0x crash when resolving dns.

["Christopher Canova" <tekassist () earthlink net>]

Same here, WinXP, mIRC v6.03, no mIRC crashing..> That's not a typical mIRC
response. Are you sure you haven't a invalid hex'd mIRC such as ircN or
anything? If so, mIRC cannot guarantee the robustness of your executable. If
you have any strange errors, try going to a help channel like #mIRCHelp on
Efnet or a channel like #dmsetup if you believe you have a virus (I moderate
in both channels). If you have an invalid mIRC executable, try reinstalling
mIRC and not ircN (or whatever). 

cc
casnova on EFNet IRC network

-----Original Message-----
From: Davide Del Vecchio [mailto:dante () alighieri org] 
Sent: Tuesday, May 27, 2003 2:58 PM
To: at4r () 3wdesign es
Cc: vuln-dev () securityfocus com
Subject: Re: mirc32 6.0x crash when resolving dns.


Hi Andres, 

here Windows 98 B, mIRC v6.03 nothin happens when tryin to resolve that ip. 

[23:57] * Looking up 210.193.16.22
 -
[23:57] * Looking up 210.193.16.23
 -
[23:57] * Looking up 210.193.16.24
 -
[23:57] * Looking up 210.193.16.25
 -
[23:57] * Unable to resolve 210.193.16.22
 -
[23:57] * Looking up 210.193.16.26
 -
[23:57] * Unable to resolve 210.193.16.23
 -
[23:57] * Unable to resolve 210.193.16.24
 -
[23:57] * Unable to resolve 210.193.16.25
 -
[23:57] * Unable to resolve 210.193.16.26
 - 

Davide Del Vecchio, Dante Alighieri dante () alighieri org ~ www.alighieri.org 


aT4r InsaN3 Scrive: 

> While checking yesterday my snort database i found some attacks from 
> the
> host 210.193.16.22 so  i began to resolve the dns from the hosts with 
> mirc32 and i executed the following commands in the status window: 
>
> /dns 210.193.16.22
> /dns 210.193.16.23
> /dns 210.193.16.24
> * Looking up 210.193.16.22
> * Looking up 210.193.16.23
> * Looking up 210.193.16.24
> * Unable to resolve 210.193.16.22
> /dns 210.193.16.25
> * Looking up 210.193.16.25
> * Unable to resolve 210.193.16.23
> (** MIRC CRASH**)
>
> every time i tried to resolve a few ips mirc32 dies. the problem seems 
> to
> be in the WSAAsyncGetHostByName() call.
> i have tested this feature in both mirc  6.01 and 6.03 in diferent 
> computers. SO: winxp
> I cant give too many information about how to reproduce it, just try to 
> resolve some dns like the example.
> there are some mirc scripts that resolve dns after some events like ctcps 
> , so maybe this bug can be used remotely as a Denial of Service. 
>
> Windbg:
> 0:004> g
> ModLoad: 76ee0000 76f05000   C:\WINDOWS\System32\DNSAPI.dll
> ModLoad: 76f70000 76f77000   C:\WINDOWS\System32\winrnr.dll
> ModLoad: 76f20000 76f4d000   C:\WINDOWS\system32\WLDAP32.dll
> ModLoad: 76f80000 76f85000   C:\WINDOWS\System32\rasadhlp.dll
> (794.788): Access violation - code c0000005 (first chance) First 
> chance exceptions are reported before any exception handling. This 
> exception may be expected and handled. eax=00000000 ebx=005ea830 
> ecx=00000001 edx=71a42268 esi=005ea830 edi=71a42268
> eip=71a38d72 esp=01a8ff34 ebp=01a8ff5c iopl=0         nv up ei pl nz na pe

> nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             
> efl=00010202
> *** ERROR: Symbol file could not be found.  Defaulted to export symbols 
> for C:\WINDOWS\System32\WS2_32.dll -
> WS2_32!WSAAsyncGetHostByName+407:
> 71a38d72 8a10             mov     dl,[eax]                
> ds:0023:00000000=?? 
>
> regards
>
> Andres Tarascó Acuña
> 3W Design Security - 2003
>
> _________________________________________________________________
> MSN Compras: Veinte tiendas personales abiertas todo el día.
> http://www.msn.es/compras/