lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20031021193739.45768.qmail@web41706.mail.yahoo.com>
From: alf1num3rik at yahoo.com (Stephen)
Subject: remote mirc < 6.11 exploit

what a lame exploit on a lame site, just a mirror of
packetstorm and k-otic ...

Peter

> 
> /** gEEk-fuck-khaled.c -- remote mirc < 6.11 exploit
> by blasty
> **
> ** TESTED ON: Windows XP (No SP, Ducth) Build:
> 2600.xpclient.010817-1148
> **
> ** A few days ago, I saw a mIRC advisory on
> packetstorm [1] and was surprised
> ** nobody had written an exploit yet. So I decided
> to start writing one.
> ** Since this was my first time coding a exploit for
> windows, it took some
> ** research before I got the hang of it. (Ollydbg is
> much more confusing then GDB btw :P)
> **
> ** This exploits (ab)uses the bug in irc:// URI
> handling. It contains a buffer-
> ** overflow, and when more then 998 bytes are given
> EIP will be overwritten.
> ** 
> ** At first I was thinking of a simple solution to
> get this exploitable. Since
> ** giving an URI with > 998 chars to someone on IRC
> is simply NOT done :)
> ** Then I remember the iframe-irc:// flaw found by
> uuuppzz [2]
> **
> ** This exploit will write an malicious HTML file
> containing an iframe executing the
> ** irc:// address. So you can give this to anyone on
> IRC for example ;)
> ** The shellcode included does only execute cmd.exe,
> because I don't want to be this
> ** a scriptkiddy util. But, replacing the shellcode
> with your own is also possible.
> ** An 400 bytes shellcode (bindshell etc.) easily
> fits in the buffer, but it may require
> ** some tweaking.
> ** After exiting the cmd.exe mIRC will crash, so
> shellcode its not 100% clean, but who carez :)
> **
> ** Oh yeah, I almost forgot.. this exploit also
> works even if mIRC isn't started.
> ** mIRC will start automatically when an irc:// is
> executed, so you can also send somebody
> ** and HTML email containing the evil HTML code.
> (only for poor clients like Outlook Express :P)
> **


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ