[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20031021193739.45768.qmail@web41706.mail.yahoo.com>
From: alf1num3rik at yahoo.com (Stephen)
Subject: remote mirc < 6.11 exploit
what a lame exploit on a lame site, just a mirror of
packetstorm and k-otic ...
Peter
>
> /** gEEk-fuck-khaled.c -- remote mirc < 6.11 exploit
> by blasty
> **
> ** TESTED ON: Windows XP (No SP, Ducth) Build:
> 2600.xpclient.010817-1148
> **
> ** A few days ago, I saw a mIRC advisory on
> packetstorm [1] and was surprised
> ** nobody had written an exploit yet. So I decided
> to start writing one.
> ** Since this was my first time coding a exploit for
> windows, it took some
> ** research before I got the hang of it. (Ollydbg is
> much more confusing then GDB btw :P)
> **
> ** This exploits (ab)uses the bug in irc:// URI
> handling. It contains a buffer-
> ** overflow, and when more then 998 bytes are given
> EIP will be overwritten.
> **
> ** At first I was thinking of a simple solution to
> get this exploitable. Since
> ** giving an URI with > 998 chars to someone on IRC
> is simply NOT done :)
> ** Then I remember the iframe-irc:// flaw found by
> uuuppzz [2]
> **
> ** This exploit will write an malicious HTML file
> containing an iframe executing the
> ** irc:// address. So you can give this to anyone on
> IRC for example ;)
> ** The shellcode included does only execute cmd.exe,
> because I don't want to be this
> ** a scriptkiddy util. But, replacing the shellcode
> with your own is also possible.
> ** An 400 bytes shellcode (bindshell etc.) easily
> fits in the buffer, but it may require
> ** some tweaking.
> ** After exiting the cmd.exe mIRC will crash, so
> shellcode its not 100% clean, but who carez :)
> **
> ** Oh yeah, I almost forgot.. this exploit also
> works even if mIRC isn't started.
> ** mIRC will start automatically when an irc:// is
> executed, so you can also send somebody
> ** and HTML email containing the evil HTML code.
> (only for poor clients like Outlook Express :P)
> **
__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
Powered by blists - more mailing lists