Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

Re: remote mirc < 6.11 exploit
From: Stephen <alf1num3rik () yahoo com>
Date: Tue, 21 Oct 2003 12:37:39 -0700 (PDT)
what a lame exploit on a lame site, just a mirror of
packetstorm and k-otic ...

Peter



/** gEEk-fuck-khaled.c -- remote mirc < 6.11 exploit
by blasty
**
** TESTED ON: Windows XP (No SP, Ducth) Build:
2600.xpclient.010817-1148
**
** A few days ago, I saw a mIRC advisory on
packetstorm [1] and was surprised
** nobody had written an exploit yet. So I decided
to start writing one.
** Since this was my first time coding a exploit for
windows, it took some
** research before I got the hang of it. (Ollydbg is
much more confusing then GDB btw :P)
**
** This exploits (ab)uses the bug in irc:// URI
handling. It contains a buffer-
** overflow, and when more then 998 bytes are given
EIP will be overwritten.
** 
** At first I was thinking of a simple solution to
get this exploitable. Since
** giving an URI with > 998 chars to someone on IRC
is simply NOT done :)
** Then I remember the iframe-irc:// flaw found by
uuuppzz [2]
**
** This exploit will write an malicious HTML file
containing an iframe executing the
** irc:// address. So you can give this to anyone on
IRC for example ;)
** The shellcode included does only execute cmd.exe,
because I don't want to be this
** a scriptkiddy util. But, replacing the shellcode
with your own is also possible.
** An 400 bytes shellcode (bindshell etc.) easily
fits in the buffer, but it may require
** some tweaking.
** After exiting the cmd.exe mIRC will crash, so
shellcode its not 100% clean, but who carez :)
**
** Oh yeah, I almost forgot.. this exploit also
works even if mIRC isn't started.
** mIRC will start automatically when an irc:// is
executed, so you can also send somebody
** and HTML email containing the evil HTML code.
(only for poor clients like Outlook Express :P)
**



__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]