mirc32 6.0x crash when resolving dns.

From: aT4r InsaN3 (at4r_at_hotmail.com)
Date: 05/26/03

  • Next message: Davide Del Vecchio: "Re: mirc32 6.0x crash when resolving dns."
    To: vuln-dev@securityfocus.com
    Date: Mon, 26 May 2003 23:22:37 +0200
    
    

    While checking my Snort database yesterday, I found some attacks from the
    host 210.193.16.22, so I began to resolve the DNS of the hosts with mirc32
    and I executed the following commands in the status window:

    /dns 210.193.16.22
    /dns 210.193.16.23
    /dns 210.193.16.24
    * Looking up 210.193.16.22
    * Looking up 210.193.16.23
    * Looking up 210.193.16.24
    * Unable to resolve 210.193.16.22
    /dns 210.193.16.25
    * Looking up 210.193.16.25
    * Unable to resolve 210.193.16.23
    (** MIRC CRASH**)

    Every time I tried to resolve a few IPs, mirc32 dies. The problem seems to be
    in the WSAAsyncGetHostByName() call.
    I have tested this feature in both mIRC 6.01 and 6.03 on different
    computers. OS: WinXP
    I can't give much information about how to reproduce it; just try to
    resolve some DNS like in the example.
    There are some mIRC scripts that resolve DNS after some events like CTCPs,
    so maybe this bug can be used remotely as a Denial of Service.

    Windbg:
    0:004> g
    ModLoad: 76ee0000 76f05000 C:\WINDOWS\System32\DNSAPI.dll
    ModLoad: 76f70000 76f77000 C:\WINDOWS\System32\winrnr.dll
    ModLoad: 76f20000 76f4d000 C:\WINDOWS\system32\WLDAP32.dll
    ModLoad: 76f80000 76f85000 C:\WINDOWS\System32\rasadhlp.dll
    (794.788): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=005ea830 ecx=00000001 edx=71a42268 esi=005ea830 edi=71a42268
    eip=71a38d72 esp=01a8ff34 ebp=01a8ff5c iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\WS2_32.dll -
    WS2_32!WSAAsyncGetHostByName+407:
    71a38d72 8a10 mov dl,[eax] ds:0023:00000000=??

    regards

    Andres Tarascó Acuña
    3W Design Security - 2003
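
Added example, not part of the original post: a small triage helper that reads the WinDbg output quoted above and classifies the fault (access type, faulting address, whether it is a near-NULL dereference, and whether the symbol name can be trusted). The names `triage` and `NULL_PAGE_LIMIT` are hypothetical, and the sample text is constructed from the post's dump with the mail line wraps joined.

```python
import re

# Constructed input: register dump and faulting instruction from the WinDbg
# output in the post, with the mail client's line wraps joined.
WINDBG_SAMPLE = r"""(794.788): Access violation - code c0000005 (first chance)
eax=00000000 ebx=005ea830 ecx=00000001 edx=71a42268 esi=005ea830 edi=71a42268
eip=71a38d72 esp=01a8ff34 ebp=01a8ff5c iopl=0 nv up ei pl nz na pe nc
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\WS2_32.dll -
WS2_32!WSAAsyncGetHostByName+407:
71a38d72 8a10 mov dl,[eax] ds:0023:00000000=??
"""

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})\b")
# address, opcode bytes, mnemonic, operands, then WinDbg's effective-address note
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+(?P<mnem>\w+)\s+(?P<ops>\S+)"
    r"\s+\w+:[0-9a-f]{4}:(?P<ea>[0-9a-f]{8})=(?P<val>\S+)", re.M)
SYM_RE = re.compile(r"^(?P<mod>\w+)!(?P<sym>\w+)\+(?P<off>[0-9a-f]+):", re.M)

# Assumption: user-mode Windows never maps the lowest 64 KiB, so a fault
# below this address is treated as a NULL (or NULL+offset) dereference.
NULL_PAGE_LIMIT = 0x10000


def triage(text):
    """Classify a 32-bit WinDbg access-violation dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    insn, sym = INSN_RE.search(text), SYM_RE.search(text)
    if not (insn and sym):
        raise ValueError("not a recognisable WinDbg access-violation dump")
    ea = int(insn["ea"], 16)
    dst = insn["ops"].split(",")[0]
    # Memory operand first means a store, except for compare-style instructions.
    is_store = dst.startswith("[") and insn["mnem"] not in ("cmp", "test")
    base = re.search(r"\[(e[a-z]{2})\]", insn["ops"])
    return {
        "location": f'{sym["mod"]}!{sym["sym"]}+0x{sym["off"]}',
        "access": "write" if is_store else "read",
        "address": ea,
        "near_null": ea < NULL_PAGE_LIMIT,
        # The address WinDbg printed should equal the base register's value.
        "register_consistent": bool(base) and regs.get(base[1]) == ea,
        # With export symbols only, the name is just the nearest preceding export.
        "symbol_reliable": "export symbols" not in text,
    }
```

For the dump in the post this reports a read from address 0 inside WS2_32.dll, with the symbol flagged as unreliable because only export symbols were loaded.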
