Zero-X
yeah just seen that, could someone compile?

port 2600 if I am right?
studnikov
ph34r.gif ph34r.gif
MxMx
no! not port 1080 .. this port is used for socks ...
dunno which port you have gotta scan .. but it's not 1080 4 sure
Gotisch
euhm, that's a fake socks5 server that waits for an xchat client to connect to it in order to exploit it, right?

did you even bother reading any of the docs?

QUOTE

# ./xxchat-socks5 2600
[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exploit.
[*] by: by: vade79/v9 v9_at_fakehalo.deadpig.org (fakehalo)

[*] eip: 0xbffff5d2, socks-5 port: 1080, bindshell port: 7979.
[*] awaiting connection from: *:1080.
[*] socks-5 server connection established.
[*] sending specially crafted string. (exploit)
[*] socks-5 server connection closed.
[*] checking to see if the exploit was successful.
[*] attempting to connect: 127.0.0.1:7979.
[*] successfully connected: 127.0.0.1:7979.

Linux localhost 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
uid=501(v9) gid=501(v9) groups=501(v9)

QUOTE

A remotely exploitable buffer overrun was reported in XChat. This issue exists in the SOCKS 5 proxy code.

This stack-based buffer overrun could be exploited by a malicious proxy server if SOCKS 5 traversal has been enabled in the client. Successful exploitation will result in execution of arbitrary code as the client user.

It should be noted that SOCKS 5 traversal is not enabled by default and this issue only poses a risk if the victim user deliberately connects to an attacker's SOCKS 5 proxy server.


http://www.securityfocus.com/bid/10168/discussion/




oh and another edit.

1. you need to get the user to connect to your proxy and not wonder why his client crashes
2. no smart guy ircs as root
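
The advisory quoted above describes a stack overrun reachable from a malicious SOCKS 5 server. As an added example (not XChat's code and not from this thread), here is a SOCKS 5 reply parser following the RFC 1928 reply layout that checks every server-supplied length against both the received bytes and the destination buffer; the struct, the function name and the 64-byte address limit are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SOCKS5 reply (RFC 1928): VER REP RSV ATYP BND.ADDR BND.PORT */
enum { S5_OK = 0, S5_SHORT = -1, S5_BAD = -2, S5_TOOBIG = -3 };

struct s5_reply {
    uint8_t  rep;        /* status code sent by the proxy */
    uint8_t  atyp;       /* 1 = IPv4, 3 = domain name, 4 = IPv6 */
    uint8_t  addr[64];   /* hypothetical limit chosen for this example */
    size_t   addr_len;
    uint16_t port;
};

/* Parse a reply from an untrusted proxy held in buf[0..len).
 * Nothing is copied until both bounds checks have passed. */
int s5_parse_reply(const uint8_t *buf, size_t len, struct s5_reply *out)
{
    size_t need, off = 4;

    if (len < 4) return S5_SHORT;
    if (buf[0] != 0x05 || buf[2] != 0x00) return S5_BAD;

    switch (buf[3]) {
    case 0x01: need = 4;  break;             /* IPv4 */
    case 0x04: need = 16; break;             /* IPv6 */
    case 0x03:                               /* domain: 1 length byte + name */
        if (len < 5) return S5_SHORT;
        need = buf[4];                       /* server-controlled, 0..255 */
        off = 5;
        if (need == 0) return S5_BAD;
        break;
    default: return S5_BAD;
    }
    if (need > sizeof out->addr) return S5_TOOBIG;  /* destination bound */
    if (len - off < need + 2) return S5_SHORT;      /* source bound (+port) */

    out->rep = buf[1];
    out->atyp = buf[3];
    memcpy(out->addr, buf + off, need);
    out->addr_len = need;
    out->port = (uint16_t)((buf[off + need] << 8) | buf[off + need + 1]);
    return S5_OK;
}
```

A reply that claims a longer address than the buffer holds is rejected with `S5_TOOBIG` instead of being copied, and a reply shorter than its own length field returns `S5_SHORT` so the caller can keep reading or drop the connection.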
Psychotec
QUOTE (Zero-X @ May 5 2004, 08:51 PM)
yeah just seen that, could someone compile?

port 2600 if I am right?

compiled this one and posted in the file downloads section. Thnx for the info dicky