Friday, October 03, 2008

mIRC 6.34 (latest) Remote Overflow

When a PRIVMSG arrives, the vulnerable function is called to copy the nickname into a buffer:

Let's look at the pseudocode of the call (arguments: dest, bytes to copy, src):

Let's look at the vulnerable memory zero-fill:

ESI holds the "bytes to copy"; the jump is not taken because the value is greater than 10, and then...
the first rep starts writing 0x00 at [edi++] ECX times (309 times), overwriting other variables and running past the page.

Exploitation vector: the nick. You must be the server, because servers don't allow long nicknames. (A PRIVMSG with a 315-byte nick -> DoS.)
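The post points out that only a server (or something sitting in the server's position) can deliver a nick that long, since real servers enforce the RFC 1459 limit of 9 characters. A proxy or IDS in front of a client can enforce the same bound. The following is an added example, not code from the original post: it parses raw IRC lines, isolates the source nick from the prefix (the part before `!`; a prefix without `!` is a server name, checked against the RFC 2812 63-character server-name limit instead), and flags any line whose source field exceeds the limit. The sample lines, the limit names and the `scan` helper are constructed for this example.

```python
from typing import List, Optional, Tuple

# RFC 1459 caps nicknames at 9 characters; the length check described in the
# post only rejects counts greater than 10, so anything above 9 is worth flagging.
MAX_NICK_LEN = 9
# RFC 2812 caps server names at 63 characters (used for prefixes without '!').
MAX_SERVER_LEN = 63


def parse_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one raw IRC line into (prefix, command, params).

    prefix is the text after a leading ':' up to the first space, or None.
    A trailing ':' argument is kept as a single params item.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def oversized_source(line: str,
                     nick_limit: int = MAX_NICK_LEN,
                     server_limit: int = MAX_SERVER_LEN) -> Optional[Tuple[str, str, int]]:
    """Return (command, kind, length) when the line's source field is too long.

    kind is "nick" for nick!user@host prefixes and "server" for bare server
    names. Lines without a prefix, or within the limit, return None.
    """
    prefix, command, _ = parse_line(line)
    if prefix is None:
        return None
    if "!" in prefix:
        field, limit, kind = prefix.split("!", 1)[0], nick_limit, "nick"
    else:
        field, limit, kind = prefix, server_limit, "server"
    if len(field) <= limit:
        return None
    return command, kind, len(field)


def scan(lines: List[str], **limits) -> List[Tuple[int, str, str, int]]:
    """Return [(line index, command, kind, length)] for every oversized source."""
    hits = []
    for i, line in enumerate(lines):
        found = oversized_source(line, **limits)
        if found:
            hits.append((i,) + found)
    return hits


# Constructed sample traffic (not captured data): a normal PRIVMSG, a PRIVMSG
# whose nick has the 315-byte length from the post, a server PING, and a NOTICE.
SAMPLE_LINES = [
    ":alice!alice@host.example PRIVMSG #chan :hello\r\n",
    ":" + "A" * 315 + "!u@host.example PRIVMSG bob :x\r\n",
    "PING :irc.server.example\r\n",
    ":bob!b@host.example NOTICE alice :hi\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("line %d: %s from oversized %s (%d chars)" % hit)
```

Running the block reports only the second sample line (a PRIVMSG with a 315-character nick); the server PING and the two normal-length nicks pass. Dropping or truncating such a line before it reaches the client removes the trigger described above without touching normal traffic.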