CVE-2003-1336
published 2003-12-31

CVE-2003-1336: Buffer overflow in mIRC before 6.11 allows remote attackers to execute arbitrary code via a long irc:// URL.

Priority: P347, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.71% (98.3th percentile)

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| mirc   | mirc    | <= 6.1        |          |

Detection & IOCs (extracted from sources)

version: mIRC 6.1 (vulnerable; fixed in 6.11)
bytes: \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8\x44\x80\xbf\x77
  • Payload bad characters for this exploit are: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 — shellcode in network traffic will avoid these bytes
  • SEH-based overflow: monitor for structured exception handler overwrites in mIRC process triggered by irc:// protocol handler invocation
  • Buffer overflow offset is 1442 bytes (Win2000) or 1414 bytes (WinXP SP0/SP1); alert on irc:// URLs exceeding ~1400 characters in HTTP responses or email content
  • Exploit targets are version- and OS-specific; return addresses differ between Windows 2000 and Windows XP SP0/SP1, so detections relying on exact return address values will not generalize across platforms
  • Post-exploitation stability is poor; mIRC crashes after the shellcode payload (e.g. cmd.exe) exits, which may affect persistence-oriented payloads
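
The length-based alert in the list above can be implemented without any return-address matching. This is an added example, not code from this page or its sources: it measures the run after `irc://` that contains none of the listed bad characters, since a normal URL ends that run quickly at `:` or `/`. The function name and the sample inputs are assumptions constructed for illustration.

```python
import re

# Values taken from the page: payload bad characters, per-OS overflow
# offsets, and the suggested ~1400-character alert threshold.
BAD_CHARS = bytes.fromhex("00 09 0a 0d 20 22 25 26 27 2b 2f 3a 3c 3e 3f 40")
OFFSETS = {"Win2000": 1442, "WinXP SP0/SP1": 1414}
THRESHOLD = 1400

SCHEME = re.compile(rb"irc://", re.IGNORECASE)


def scan_irc_urls(data: bytes, threshold: int = THRESHOLD) -> list:
    """Return one finding per irc:// URL in raw HTTP or e-mail content.

    The measured run is the stretch after "irc://" that contains none of
    the bad characters; a normal URL ends that run at ':' or '/'.
    """
    findings = []
    for m in SCHEME.finditer(data):
        end = m.end()
        while end < len(data) and data[end] not in BAD_CHARS:
            end += 1
        run_len = end - m.end()
        findings.append({
            "offset": m.start(),
            "run_len": run_len,
            "alert": run_len >= threshold,
            # Platforms whose listed offset this run is long enough to reach.
            "reaches": [name for name, off in OFFSETS.items() if run_len >= off],
        })
    return findings


# Constructed sample inputs (not captured traffic); filler is plain 'A' bytes.
BENIGN = b'<a href="irc://irc.example.net:6667/help">Join support</a>'
SUSPECT = b'<iframe src="IRC://' + b"A" * 1420 + b'"></iframe>'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        for finding in scan_irc_urls(body):
            print(label, finding)
```

Because the check keys on length rather than on specific addresses, it applies to both the Windows 2000 and Windows XP variants described above.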