CVE-2003-1336
Published 2003-12-31
CVE-2003-1336: Buffer overflow in mIRC before 6.11 allows remote attackers to execute arbitrary code via a long irc:// URL.
Priority P347 · critical 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.71% (98.3th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mirc | mirc | <= 6.1 | — |
Detection & IOCs (extracted from sources)
bytes
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x8d\x45\xf8\x50\xb8\x44\x80\xbf\x77
- Payload bad characters for this exploit are: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40; shellcode in network traffic will avoid these bytes
- SEH-based overflow: monitor for structured exception handler overwrites in the mIRC process triggered by irc:// protocol handler invocation
- Buffer overflow offset is 1442 bytes (Win2000) or 1414 bytes (WinXP SP0/SP1); alert on irc:// URLs exceeding ~1400 characters in HTTP responses or email content
- Exploit targets are version- and OS-specific; return addresses differ between Windows 2000 and Windows XP SP0/SP1, so detections relying on exact return address values will not generalize across platforms
- Post-exploitation stability is poor; mIRC crashes after the shellcode payload (e.g. cmd.exe) exits, which may affect persistence-oriented payloads
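The length check from the detection notes above, as an added example (not part of the source page or of any exploit code indexed here): it scans an HTTP body or e-mail part for irc:// URLs, flags those past the ~1400-byte mark, and records whether the URL sits in an iframe, the delivery method the Exploit-DB entry on this page describes. The function name, finding fields, severity tiers and sample input are assumptions of this example.

```python
import re

# Threshold from the detection note: overflow offsets are 1414 and 1442 bytes,
# so anything past ~1400 bytes is worth an alert.
LONG_IRC_URL = 1400

# Bytes patterns, so high bytes in a payload count one-for-one toward length.
# The URL ends at whitespace, a quote or an angle bracket; all of these are in
# the exploit's bad-character list, so a payload cannot contain them.
IRC_URL = re.compile(rb"irc://[^\s\"'<>]*", re.IGNORECASE)
FRAME_TAG = re.compile(rb"<\s*i?frame\b[^>]*$", re.IGNORECASE)


def scan(content, threshold=LONG_IRC_URL):
    """Return one finding per irc:// URL in an HTTP body or e-mail part."""
    data = content.encode("utf-8") if isinstance(content, str) else content
    findings = []
    for m in IRC_URL.finditer(data):
        url = m.group(0)
        # Is the URL inside a still-open <iframe>/<frame> tag (loads without a click)?
        tag_start = data.rfind(b"<", 0, m.start())
        in_frame = tag_start != -1 and bool(FRAME_TAG.match(data[tag_start:m.start()]))
        oversized = len(url) > threshold
        findings.append({
            "offset": m.start(),
            "length": len(url),
            "non_printable": sum(1 for b in url if b < 0x20 or b > 0x7E),
            "in_frame": in_frame,
            # Severity tiers are this example's assumption, not from the page.
            "severity": "alert" if oversized else "review" if in_frame else "info",
        })
    return findings


# Constructed sample: a normal link plus an auto-loading frame with inert filler.
SAMPLE = (
    b'<a href="irc://irc.example.net/#help">chat</a>\n'
    b'<iframe src="irc://' + b"A" * 1500 + b'"></iframe>\n'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run it against decoded HTTP response bodies or MIME parts; HTML entity or transfer encoding has to be undone before the scan.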
No detection rules found.
Exploit-DB
mIRC - IRC URL Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: mirc_irc_url.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'mIRC IRC URL Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in mIRC 6.1. By
submitting an overly long and specially crafted URL to
the 'irc' protocol, an attacker can overwrite the buffer
and control program execution.
},
'License' => MSF_LICENSE,
'Author' => 'MC',
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2003-1336'],
[ 'OSVDB', '
Exploit-DB
mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow
exploitdb·2003-10-21
---
/** remote mirc 998 chars to someone on IRC is simply NOT done :)
** Then I remember the iframe-irc:// flaw found by uuuppzz [2]
**
** This exploit will write a malicious HTML file containing an iframe executing the
** irc:// address. So you can give this to anyone on IRC for example ;)
** The shellcode included does only execute cmd.exe, because I don't want this to be
** a scriptkiddy util. But, replacing the shellcode with your own is also possible.
** A 400-byte shellcode (bindshell etc.) easily fits in the buffer, but it may require
** some tweaking.
** After exiting the cmd.exe mIRC will crash, so the shellcode is not 100% clean, but who carez :)
**
** Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started.
Metasploit
mIRC IRC URL Buffer Overflow
metasploit
This module exploits a stack buffer overflow in mIRC 6.1. By submitting an overly long and specially crafted URL to the 'irc' protocol, an attacker can overwrite the buffer and control program execution.
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0060.html
- http://secunia.com/advisories/9996
- http://www.osvdb.org/2665
- http://www.securiteam.com/windowsntfocus/6M00B0U8KE.html
- http://www.securityfocus.com/bid/8819
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13405
Published: 2003-12-31