Two more exploitable holes in the trillian irc module
Date: Thu, 1 Aug 2002 21:10:37 -0400 (EDT)
From: josh@pulltheplug.com
To: bugtraq@securityfocus.com
Subject: Two more exploitable holes in the trillian irc module
Sent the following advisory to trillian: Tue, 16 Jul 2002 16:49:19 -0400 (EDT)
Submitted by : Josh (josh@pulltheplug.com),
omega (mtwoar@hotmail.com) on July 16th, 2002
Vulnerability : Format strings bug and buffer overflow in the IRC client of Trillian
Tested On : Trillian v0.73,0.72
Remote : Yes
Greets to : SooT, zen-parse, arcanum, lockdown, brian, Bryan S.,
#social on ptp, jade, fr3n3tic
There exists a format strings vulnerability in the way trillian handles channel
invites. It's invoked by merely joining a channel, #%n%n%n for example, and inviting the
victim to it. Using a specially crafted invitation it is possible to overwrite EIP or
EBP, depending on the method you chose. While the format strings exploit would be a hard
one to write, treating this as a text book buffer overflow by using a string like
#%4095x<some 4 byte addy here>, you can overwrite EIP with ease. The only problem with
exploitation after overwriting EIP is getting the incredibly large win32 shellcode somewhere
where it can be located, and where it's not broken up. IRC messages allow only 448 bytes
per message. It might be possible, though, to initiate a DCC chat with the user (which they
would have to accept) and store the shellcode there. Another option is to store the
shellcode in multiple messages and have the shellcode itself jump around... either way
exploitation isn't trivial.
The next overflow is entirely unrelated to the above, but exists in the DCC chat
itself. Flooding the user with about 4282 characters in one dcc message will overwrite
EAX.
<begin how we waste our time>
<omega> why does batman always win?
<Josh> hmm, good question, it's not like he has super powers or anything
<omega> jah i know but the ppl he fights do
<Josh> like who?
<omega> well that poison ivy [respectable woman], and mr freeze, and the penguin n
[excrement]
<Josh> wtf power does the penguin have?
<omega> omfg have you taken a look at him? hes deformed++ and he can talk to penguins
<omega> ever seen an angry group of penguins? its quite a site
<Josh> I just always wanted batman to have a bat so he could be all
"hey robin, quick, the bat bat!"
* Text inside []s indicate a politically correct version of what was actually said
</end example of how we waste our time>
