Re: mIRC Buffer Overflow

From: Syzop (syzat_private)
Date: Sun Feb 03 2002 - 10:22:35 PST


    Hi,
    
    David Dorgan wrote:
    
    > An error exists in mIRC's handling of certain messages from the server,
    > making it possible to overflow a static buffer. With carefully constructed
    > messages arbitrary code can be executed.
    
    Just wanted to let you know I discovered this bug a year ago when
    I was brute forcing numerics (+random length arguments).
    However it didn't seem exploitable... guess I was wrong :/... (think my arguments
    were too small or something like that).
    Also another bug which was obviously a buffer overflow was fixed later in
    5.9 so I didn't pay attention anymore to this stuff.
    However I've been using my ircop /crash command for some time >:)
        // bitchx crash: a 004 numeric with its parameters missing
        sendto_one(acptr, ":blah 004 blah :blah blah");
        // mirc crash: a 001 numeric with an overlong target argument
        sendto_one(acptr, ":blah 001 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
    Anyway, I didn't report it so it's your bug now :P.
    
    Cya,
    
        Syzop.
    
    PS: That bitchx bug is just because of a missing argument -> NULL pointer -> crash.
    
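The two crash lines in the post illustrate two different client-side parsing faults: an overlong argument copied into a fixed buffer (the 001 case) and a numeric arriving with fewer parameters than the handler assumes (the 004 case). The following is an added example, not code from the post, from mIRC or from BitchX: a small client-side parser for the server line format, the unbounded-copy pattern next to a bounded handler that also checks the parameter count, run over lines modelled on the ones above. The 32-byte target buffer (NICKBUF), the 440-character argument length, and the helper names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAXPARAMS 15   /* RFC 1459 parameter limit */
#define NICKBUF   32   /* hypothetical fixed-size target buffer in a client */

/* Split "[:prefix] CMD param ... [:trailing]" in place. Returns the param
 * count, -1 on a malformed prefix. Unused params[] slots are NULLed so a
 * handler that skips the count check hits NULL, not stale memory. */
static int irc_parse(char *line, char **prefix, char **cmd, char **params)
{
    int n = 0;
    char *p = line;

    for (int i = 0; i < MAXPARAMS; i++) params[i] = NULL;
    *prefix = NULL;
    if (*p == ':') {                               /* optional source prefix */
        *prefix = ++p;
        if (!(p = strchr(p, ' '))) return -1;
        *p++ = '\0';
    }
    while (*p == ' ') p++;
    *cmd = p;                                      /* numeric or command word */
    if ((p = strchr(p, ' '))) *p++ = '\0';
    while (p && *p && n < MAXPARAMS) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (*p == ':') { params[n++] = p + 1; break; }   /* trailing: rest of line */
        params[n++] = p;
        if ((p = strchr(p, ' '))) *p++ = '\0';
    }
    return n;
}

/* The pattern behind the 001 crash: target copied into a fixed static buffer
 * with no length check. Deliberately unsafe; only called with a short arg. */
static void on_001_unsafe(char **params)
{
    static char nick[NICKBUF];
    strcpy(nick, params[0]);                       /* overflows past 31 bytes */
}

/* Bytes an unbounded strcpy of target would write past the end of NICKBUF. */
static long overflow_bytes(const char *target)
{
    long excess = (long)strlen(target) + 1 - NICKBUF;
    return excess > 0 ? excess : 0;
}

/* Hardened 001: require the argument and refuse anything that will not fit. */
static int on_001_safe(char **params, int nparams, char *nick, size_t nicklen)
{
    if (nparams < 1 || params[0] == NULL) return -1;   /* argument missing */
    if (strlen(params[0]) >= nicklen) return -2;       /* would overflow: drop */
    strcpy(nick, params[0]);                           /* bounded by the check */
    return 0;
}

/* 004 carries <server> <version> <usermodes> <chanmodes>; the BitchX crash
 * was one of these missing and used as if present. */
static int on_004_safe(char **params, int nparams)
{
    if (nparams < 4) return -1;
    for (int i = 0; i < 4; i++) if (params[i] == NULL) return -1;
    return 0;
}

/* Results from the constructed lines, returned so they can be checked. */
struct demo { int n001; long excess; int rc001; int n004; int rc004; int nok; int rcok; };

static struct demo run_demo(void)
{
    char line[600], nick[NICKBUF];
    char *prefix, *cmd, *params[MAXPARAMS];
    struct demo d;

    /* Constructed: ":blah 001 " followed by 440 'x', modelled on the post. */
    memset(line, 'x', sizeof line);
    memcpy(line, ":blah 001 ", 10);
    line[10 + 440] = '\0';
    d.n001 = irc_parse(line, &prefix, &cmd, params);
    d.excess = overflow_bytes(params[0]);
    d.rc001 = on_001_safe(params, d.n001, nick, sizeof nick);

    /* Constructed: the post's 004 line, two params where four are expected. */
    strcpy(line, ":blah 004 blah :blah blah");
    d.n004 = irc_parse(line, &prefix, &cmd, params);
    d.rc004 = on_004_safe(params, d.n004);

    /* Constructed: a normal welcome line, accepted by both handlers. */
    strcpy(line, ":irc.example.net 001 syzop :Welcome to the network");
    d.nok = irc_parse(line, &prefix, &cmd, params);
    d.rcok = on_001_safe(params, d.nok, nick, sizeof nick);
    on_001_unsafe(params);                         /* 5-byte target: no overflow */
    return d;
}

int main(void)
{
    struct demo d = run_demo();
    printf("001 overlong: %d param, strcpy would write %ld bytes past the buffer, safe -> %d\n",
           d.n001, d.excess, d.rc001);
    printf("004 truncated: %d params, safe -> %d\n", d.n004, d.rc004);
    printf("001 normal: %d params, safe -> %d\n", d.nok, d.rcok);
    return 0;
}
```

The hardened handler rejects an oversized argument rather than silently truncating it, so a log entry can record the offending server; the parser NULLs every unused slot so that a handler which still forgets the count check fails on a NULL read, the same symptom the post describes for BitchX, instead of reading whatever the previous line left there.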
    This archive was generated by hypermail 2b30 : Sun Feb 03 2002 - 13:13:27 PST