Hi,

David Dorgan wrote:
> An error exists in mIRC's handling of certain messages from the server,
> making it possible to overflow a static buffer. With carefully constructed
> messages arbitrary code can be executed.

Just wanted to let you know I discovered this bug a year ago when I was
brute-forcing numerics (+ random-length arguments). However, it didn't seem
exploitable... guess I was wrong :/... (think my arguments were too small or
something like that). Also, another bug which was obviously a buffer overflow
was fixed later in 5.9, so I didn't pay attention to this stuff anymore.
However, I've been using my ircop /crash command for some time >:)

    // bitchx crash
    sendto_one(acptr, ":blah 004 blah :blah blah");

    // mirc crash
    sendto_one(acptr, ":blah 001 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
               "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
               "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
               "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
               "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
               "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
               "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");

Anyway, I didn't report it, so it's your bug now :P.

Cya,
Syzop.

PS: That bitchx bug is just because of a missing argument -> NULL pointer -> crash.
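The two crashes above come from the same class of client-side mistake: a numeric handler that copies a server-supplied field into a fixed buffer without checking its length, or indexes a parameter the server never sent. The parser below is an added, hypothetical example of the defensive shape (not mIRC's, BitchX's, or any ircd's code); MAX_PARAM_LEN and the per-numeric minimum parameter counts are assumptions.

```c
#include <string.h>
/* Hypothetical hardened IRC line parser (added example, not mIRC's or
 * BitchX's code). Fields are copied into fixed buffers only if they fit,
 * and a numeric with too few parameters is reported instead of indexed. */
#define MAX_PARAMS    15
#define MAX_PARAM_LEN 128   /* assumed per-field cap */
enum parse_result { PARSE_OK, PARSE_NO_COMMAND, PARSE_PARAM_TOO_LONG, PARSE_TOO_FEW_PARAMS };
struct irc_msg {
    char command[MAX_PARAM_LEN];
    char params[MAX_PARAMS][MAX_PARAM_LEN];
    int  nparams;
};
/* Length of the token at p: up to the next space or the end of the line. */
static size_t token_len(const char *p)
{
    const char *sp = strchr(p, ' ');
    return sp ? (size_t)(sp - p) : strlen(p);
}

/* Copy n bytes into a MAX_PARAM_LEN buffer; refuse anything that will not fit. */
static int bounded_copy(char *dst, const char *src, size_t n)
{
    if (n >= MAX_PARAM_LEN) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse ":prefix CMD p1 p2 :trailing". min_params is what the handler for
 * CMD needs before it may touch out->params[]; fewer is an error, not NULL. */
enum parse_result parse_irc_line(const char *line, int min_params, struct irc_msg *out)
{
    const char *p = line;
    size_t n;
    memset(out, 0, sizeof *out);
    if (*p == ':') p += token_len(p);            /* skip the server prefix */
    while (*p == ' ') p++;
    if ((n = token_len(p)) == 0) return PARSE_NO_COMMAND;
    if (bounded_copy(out->command, p, n) < 0) return PARSE_PARAM_TOO_LONG;
    p += n;
    while (*p && out->nparams < MAX_PARAMS) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        n = (*p == ':') ? strlen(++p) : token_len(p);   /* ':' starts trailing */
        if (bounded_copy(out->params[out->nparams++], p, n) < 0) return PARSE_PARAM_TOO_LONG;
        p += n;
    }
    return out->nparams < min_params ? PARSE_TOO_FEW_PARAMS : PARSE_OK;
}
```

With this shape, a 004 carrying fewer parameters than its handler requires and a 001 whose target exceeds the buffer both come back as error codes the caller can log and drop, rather than a NULL dereference or an overflow.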
This archive was generated by hypermail 2b30 : Sun Feb 03 2002 - 13:13:27 PST