
Server side IRC client fuzzing

(added 2/8/2007)

Recently, a bunch of botnet channels were found on the PullThePlug IRC server, and this was brought to my attention. After quickly auditing the software the bots claimed to be (according to their CTCP VERSION reply), I noticed what looked like a fairly standard stack smash (in somewhat ugly code). To test this possible bug, I needed to be able to write a string of more than 2048 bytes to the client, from the server side. Strings of this length are not generally possible to send without some hackery, as the IRC protocol dictates a maximum line length of 512 bytes (510 bytes plus the terminating \r\n). So a mechanism was required to send the string(s) needed to trigger any bugs.

One way of implementing this would be to write an ircd module to perform the required exploitation… However, I decided on a more generic approach, which allows for faster exploit development time :), and a more stable irc server :)

To implement this, I wrote an ircd module which opens a unix socket and sends the client's file descriptor over it, plus some code (in python) to receive the socket on the other end.

Under unix systems, IPC mechanisms make it possible to send file descriptors from one process to another (see man 7 unix, and look for SCM_RIGHTS). One application of this is implementing the principle of least privilege: a small privileged program performs privileged operations on behalf of a much larger, untrusted program (for example, opening network sockets on ports below 1024) and hands the resulting descriptor over.
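The descriptor-passing mechanism described above, as an added example that is not the ratbox module or the fdcred-based receiver from this page: it uses the standard-library sendmsg()/recvmsg() with SCM_RIGHTS instead. For simplicity it runs both ends in one process over a socketpair() rather than a named unix socket path, accepts a loopback TCP connection standing in for an IRC client, hands the accepted descriptor across, prints the local and remote addresses the way the page's script does, and then writes 3000 bytes through the handed-over socket to show that nothing at this layer enforces the 512-byte line limit. All addresses and payloads are constructed for the demo.

```python
import array
import socket

# Added example (not the page's ratbox module or its fdcred-based receiver): the same
# SCM_RIGHTS descriptor passing done with Python's standard-library sendmsg()/recvmsg().


def send_fd(chan: socket.socket, fd: int) -> None:
    """Send one open descriptor over the unix socket `chan` as SCM_RIGHTS ancillary data."""
    # At least one byte of ordinary payload must accompany the ancillary data.
    chan.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(chan: socket.socket) -> int:
    """Receive exactly one descriptor from `chan`; the kernel dups it into this process."""
    fds = array.array("i")
    _msg, ancdata, _flags, _addr = chan.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Keep only whole ints in case the kernel padded the control message.
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if len(fds) != 1:
        raise RuntimeError("expected exactly one descriptor, got %d" % len(fds))
    return fds[0]


def demo_pass_connected_socket() -> dict:
    """Hand an accepted TCP connection from a 'server' end to a 'receiver' end and use it there.

    Everything runs in one process over a socketpair() for simplicity; the mechanism is
    identical when the two ends live in different processes (ircd vs. fuzzer on the page).
    """
    # Constructed setup: a loopback listener standing in for the IRC server, and one client.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    client_addr = client.getsockname()

    # Server side: push the accepted descriptor through the unix channel, then drop its own copy.
    server_end, receiver_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    send_fd(server_end, conn.fileno())
    conn.close()  # the receiver now holds an independent reference to the same connection

    # Receiver side: wrap the received descriptor as a socket and inspect it, as the page's script does.
    handed_over = socket.socket(fileno=recv_fd(receiver_end))
    info = {
        "local": handed_over.getsockname(),
        "remote": handed_over.getpeername(),
        "client_addr": client_addr,
    }

    # Writing on the raw socket is not bound by the 512-byte IRC line limit.
    payload = b"A" * 3000
    handed_over.sendall(payload)
    received = bytearray()
    while len(received) < len(payload):
        chunk = client.recv(4096)
        if not chunk:
            break
        received += chunk
    info["delivered"] = bytes(received) == payload

    for s in (handed_over, client, listener, server_end, receiver_end):
        s.close()
    return info


if __name__ == "__main__":
    print(demo_pass_connected_socket())
```

Note that once the descriptor has been sent, the sending side can close its own copy without affecting the connection: both descriptors refer to the same open file description, which is exactly what lets a privileged helper open a resource and then get out of the way.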

The ratbox 2.1.8 module can be found here, and the python code to receive the file descriptor here. The python code requires the fdcred package to receive the file descriptor. The sample python code will print out the socket information (local and remote ip addresses and ports) and exit. To perform the actual fuzzing, I modified ilja's ircfuzz.c to use an already connected socket, and to work a tad better for my purposes. The modified version is available here. The complete python script for fuzzing is here.

Once the ratbox module (a modification to contrib/Makefile is required) has been compiled and loaded, it can be used via /quote fdsend nick /path/to/socket, where the socket path is the one defined in the slayerforums.py script above.

All in all, this works rather well for what I wanted, although the bug didn't trigger in the package the bots claimed to be running… However, the above code can be reused for various future purposes :)