Category:   Application (Generic)  >   MSN666 Vendors:   Seo, Seunghyun
MSN666 Sniffer For MSN Messenger Traffic Has Buffer Overflow That Lets Remote Users Execute Arbitrary Code on the Sniffer to Gain Root Access
SecurityTracker Alert ID:  1004538
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 14 2002
Impact:   Execution of arbitrary code via network, Root access via network

Description:   GOBBLES Security Labs reported a buffer overflow vulnerability in the MSN666 network sniffer for capturing MSN Messenger traffic. A remote user can execute arbitrary code on the sniffer with root level privileges.

The buffer overflow reportedly resides in the pattern2() function in the 'msn666.c' file. An sscanf() call writes a string into a 16-character variable without checking the length of the string. The string is taken from the sniffed IP packet and may be longer than 16 characters. This code path is reportedly reached when a sniffed packet's TCP PSH flag is set.

A remote user can send a specially crafted TCP packet with the PSH flag set and destined for an arbitrary host on the MSN Messenger port (1863) to trigger the buffer overflow and overwrite the EIP address on the host running the MSN666 sniffer. This allows the remote user to execute arbitrary code on the vulnerable host.
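As an added example (not code from the advisory or from msn666 itself), a hardened counterpart of the pattern2() excerpt: the scan is bounded by the captured length (the advisory's otherwise unused size argument) and the store by the buffer size, with the sscanf() width specifier shown as the equivalent fix for NUL-terminated input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define OPMSG_LEN 16   /* same buffer size as the advisory's opmsg[16] */

/* Hardened counterpart of pattern2(): extract the first whitespace-
 * delimited token of a sniffed payload into opmsg without overrunning
 * it. msg is raw packet data that may not be NUL-terminated, so the
 * scan is bounded by size. Returns 1 if the token was truncated to
 * fit, 0 if it fit, -1 if no token was found. */
int pattern2_safe(const char *msg, int size, char opmsg[OPMSG_LEN])
{
    int i = 0, n = 0;

    opmsg[0] = '\0';
    if (msg == NULL || size <= 0)
        return -1;

    /* skip leading whitespace, as sscanf("%s") would */
    while (i < size && isspace((unsigned char)msg[i]))
        i++;
    if (i == size || msg[i] == '\0')
        return -1;

    /* copy at most OPMSG_LEN-1 bytes, always leaving room for the NUL */
    while (i < size && msg[i] != '\0' && !isspace((unsigned char)msg[i])) {
        if (n == OPMSG_LEN - 1) {
            opmsg[n] = '\0';
            return 1;   /* token longer than the buffer: truncated */
        }
        opmsg[n++] = msg[i++];
    }
    opmsg[n] = '\0';
    return 0;
}

/* The same guarantee expressed with sscanf itself: a width of 15 caps
 * the store at 15 bytes plus the NUL. Only valid when msg is known to
 * be NUL-terminated, which raw packet data is not guaranteed to be. */
int pattern2_sscanf(const char *msg, char opmsg[OPMSG_LEN])
{
    opmsg[0] = '\0';
    return sscanf(msg, "%15s", opmsg) == 1 ? 0 : -1;
}
```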

Impact:   A remote user can cause arbitrary code to be executed by the sniffer. Because the sniffer runs with root level privileges, the remote user can then gain root access on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Exploit Code is Available) Re: MSN666 Sniffer For MSN Messenger Traffic Has Buffer Overflow That Lets Remote Users Execute Arbitrary Code on the Sniffer to Gain Root Access
Some demonstration exploit code has been released.

Source Message Contents





This emergency GOBBLES SECURITY LABS (GSL) release for immediate
release. Security of team bugtraq penetrator at risk@@!@! HURRY!

Moderatorz, please approve this post immediately as the dozens
of readers of your lists are probably marvelling at the functionality
of this program right now, since it was just released, and
are at a high risk of having this dastardly backdoor exploited!


msn666 sniffer for sniffing msn is in reality malicious blackhat
root backdoor. msn666 sniffer for sniffing msn has just been released
on team bugtraq penetrator list:


GOBBLES-scan-incoming detect following in incoming backdoor package
e-mail of msn666 sniffer for sniffing msn:



void pattern2 ( char *msg, int size )
{
        char opmsg[16];

        /* "%s" has no width limit: it copies until whitespace, so a
           sniffed payload longer than 15 bytes overruns the 16-byte
           opmsg. The size argument is never used to bound the copy. */
        sscanf ( msg, "%s", &opmsg );
}

It is called like this from runpkt():

        if ( (int)htons(tcp->dest) == 1863 || ok_flg ) {

                if ( tcp->psh ) {
                        /* buf holds attacker-controlled packet data */
                        memcpy ( buf, data, sizeof(buf) );
                        pattern2( buf, htons(ip->tot_len)-40 );
                }
        }

GOBBLES think it quite obvious this is malicious root backdoor
in msn666 sniffer for sniffing msn.


GOBBLES not going to release he exploit code. Code for this is
sloppy and contain lot of overflows. It too embarrassing to
publish to team bugtraq penetrator. But GOBBLES SECURITY LAB
(GSL) members are working on new version with -m capabilities.
It utilizes libnet.

  \                                  ,+*^^*+___+++_
   \                           ,*^^^^              )
    \                       _+*                     ^**+_
     \                    +^       _ _++*+_+++_,         )
              _+^^*+_    (     ,+*^ ^          \+_        )
             {       )  (    ,(    ,_+--+--,      ^)      ^\
            { (@)    } f   ,(  ,+-^ __*_*_  ^^\_   ^\       )
           {:;-/    (_+*-+^^^^^+*+*<_ _++_)_    )    )      /
          ( /  (    (        ,___    ^*+_+* )   <    <      \
           U _/     )    *--<  ) ^\-----++__)   )    )       )
            (      )  _(^)^^))  )  )\^^^^^))^*+/    /       /
          (      /  (_))_^)) )  )  ))^^^^^))^^^)__/     +^^
         (     ,/    (^))^))  )  ) ))^^^^^^^))^^)       _)
          *+__+*       (_))^)  ) ) ))^^^^^^))^^^^^)____*^
          \             \_)^)_)) ))^^^^^^^^^^))^^^^)
           (_             ^\__^^^^^^^^^^^^))^^^^^^^)
             ^\___            ^\__^^^^^^))^^^^^^^^)\\
                     ___) >____) >___   ^\_\_\_\_\_\_\)
                    ^^^//\\_^^//\\_^       ^(\_\_\_\)
                      ^^^ ^^ ^^^ ^


First GOBBLES run msn666 sniffer for sniffin msn on secure test machine:

# ./msn666

Then GOBBLES run he GOBBLES-own-msn666.c on he Local Area Network (LAN):

# ./GOBBLES-own-msn666  xxxxxxxxxxxxxxxxxxxxxxxx
!@# GOBBLES-own-msn666 packet sent !@#

Then GOBBLES go to run to other terminal in much anticipation and notice

# ./msn666
Segmentation fault (core dumped)

Then GOBBLES get out he autographed hardcopy of Smashing the stack for
fun and the profit. And explore msn666 coredump and he notice following:

(gdb) info reg eip
eip            0x78787878       0x78787878

That mean GOBBLES now have saved team bugtraq penetrator from malicious
remote root backdoor hole in msn666 sniffer for sniffing msn. GOBBLES
expect he thank you e-mails at hehehe ;PPpPPPP

doug sniff, when are you going to quit being such a filthy blackhat and
provide the rest of the fame-seeking community with information
concerning this devastating remote bug in Epic?  Unless you were just
fabricating that as the means of penetration to your system, when in
fact you really don't know...

Tony Monroe, cowsay is the _best_ program ever written.  For those of
you who don't understand how to decypher the mystique of,
go to -- this is the best
thing you'll ever get a chance to use.
