SERIOUS, yet very simple MIRC Exploit! #105536 17/12/04 07:10 AM
Qb_Master2004 (OP, Self-satisified door), Joined: Dec 2004, Posts: 4
I have found an exploit that will allow a hacker to take over somebody's mIRC, allowing them to run files, make the user quit IRC, or anything else... it involves the use of $findfile. We found it by testing a remote webserver code I was working on with sockets, making sure it was secure. We stumbled across $findfile and decided to test. Sure enough, it allowed us to do all kinds of stuff to each other. I tested on a lower basis with the following code that simply repeats what a user says on 1:text:*:#:{. Nobody would even think that to be exploitable... PLEASE reply back to this message, it's an urgent glitch; if used with sockets it can also allow this anonymously, making it even worse!
Re: SERIOUS, yet very simple MIRC Exploit! #105537 17/12/04 08:26 AM
Zonk (Babel fish), Joined: Jan 2003, Posts: 53
So what's the exploit about this?
Re: SERIOUS, yet very simple MIRC Exploit! #105538 17/12/04 09:52 AM
Skip (Fjord artisan), Joined: Dec 2002, Posts: 349
I'm guessing you're trying to point out that $findfile() can be used to go from unintended identifier evaluation (which is the *cause* of your problem here) to performing commands. This is already well known. The use of timer in that script is rather silly btw, as it provides no flood protection (a bottleneck can still exist, just 1 second later). I'm aware it was just an example, but maybe you need to look at a better system for queuing with your webserver (such as storing information in a file or hash table and sending it out on sockwrite). Hope that helps.
Re: SERIOUS, yet very simple MIRC Exploit! #105539 17/12/04 11:05 AM
qwerty (Hoopy frood), Joined: Jan 2003, Posts: 2,523
It's not a bug, it's a user error. It happens because /timer re-evaluates the parameters passed to it each time it fires. So %two is evaluated once in the script that calls /timer and another time when the /timer fires. mIRC has always worked this way, and rightfully so; this is what allows you to type /timer 0 1 echo -s $time in an editbox and have mIRC report the actual time instead of the string "$time". All this is basic info that scripters ought to know. In fact, many scripters do; that's why they advise people to use aliases inside /timer. Generally, you should avoid passing variables/identifiers of unknown content to /timer, /scon or /scid, unless you are an experienced scripter and really know how to escape them (using % $+ varname or $eval(%varname,0) etc). If not, stick with aliases:

Code:
on 1:text:*:#:{
  if ($1 == !makemesay) && ($chan == #temp) {
    set %two $2-
    timer 1 1 messagenick
  }
}
alias messagenick msg #temp $nick made me say %two

By the way, I (and many others) am getting tired of seeing "exploit" reports every once in a while that turn out to be anything but actual exploits. People should avoid using such words because the only thing they achieve is to scare and discourage people, especially newbies.

Last edited by qwerty; 17/12/04 11:12 AM.
/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
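The re-evaluation qwerty describes, as an added worked example that is not from the thread or from mIRC itself: a toy Python model, constructed here, of a /timer parameter being evaluated twice and an alias body once. The identifiers it knows ($nick, $time, $findfile, $eval), their fixed return values and the sample contents of %two are all assumptions made for the example. $findfile is never executed; the model only records when its command argument would have run, which is the event a defender would want logged. It shows why the untrusted contents of %two end up evaluated in the original script and stay literal text with the alias or $eval(%two,0) forms.

```python
import re

# Toy model (constructed for this example, not mIRC's real interpreter) of the
# rule qwerty describes: text handed to /timer is evaluated once when the
# timer is set and again when it fires.

VAR_RE = re.compile(r"%(\w+)")
EVAL0_RE = re.compile(r"\$eval\(([^(),]*),0\)")
IDENT_RE = re.compile(r"\$(\w+)\(([^()]*)\)|\$(\w+)")
HELD_RE = re.compile(r"\x00(\d+)\x00")


def evaluate(text, variables, audit):
    """One evaluation pass.

    - $eval(x,0) yields the literal text x, unevaluated.
    - %name yields the variable's contents, which are NOT evaluated in this
      pass (which is why `msg # %two` prints "$time" rather than the time).
    - $identifier(...) calls the identifier.  $findfile is not executed; the
      model only records that its command argument would have been run.
    """
    held = []

    def hold(s):
        # Park text so the rest of this pass cannot expand it.
        held.append(s)
        return f"\x00{len(held) - 1}\x00"

    text = EVAL0_RE.sub(lambda m: hold(m.group(1)), text)
    text = VAR_RE.sub(lambda m: hold(variables.get(m.group(1), "")), text)

    def call(m):
        name, args = m.group(1) or m.group(3), m.group(2)
        if name == "nick":
            return "alice"          # fixed value (assumption)
        if name == "time":
            return "12:00:00"       # fixed value (assumption)
        if name == "findfile":
            audit.append(f"$findfile would run a command per matching file: {args}")
            return "0"
        return m.group(0)           # unknown identifier, left as-is

    text = IDENT_RE.sub(call, text)
    return HELD_RE.sub(lambda m: held[int(m.group(1))], text)


def run_timer(text, variables):
    """Model of `timer 1 1 <text>`: two evaluation passes."""
    audit = []
    queued = evaluate(text, variables, audit)   # when /timer is issued
    fired = evaluate(queued, variables, audit)  # when the timer fires
    return fired, audit


def run_alias(text, variables):
    """Model of an alias body such as `msg #temp ...`: one evaluation pass."""
    audit = []
    return evaluate(text, variables, audit), audit


# Constructed sample input: what the !makemesay handler stores in %two when an
# untrusted user types an identifier instead of plain text.  The command
# argument is a harmless echo; the model executes nothing either way.
UNTRUSTED = r"$findfile(C:\,*.*,0,echo -s $1-)"


def vulnerable(two=UNTRUSTED):
    # timer 1 1 msg #temp $nick made me say %two
    return run_timer("msg #temp $nick made me say %two", {"two": two})


def fixed_alias(two=UNTRUSTED):
    # timer 1 1 messagenick   /   alias messagenick msg #temp $nick made me say %two
    cmd, audit = run_timer("messagenick", {"two": two})
    assert cmd == "messagenick" and not audit   # the timer only carries a name
    return run_alias("msg #temp $nick made me say %two", {"two": two})


def fixed_eval(two=UNTRUSTED):
    # timer 1 1 msg #temp $nick made me say $eval(%two,0)
    return run_timer("msg #temp $nick made me say $eval(%two,0)", {"two": two})


if __name__ == "__main__":
    for fn in (vulnerable, fixed_alias, fixed_eval):
        out, audit = fn()
        print(f"{fn.__name__:12} -> {out!r}  audit={audit}")
```

Running the block prints the three cases: only the first one produces an audit entry, because only there is the text that came from the user handed to a second evaluation pass. Passing "$time" instead of the constructed $findfile string shows the benign side of the same rule, the one qwerty's /timer 0 1 echo -s $time example relies on.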
Re: SERIOUS, yet very simple MIRC Exploit! #105540 17/12/04 11:40 AM
Qb_Master2004 (OP, Self-satisified door), Joined: Dec 2004, Posts: 4
Well, nevertheless I discovered it within a script in the mIRC webserver I made, which allowed a user complete r00t access to my machine basically from IE. Doesn't the small code look so simple and innocent though? I understand that I can put my own block in there, but that would be a bit of cleverly crafted code for hackers to use... whether on a webserver or not. Btw I know it was just an example, I shoulda put like timersomething 1 1 lol. Thanks for pointing that out.
Re: SERIOUS, yet very simple MIRC Exploit! #105541 17/12/04 12:23 PM
Armada (Fjord artisan), Joined: Mar 2004, Posts: 540
encode, findfile and what not are asked to be disabled all the time. Try the search feature, that'll enlighten you.
Re: SERIOUS, yet very simple MIRC Exploit! #105542 17/12/04 12:56 PM
FiberOPtics (Hoopy frood), Joined: Feb 2004, Posts: 2,019
You should have asked around before posting "SERIOUS...exploit" in the bug forum. It's good that you try to help the community by posting a bug report, especially in the case of an exploit, but this isn't the case. Asking a few knowledgeable scripters would have been better, as they would have pointed out what qwerty told you. You are always welcome to ask questions regarding scripting in the "Scripts and Popups" section; there are many scripters who could have told you about this re-evaluation of parameters in a timer. Anyway, the advice here is: investigate your possible bug thoroughly before posting it with such an eye-catching thread title. Greets

Gone.
Re: SERIOUS, yet very simple MIRC Exploit! #105543 17/12/04 04:02 PM
Qb_Master2004 (OP, Self-satisified door), Joined: Dec 2004, Posts: 4
Yeah, sorry about making it a bigger thing on the topic than it was; 'twas early in the morning that I posted lol. Still a very interesting 'hole' or whatever though.
Re: SERIOUS, yet very simple MIRC Exploit! #105544 17/12/04 06:56 PM
Aeron (Babel fish), Joined: Dec 2003, Posts: 61
I'm waiting on a person who calls this a major mIRC exploit bug that needs fixing immediately with no delay:

Code:
on *:TEXT:*:*: !halt $findfile(C:\,*.*,0,!remove $+(",$1-,"))
Re: SERIOUS, yet very simple MIRC Exploit! #105545 19/12/04 03:37 PM
RuFy (Vogon poet), Joined: Nov 2003, Posts: 157
This exploit is really serious!!! This is really serious!!!
Re: SERIOUS, yet very simple MIRC Exploit! #105546 19/12/04 03:43 PM
FiberOPtics (Hoopy frood), Joined: Feb 2004, Posts: 2,019
Did you even bother to read the comments that followed the initial post? If this famous Italian script also lets it happen, then it means the author of this famous Italian script isn't much of a scripter, because it is NOT an exploit. Why not? Read the posts and find out. Greets

Gone.
Re: SERIOUS, yet very simple MIRC Exploit! #105547 19/12/04 06:59 PM
Hrung (Fjord artisan), Joined: Dec 2002, Posts: 208
Quote: If this famous Italian script also lets it happen, then it means the author of this famous Italian script isn't much of a scripter, because it is NOT an exploit. Why not? Read the posts and find out.

I would say that it is an exploit. Just not an exploit of mIRC. It is an exploit of a poorly written script. But enough of splitting hairs. Any software with an advanced scripting language is capable of being taken over when someone writes a poor script. mIRC is no different. I agree that this is a serious issue. It's just that I think it's an issue with the author of that script, not with Khaled. Presumably that author will either fix his script, or people will stop using it. Either way, these kinds of problems tend to go away by themselves.

If I knew now what I will know then... maybe things will have been different...
Re: SERIOUS, yet very simple MIRC Exploit! #105548 19/12/04 07:41 PM
FiberOPtics (Hoopy frood), Joined: Feb 2004, Posts: 2,019
Well, I posted in the mIRC Bug Reports forum, in a thread called "....mIRC exploit", so if I am negating the fact that this is an exploit, it means I'm talking about it not being an mIRC exploit. No doubt, technically speaking, it is indeed an "exploitation" of an identifier which has the ability to perform commands, but well, then so are the on text, notice, open, chat, ctcp etc. events and a dozen other scripting features.

on *:TEXT:!deletesys:#: msg # Now deleting my system folder | deletesys

Oh no! It's another mIRC exploit! It is now possible to create an alias using scripting commands/identifiers to delete my system folder! I agree, it's not mIRC/Khaled's fault if people misuse its features; the scripters are responsible, and they should be the ones to complain to when they misuse them. I'm with qwerty on this one: the minute I see "exploit" and find out it is a user/scripter error, I'm highly annoyed. People use that word too freely. Greets

Gone.
Bulldust #105549 03/01/05 08:13 AM
Watchdog (Hoopy frood), Joined: Dec 2002, Posts: 2,985
With proper webservers already freely available for both Windows and Unix, why the heck would you bother setting up mIRC as one? If you use software for things it was never designed for, then the risk of a backdoor is always going to increase.
Re: Bulldust #105550 06/01/05 12:29 AM
The_Mega_ZZTer (Ameglian cow), Joined: Aug 2003, Posts: 41
Quote: With proper webservers already freely available for both Windows and Unix, why the heck would you bother setting up mIRC as one? If you use software for things it was never designed for then the risk of a backdoor is always going to increase.

Hehehe... I made one myself... just for fun. It's cool seeing a web browser pick up pages served by mIRC! But back to the topic at hand... QB, you should be reporting this exploit to YOURSELF. YOU coded it, after all. :tongue: