DK, you've failed to see the problem here. #$version evaluates the same as $version, so it's the _channel_ that can evaluate too. Regardless of Linux, mIRC commands can be executed and that is the problem. I gave an irrelevant Linux example so s'kiddies wouldn't take it and run rampage, but it's remarkably easy to convert to Windows.

Here's an example for you:
1. /write -c C:\text.txt $version (note the use of only 1 slash so no evaluation)
2. //echo -a -- $read(C:\text.txt) <--- the literal text '$version' is evaluated as code, thus this is unsafe.
3. //echo -a -- $read(C:\text.txt,n) <--- the literal text '$version' is not evaluated as code, thus this is safe.

How could your example be used to take over someone's computer? Well, I already demonstrated that in the simpler way. Using the same method as above:
1. /write -c C:\text.txt #$findfile($mircdir,*.*,1,1,run cmd.exe)
2. //echo -a -- $read(C:\text.txt) <--- you now have cmd.exe open

According to the IRC draft, a channel can't have spaces or commas in it, so #$findfile($mircdir,*.*,1,1,run cmd.exe) is an illegal channel name. To avoid that issue, the malicious administrator could write a script that acts as an IRCd and allows the commas (against standards). $+ can be used to remove the spaces. Other mIRC commands can be used, scripts can be written and loaded, etc., etc.

Last edited by s00p; 10/11/09 11:17 PM.
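
Added example, not part of s00p's post: a small Python audit that flags `$read()` calls in mIRC script text that lack the `n` switch, which is the distinction steps 2 and 3 above turn on. It assumes the argument order `$read(filename, switches, ...)` and the switch letters `ntswrp`; the function names and the sample script are constructed for illustration.

```python
import re

SWITCH_CHARS = set("ntswrp")  # assumption: the letters $read accepts as switches

def split_args(s):
    """Split an argument string on top-level commas, respecting nested ()."""
    args, depth, cur = [], 0, ""
    for ch in s:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()]

def read_calls(line):
    """Yield the raw argument string of every $read(...) call in a line."""
    for m in re.finditer(r"\$read\(", line, re.IGNORECASE):
        depth, i = 1, m.end()
        while i < len(line) and depth:
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            i += 1
        if depth == 0:  # skip calls whose closing parenthesis is missing
            yield line[m.end():i - 1]

def unsafe_reads(script):
    """Return (line_no, call) for each $read whose switches do not include n."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        for raw in read_calls(line):
            args = split_args(raw)
            sw = args[1].lower() if len(args) > 1 else ""
            is_switches = bool(sw) and set(sw) <= SWITCH_CHARS
            if not (is_switches and "n" in sw):
                findings.append((no, "$read(" + raw + ")"))
    return findings

# Constructed sample script: lines 1 and 3 evaluate file content, 2 and 4 do not.
SAMPLE = r"""alias show1 { echo -a -- $read(C:\text.txt) }
alias show2 { echo -a -- $read(C:\text.txt,n) }
alias show3 { echo -a -- $read($mircdir $+ quotes.txt,w,*hello*) }
alias show4 { echo -a -- $read($+($mircdir,log.txt),nt,3) }
"""

if __name__ == "__main__":
    for no, call in unsafe_reads(SAMPLE):
        print(f"line {no}: {call} evaluates file content; add the n switch")
```

A second argument that is not made up purely of switch letters (a line number, a variable) is reported as well, since the check cannot confirm that `n` is in effect.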