text event q, exploit #185954 16/09/07 02:46 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
Code:
on *:TEXT:!page*:#:{ 
  write page.txt Page By $nick $+ : $2- 
  msg $chan Page added $nick
} 


i don't really output the result of the page.txt to the channel at all, but i just want to make sure i'm safe

Re: can this text event be exploited? [Re: pouncer] #185955 16/09/07 02:51 PM
RoCk | Hoopy frood | Joined: Dec 2002 | Posts: 2,021
Someone could type...

edited by author

That could cause you some problems. smirk

Last edited by RoCk; 16/09/07 03:03 PM.
Re: can this text event be exploited? [Re: pouncer] #185956 16/09/07 02:52 PM
noMen | Vogon poet | Joined: Jan 2006 | Posts: 111
No, this text event (or better: this write statement) cannot be exploited. But, in another event where you're gonna read the page, you MUST use the n parameter (like in $read(page.txt, n, ....) to prevent any commands in the page text being evaluated.

Edit: I just read Rock's reply. I am not sure whether $findfile is being evaluated during a write operation, but if so he is right that it can be dangerous! Test this one carefully, but replace the remove command in the timer by some echo command, otherwise you're in trouble.

Last edited by noMen; 16/09/07 02:55 PM.
Re: can this text event be exploited? [Re: RoCk] #185958 16/09/07 03:00 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
hmm wow rock, i will test that for the exploit

Re: can this text event be exploited? [Re: noMen] #185959 16/09/07 03:00 PM
RoCk | Hoopy frood | Joined: Dec 2002 | Posts: 2,021
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...

write page.txt Page By $nick $+ : $eval($2-,2)

Re: can this text event be exploited? [Re: pouncer] #185960 16/09/07 03:00 PM
Riamus2 | Hoopy frood | Joined: Oct 2004 | Posts: 8,330
Like RoCk said, that could easily remove your files.

**Be careful NOT to test what he showed you. If you want to test it, change "remove" to "echo".

You may want to prevent problems by automatically removing $'s, but I'm not sure of a better solution or if that catches all possible problems.


Invision Support
#Invision on irc.irchighway.net
Re: can this text event be exploited? [Re: RoCk] #185961 16/09/07 03:01 PM
Riamus2 | Hoopy frood | Joined: Oct 2004 | Posts: 8,330
Originally Posted By: RoCk
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...

write page.txt Page By $nick $+ : $eval($2-,2)


I tested it by just changing "remove" to "echo" to make sure nothing was removed and it did echo all of the found files.


Re: can this text event be exploited? [Re: Riamus2] #185962 16/09/07 03:04 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
ok guys, thanks

so this seems perfectly safe. just wanted to make sure!

Re: can this text event be exploited? [Re: pouncer] #185964 16/09/07 03:04 PM
Riamus2 | Hoopy frood | Joined: Oct 2004 | Posts: 8,330
I didn't say it was safe...


Re: can this text event be exploited? [Re: Riamus2] #185965 16/09/07 03:05 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
rock why did you remove that code, i wanted to test it for exploit

can someone please paste the $findfile thing again?

Re: text event q, exploit [Re: pouncer] #185966 16/09/07 03:05 PM
hixxy | Hoopy frood | Joined: Sep 2005 | Posts: 2,881
That can't be exploited.

The main things you have to watch out for are $readini, $read, /scon, /scid, /flash and /timer. If you $read() that file without using the 'n' flag, then identifiers within the file will be evaluated, which means people could use $findfile() to execute commands.
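
As an added illustration (not part of any post in this thread, and not taken from mIRC's documentation): a read-back handler for page.txt that uses the 'n' flag described above, with the unguarded form kept as comments for comparison. The `!showpages` trigger and the loop are hypothetical; the `t` switch is an addition so that a first line consisting of a bare number is read as text rather than as a line count.

```mirc
; Added example. The !showpages command is hypothetical; page.txt is the
; file written by the "!page" event in the first post.

; Unguarded read-back, shown commented out for comparison.
; Without the n switch, $read() evaluates the line it returns, so any
; identifier a user typed into a page would be evaluated at this point,
; even though the original write stored it as plain text.
;
; on *:TEXT:!showpages:#:{
;   var %i = 1
;   while (%i <= $lines(page.txt)) {
;     msg $nick $read(page.txt, %i)
;     inc %i
;   }
; }

; Guarded read-back.
;   n = return the line as plain text, with no evaluation
;   t = treat the first line of the file as text even if it is a number
on *:TEXT:!showpages:#:{
  var %i = 1, %total = $lines(page.txt)
  if (%total == 0) {
    msg $nick No pages stored.
    return
  }
  while (%i <= %total) {
    ; The stored text passes through $read() untouched and is sent as-is.
    msg $nick $read(page.txt, nt, %i)
    inc %i
  }
}
```

The same care applies to the other items in the list above: text read this way should not then be handed to a command that evaluates its arguments a second time.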

Re: text event q, exploit [Re: hixxy] #185967 16/09/07 03:06 PM
Riamus2 | Hoopy frood | Joined: Oct 2004 | Posts: 8,330
Then why did it work with changing remove to echo?


Re: text event q, exploit [Re: Riamus2] #185969 16/09/07 03:07 PM
hixxy | Hoopy frood | Joined: Sep 2005 | Posts: 2,881
Eh? There isn't a remove command in his original post confused

Re: text event q, exploit [Re: Riamus2] #185970 16/09/07 03:08 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
riamus can you please put that $findfile line up again? so i can test it myself?

Re: text event q, exploit [Re: hixxy] #185971 16/09/07 03:09 PM
Riamus2 | Hoopy frood | Joined: Oct 2004 | Posts: 8,330
RoCk gave an example of how it can be exploited.

Last edited by Riamus2; 16/09/07 03:34 PM.

Re: text event q, exploit [Re: Riamus2] #185972 16/09/07 03:09 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
PM me the exploit please, thanks. he edited his post to remove it and when i didn't have it pasted before

Re: text event q, exploit [Re: Riamus2] #185973 16/09/07 03:11 PM
hixxy | Hoopy frood | Joined: Sep 2005 | Posts: 2,881
Nothing in the user's text is evaluated, so it cannot be exploited. IF he was using $eval($2-,2), then of course people would be able to exploit it by using $findfile(), but as it is now it's perfectly now.

Re: text event q, exploit [Re: hixxy] #185974 16/09/07 03:12 PM
Riamus2 | Hoopy frood | Joined: Oct 2004 | Posts: 8,330
Then why did it work for me? Or is that just because of doing it from the editbox?

**EDIT: which it probably is now that I'm thinking about it.

Last edited by Riamus2; 16/09/07 03:13 PM.

Re: text event q, exploit [Re: Riamus2] #185975 16/09/07 03:13 PM
hixxy | Hoopy frood | Joined: Sep 2005 | Posts: 2,881
Just to show you..

Quote:
(16:12:58) * Now talking in #hixxytest
(16:13:26) <hixxy_> !page $findfile(c:,*,1,msg #hixxytest t!)
(16:13:28) <@hixxy> Page added hixxy_


No 't!' there.

Edit:

Originally Posted By: Riamus2
Then why did it work for me? Or is that just because of doing it from the editbox?

**EDIT: which it probably is now that I'm thinking about it.


Are you using Rock's version? Which uses $eval($2-,2) instead of just $2-?

Last edited by hixxy; 16/09/07 03:14 PM.
Re: text event q, exploit [Re: Riamus2] #185976 16/09/07 03:13 PM
pouncer (OP) | Hoopy frood | Joined: Oct 2005 | Posts: 827
i just tried

!page $findfile($left($mircdir,3),*,0,.timer -io 1 0 echo -a $qt($1-))


it didn't echo anything on my script
