Allow DCC reception with exploit blocking (ver. 2) #54130 13/10/03 07:51 AM
Joined: Sep 2003
Posts: 38
Olathe Offline OP
Ameglian cow
You can allow DCC reception with exploit blocking by using /debug -i filterfunction, if you know what you're doing. You simply make the filterfunction ignore -du2 the person. Removes the need to ignore -wd *.

Example code is here.

Update: Code now just ignores exploits and lets mIRC operate normally. Thanks to TheJerk for the idea.

Last edited by Olathe; 13/10/03 09:38 AM.
Re: Allow DCC reception with exploit blocking #54131 13/10/03 08:58 AM
Joined: Feb 2003
Posts: 2,669
Raccoon Offline
Hoopy frood
Not a bad idea, except that all files get dumped to $getdir/$me folder instead of a folder named after $nick.

I wrote a script for ops and opers to monitor mangled DCC packets via .debug -i _dccbug.null dccbugproc and might consider adding this to it. Or perhaps it's possible to .ignore -xu120 $nick in dccbugproc allowing mIRC to receive the DCC normally if it's safe.

* Raccoon ponders . . .


Well. At least I won lunch.
Good philosophy, see good in bad, I like!
Re: Allow DCC reception with exploit blocking #54132 13/10/03 09:01 AM
Joined: Dec 2002
Posts: 169
Jerk Offline
Vogon poet
You can just add the nick/address to your ignore exceptions. The debug alias gets done first.

Re: Allow DCC reception with exploit blocking #54133 13/10/03 09:31 AM
Joined: Sep 2003
Posts: 38
Olathe Offline OP
Ameglian cow
Thanks to the help of TheJerk, I now have a much better version of it (see link above). mIRC works exactly like normal. :laugh:

Re: Allow DCC reception with exploit blocking #54134 13/10/03 09:38 AM
Joined: Feb 2003
Posts: 2,669
Raccoon Offline
Hoopy frood
Yep, my version now works seamlessly.

I won't share it here because it contains other code not suitable for public distribution, but ponderings were correct.

on invalid DCC packets, /ignore -du120 %nick
on valid DCC packets, /ignore -xu120 %nick

This way it automatically ignores (in case you hadn't /ignore -dw * already), and it automatically excludes (in case you had). Now Chats and Files can be received effortlessly without risk. :grin:

- Raccoon

PS. Hey, I suggested it before TheJerk :tongue:... notice the -x flag in my ponderings. :crazy:


Re: Allow DCC reception with exploit blocking #54135 13/10/03 10:03 AM
Joined: Sep 2003
Posts: 38
Olathe Offline OP
Ameglian cow
Quote:
on valid DCC packets, /ignore -xu120 %nick


Just a small nitpick.

With the new version of my script, /ignore -wd * is no longer needed because no exploits can get through, so /ignore -xu120 wouldn't be needed to undo that.

Try it out without anyone DCC banned and you'll see (if you DCC ban exploiters in the debug filter function).

Re: Allow DCC reception with exploit blocking #54136 13/10/03 10:05 AM
Joined: Dec 2002
Posts: 169
Jerk Offline
Vogon poet
psst, go look in the general forums :tongue:

Re: Allow DCC reception with exploit blocking (ver. 2) #54137 13/10/03 10:47 AM
Joined: Oct 2003
Posts: 1
EkriirkE Offline
Mostly harmless
It works :blush: Thanks

mIRC version requirement #54138 13/10/03 11:00 AM
Joined: Sep 2003
Posts: 38
Olathe Offline OP
Ameglian cow
Someone else had this problem also. In their case, they were using mIRC 6.03; the exploit protection requires 6.1 or better, due to debug -i support being added in 6.1.

I have a new version up that blocks DCC resume attacks.

Re: Allow DCC reception with exploit blocking (ver. 2) #54139 13/10/03 11:55 AM
Joined: Oct 2003
Posts: 1
Magickian Offline
Mostly harmless
For anyone wishing to see where the code goes awry, it has to do with how MIRC parses the different params for the DCC. Specifically, for MIRC 6.11 at offset
:00456690 83FE28 cmp esi, 00000028
After parsing 40 (28 hex) spaces, it will stop inserting nulls and then end up dying in function 4ede70 (and will ultimately die on 4edf60). Enlarging the 0x28 comparison will fix the problems. I have not really researched the 4ede70 function, as I had traced it back to the NULL insertion routine and decided that was the main culprit.

-- Edit --
Process patcher code that I tested on 6.11, should work for other versions 'cause I doubt the code has been changed. Also I had the original offset in here incorrect since I hastily wrote out my findings. Unless you're interested in programming, I'd just stick with the scripts posted above.
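Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(void) {
    /* Locate the running mIRC main window by its window class name */
    HWND mircwnd = FindWindowA("mIRC", NULL);
    /* Byte pattern around the "cmp esi, 28h" instruction (83 FE 28) */
    char magickbytes[9] = "\x8b\xff\x83\xfe\x28\x7f\x17\x68";
    static char tempmem[0x10000];
    HANDLE prochandle;
    DWORD procid;
    DWORD x, y;
    if (mircwnd != NULL) {
        GetWindowThreadProcessId(mircwnd, &procid);
        prochandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procid);
        if (prochandle != NULL) {
            /* Scan the image in 64 KB reads; stepping by 0xfff6 overlaps the
               reads so a match straddling a boundary is not missed */
            for (x = 0x400000; x < 0x540000; x += 0xfff6) {
                if (ReadProcessMemory(prochandle, (LPCVOID)(ULONG_PTR)x, tempmem, 0x10000, NULL)) {
                    for (y = 0; y < 0xfff6; y++) {
                        if (!memcmp(tempmem + y, magickbytes, 8)) {
                            printf("Magick bytes found at: %lX\n", (unsigned long)(x + y));
                            /* Overwrite the 0x28 immediate (pattern offset 4) with 0x7e */
                            WriteProcessMemory(prochandle, (LPVOID)(ULONG_PTR)(x + y + 4), "\x7e", 1, NULL);
                        }
                    }
                }
            }
            CloseHandle(prochandle);
        }
        else printf("Unable to open MIRC process\n");
    }
    else printf("Unable to find MIRC window\n");
    return 0;
}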

Last edited by Magickian; 13/10/03 12:29 PM.
Re: Allow DCC reception with exploit blocking (ver #54140 13/10/03 12:04 PM
Joined: Feb 2003
Posts: 810
cold Offline
Hoopy frood
eh... what? :confused: :crazy:


* cold edits his posts 24/7
Re: Allow DCC reception with exploit blocking (ver #54141 13/10/03 12:15 PM
Joined: Jan 2003
Posts: 3,012
KingTomato Offline
Hoopy frood
I think it means it's put you in a memory location that it shouldn't allow you in >:D


-KingTomato
Re: mIRC version requirement #54142 13/10/03 01:49 PM
Joined: Dec 2002
Posts: 62
lonesome Offline
Babel fish
I'm using mIRC 6.03, so it does not have the /debug -i switch..
are there any other codes that can help work around this exploit?

Re: mIRC version requirement #54143 13/10/03 03:53 PM
Joined: May 2003
Posts: 161
Ashkrynt Offline
Vogon poet
You can ignore dccs completely... /ignore -wd *

then if you want to dcc with someone, to allow it /ignore -x theirnick

Last edited by Ashkrynt; 13/10/03 03:53 PM.
Re: Allow DCC reception with exploit blocking (ver #54144 13/10/03 06:10 PM
Joined: Aug 2003
Posts: 7
ailin Offline
Nutrimatic drinks dispenser
nice one. unfortunately blocks normal DCC Sends as well, quotation marks are used when sending files whose filename contains spaces.
Code:
*** DCC rejected: <- :ai!~user@guide.me.through.eternity PRIVMSG ai :DCC SEND "Baracuda - Damn! [Short Cut].mp3" 2130706433 5432 3594240

I'm looking forward to your next version :smile:

Re: Allow DCC reception with exploit blocking (ver. 2) #54145 13/10/03 06:22 PM
Joined: Oct 2003
Posts: 1
ItsMeBaby Offline
Mostly harmless

Why don't you just use This?

Re: Allow DCC reception with exploit blocking (ver #54146 13/10/03 06:35 PM
Joined: Aug 2003
Posts: 7
ailin Offline
Nutrimatic drinks dispenser
that's exactly the one I'm talking about. try using Threaded view

strange #54147 13/10/03 07:12 PM
Joined: Oct 2003
Posts: 1
LLoydBates Offline
Mostly harmless
well, i downloaded the script just now ...
after loading it i wasn't able to get any DCC send ...
i thought this script filters the bad from the good DCCs :confused:

oh well .. after putting a nick on the exclusion list it works ...

(* FYI: yes, i loaded it correctly, no i didn't close the raw windows. i'm using 6.11, before loading i cleared my ignore list /ignore -r *)

Re: strange #54148 13/10/03 07:25 PM
Joined: Oct 2003
Posts: 3,918
argv0 Offline
Hoopy frood
To be honest with you guys i think that code is a bit..shall we say... overcomplicated. a REGEX match is not required here, it slows down the script for nothing.

My solution is a lot simpler, but feel free to criticize

Code:
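; Start a fresh log on connect and route every debug line through the filter alias
on 1:CONNECT { write -c dccexploitcatch.log | debug -i dccexploitcatch.log dccexploitcatch }
alias dccexploitcatch { 
  ; Incoming DCC request whose line has 34 or more space-separated tokens
  if ((<- :*!*@* PRIVMSG * :DCC * iswm $1) && ($numtok($1-, 32) >= 34)) {
    ; Sender's full address, with the leading colon stripped
    var %address = $gettok($gettok($1, 2, 32), 1, 58)
    var %nick = $gettok(%address, 1, 33)
    ; DCC-ignore the sender for 5 seconds
    ignore -du5 %nick
    linesep -a 
    echo 4 -at * DCC Exploit attempt by %address
    linesep -a
  }
  return $1-
}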


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
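Added example, not code from any poster in this thread: the filter logic discussed above in Python, applying argv0's token-count rule while still accepting the quoted filename from ailin's log. The names `check_dcc` and `TOKEN_LIMIT`, and the strict `SEND` grammar (a quoted filename or a single unquoted token, followed by three numeric fields), are assumptions of this example.

```python
import re

# Threshold from argv0's script in this thread: 34 or more space-separated tokens.
TOKEN_LIMIT = 34

# Incoming PRIVMSG carrying a DCC request, as it appears in /debug output.
# The CTCP delimiter (\x01) is optional because pasted logs usually lose it.
DCC_LINE = re.compile(
    r'^<- :(?P<nick>[^!\s]+)!\S+@\S+ PRIVMSG \S+ :\x01?DCC (?P<args>.*?)\x01?$'
)
# Assumed grammar: SEND <filename> <ip> <port> <size>; the filename is either
# quoted (may contain spaces) or one token without spaces or quotes.
SEND_ARGS = re.compile(
    r'^SEND (?:"[^"]+"|[^\s"]+) (?P<ip>\d+) (?P<port>\d+) (?P<size>\d+)$'
)

def check_dcc(line):
    """Return (verdict, nick, reason); verdict is 'pass', 'accept' or 'reject'."""
    m = DCC_LINE.match(line)
    if not m:
        return ("pass", None, "not an incoming DCC request")
    nick, args = m.group("nick"), m.group("args")
    # Same count as $numtok($1-, 32): empty tokens are ignored.
    if len([t for t in line.split(" ") if t]) >= TOKEN_LIMIT:
        return ("reject", nick, "token count at or above limit")
    if args.startswith("SEND"):
        s = SEND_ARGS.match(args)
        if not s:
            return ("reject", nick, "malformed SEND arguments")
        if int(s.group("port")) > 65535:
            return ("reject", nick, "port out of range")
    return ("accept", nick, "ok")

if __name__ == "__main__":
    # First line is from ailin's post; the second is constructed for this example.
    samples = [
        '<- :ai!~user@guide.me.through.eternity PRIVMSG ai :DCC SEND '
        '"Baracuda - Damn! [Short Cut].mp3" 2130706433 5432 3594240',
        '<- :bad!u@h PRIVMSG me :DCC SEND ' + ' '.join(['a'] * 40),
    ]
    for s in samples:
        print(check_dcc(s))
```

A `reject` verdict corresponds to the point where the scripts in this thread run `/ignore -du` on the sender; `accept` and `pass` lines are returned unchanged.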
Re: Allow DCC reception with exploit blocking (ver. 2) #54149 13/10/03 08:01 PM
Joined: Oct 2003
Posts: 6
skulldog Offline
Nutrimatic drinks dispenser
Could someone tell me how to load the script and/or how to make it work correctly? Cause I used /load -rs "exploit fix.mrc" on mIRC 6.11 and it loaded the RAW window for the server, then I saw some text/code/whatever there, but after a while I got crashed like before loading the script... So... Am I doing something wrong, or are there more exploits?

P.S. I'm staying far away from EFNet, took me 40 secs to get "crashed" there...
