Olathe (OP) | Ameglian cow | Joined: Sep 2003 | Posts: 38
You can allow DCC reception with exploit blocking by using /debug -i filterfunction, if you know what you're doing. You simply make the filterfunction ignore -du2 the person. Removes the need to ignore -wd *.

Example code is here.

Update: Code now just ignores exploits and lets mIRC operate normally. Thanks to TheJerk for the idea.

Last edited by Olathe; 13/10/03 09:38 AM.
Hoopy frood | Joined: Feb 2003 | Posts: 2,812
Not a bad idea, except that all files get dumped to $getdir/$me folder instead of a folder named after $nick.

I wrote a script for ops and opers to monitor mangled DCC packets via .debug -i _dccbug.null dccbugproc and might consider adding this to it. Or perhaps it's possible to .ignore -xu120 $nick in dccbugproc allowing mIRC to receive the DCC normally if it's safe.

* Raccoon ponders . . .


Well. At least I won lunch.
Good philosophy, see good in bad, I like!
Vogon poet | Joined: Dec 2002 | Posts: 169
You can just add the nick/address to your ignore exceptions. The debug alias gets done first.

Olathe (OP) | Ameglian cow | Joined: Sep 2003 | Posts: 38
Thanks to the help of TheJerk, I now have a much better version of it (see link above). mIRC works exactly like normal.

Hoopy frood | Joined: Feb 2003 | Posts: 2,812
Yep, my version now works seamlessly.

I won't share it here because it contains other code not suitable for public distribution, but my ponderings were correct.

on invalid DCC packets, /ignore -du120 %nick
on valid DCC packets, /ignore -xu120 %nick

This way it automatically ignores (in case you hadn't /ignore -dw * already), and it automatically excludes (in case you had). Now Chats and Files can be received effortlessly without risk.

- Raccoon

PS. Hey, I suggested it before TheJerk :tongue:... notice the -x flag in my ponderings. crazy


Well. At least I won lunch.
Good philosophy, see good in bad, I like!
Olathe (OP) | Ameglian cow | Joined: Sep 2003 | Posts: 38
Quote:
on valid DCC packets, /ignore -xu120 %nick


Just a small nitpick.

With the new version of my script, /ignore -wd * is no longer needed because no exploits can get through, so /ignore -xu120 wouldn't be needed to undo that.

Try it out without anyone DCC banned and you'll see (if you DCC ban exploiters in the debug filter function).

Vogon poet | Joined: Dec 2002 | Posts: 169
psst, go look in the general forums :tongue:

Mostly harmless | Joined: Oct 2003 | Posts: 1
It works. Thanks

#54138 13/10/03 11:00 AM
Olathe (OP) | Ameglian cow | Joined: Sep 2003 | Posts: 38
Someone else had this problem also. In their case, they were using mIRC 6.03; the exploit protection requires 6.1 or better, due to debug -i support being added in 6.1.

I have a new version up that blocks DCC resume attacks.

Mostly harmless | Joined: Oct 2003 | Posts: 1
For anyone wishing to see where the code goes awry, it has to do with how MIRC parses the different params for the DCC. Specifically, for MIRC 6.11 at offset
:00456690 83FE28 cmp esi, 00000028
After parsing 40 (28 hex) spaces, it will stop inserting nulls and then end up dying in function 4ede70 (and will ultimately die on 4edf60). Enlarging the 0x28 comparison will fix the problems. I have not really researched the 4ede70 function, as I had traced it back to the NULL insertion routine and decided that was the main culprit.

-- Edit --
Process patcher code that I tested on 6.11; it should work for other versions because I doubt the code has been changed. Also, I had the original offset in here incorrect since I hastily wrote out my findings. Unless you're interested in programming, I'd just stick with the scripts posted above.
#include <windows.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
    HWND mircwnd = FindWindow("mIRC", NULL);
    /* bytes around the "cmp esi, 28h" check that caps the DCC parameter count at 40 */
    char magickbytes[9] = "\x8b\xff\x83\xfe\x28\x7f\x17\x68";
    static char tempmem[0x10000];  /* 64 KB read buffer, static to keep it off the stack */
    HANDLE prochandle;
    DWORD procid;
    DWORD x, y;

    if (mircwnd != NULL) {
        GetWindowThreadProcessId(mircwnd, &procid);
        prochandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procid);
        if (prochandle != NULL) {
            /* scan the image range in overlapping 64 KB chunks so a match on a chunk boundary is not missed */
            for (x = 0x400000; x < 0x540000; x += 0xfff6) {
                if (ReadProcessMemory(prochandle, (void *)x, tempmem, 0x10000, NULL)) {
                    for (y = 0; y < 0xfff6; y++) {
                        if (!memcmp(tempmem + y, magickbytes, 8)) {
                            printf("Magick bytes found at: %X\n", x + y);
                            /* byte at offset 4 is the 0x28 immediate; raise it to 0x7e so the null insertion keeps going */
                            WriteProcessMemory(prochandle, (void *)(x + y + 4), "\x7e", 1, NULL);
                        }
                    }
                }
            }
            CloseHandle(prochandle);
        }
        else printf("Unable to open MIRC process\n");
    }
    else printf("Unable to find MIRC window\n");
    return 0;
}

Last edited by Magickian; 13/10/03 12:29 PM.
Hoopy frood | Joined: Feb 2003 | Posts: 810
eh... what?


* cold edits his posts 24/7
Hoopy frood | Joined: Jan 2003 | Posts: 3,012
I think it means it's put you in a memory location that it shouldn't allow you in >:D


-KingTomato
#54142 13/10/03 01:49 PM
Babel fish | Joined: Dec 2002 | Posts: 62
I'm using mIRC 6.03, so it does not have the /debug -i switch..
Are there any other codes that can help work around this exploit?

#54143 13/10/03 03:53 PM
Vogon poet | Joined: May 2003 | Posts: 161
You can ignore dccs completely... /ignore -wd *

then if you want to dcc with someone, to allow it /ignore -x theirnick

Last edited by Ashkrynt; 13/10/03 03:53 PM.
Nutrimatic drinks dispenser | Joined: Aug 2003 | Posts: 7
Nice one. Unfortunately it blocks normal DCC Sends as well; quotation marks are used when sending files whose filename contains spaces.
Code:
*** DCC rejected: <- :ai!~user@guide.me.through.eternity PRIVMSG ai :DCC SEND "Baracuda - Damn! [Short Cut].mp3" 2130706433 5432 3594240

I'm looking forward to your next version.

Mostly harmless | Joined: Oct 2003 | Posts: 1

Why don't you just use This?

Nutrimatic drinks dispenser | Joined: Aug 2003 | Posts: 7
That's exactly the one I'm talking about. Try using Threaded view.

#54147 13/10/03 07:12 PM
Mostly harmless | Joined: Oct 2003 | Posts: 1
Well, I downloaded the script just now ...
After loading it I wasn't able to get any DCC send ...
I thought this script filters the bad from the good DCCs.

Oh well .. after putting a nick on the exclusion list it works ...

(* FYI: yes, I loaded it correctly, no I didn't close the raw windows. I'm using 6.11; before loading I cleared my ignore list with /ignore -r *)

#54148 13/10/03 07:25 PM
Hoopy frood | Joined: Oct 2003 | Posts: 3,918
To be honest with you guys, I think that code is a bit... shall we say... overcomplicated. A REGEX match is not required here; it slows down the script for nothing.

My solution is a lot simpler, but feel free to criticize

Code:
on 1:CONNECT { write -c dccexploitcatch.log | debug -i dccexploitcatch.log dccexploitcatch }
alias dccexploitcatch {
  if ((<- :*!*@* PRIVMSG * :DCC * iswm $1) && ($numtok($1-, 32) >= 34)) {
    var %address = $gettok($gettok($1, 2, 32), 1, 58)
    var %nick = $gettok(%address, 1, 33)
    ignore -du5 %nick
    linesep -a
    echo 4 -at * DCC Exploit attempt by %address
    linesep -a
  }
  return $1-
}


- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
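Raccoon's ignore/exception flow and argv[0]'s token-count test, combined in an added Python example that is not code from the thread: it classifies constructed "/debug -i" lines and returns the mIRC ignore command a filter alias would issue, leaving the quoted-filename case from earlier in the thread alone. The sample lines, the function names and the constants are assumptions; the 34-token threshold is the one argv[0]'s script uses.

```python
import re

# Raw inbound DCC request as "/debug -i" shows it: "<- :nick!user@host PRIVMSG target :DCC SEND ..."
DCC_REQUEST = re.compile(r'^<- :(?P<nick>[^!\s]+)!\S+@\S+ PRIVMSG \S+ :DCC \S+')

# Same test argv[0]'s script applies: 34 or more space-separated tokens on the whole line.
# Magickian's post puts the underlying limit at 40 (0x28) parameters in the mIRC 6.11 parser.
MAX_TOKENS = 34
IGNORE_SECONDS = 120  # the -du120 / -xu120 timeouts from Raccoon's post (assumed as a constant)


def filter_debug_line(line):
    """Classify one raw debug line and return (verdict, nick, mirc_command).

    verdict is 'pass' for non-DCC traffic (nothing to do), 'valid' for a
    well-formed DCC request and 'exploit' for one with too many parameters.
    """
    m = DCC_REQUEST.match(line)
    if not m:
        return ('pass', None, None)
    nick = m.group('nick')
    # str.split() collapses runs of spaces, as $numtok(..., 32) does in mIRC.
    if len(line.split()) >= MAX_TOKENS:
        # Malformed request: timed ignore so the client never parses it.
        return ('exploit', nick, 'ignore -du%d %s' % (IGNORE_SECONDS, nick))
    # Well-formed request: timed exception so the DCC still arrives even with "/ignore -wd *" set.
    return ('valid', nick, 'ignore -xu%d %s' % (IGNORE_SECONDS, nick))


# Constructed sample lines (not captured from a real session). The first is the
# quoted-filename case from the thread, which the token count leaves alone.
SAMPLE_LINES = [
    '<- :ai!~user@guide.me.through.eternity PRIVMSG ai :DCC SEND "Baracuda - Damn! [Short Cut].mp3" 2130706433 5432 3594240',
    '<- :bob!~b@example.invalid PRIVMSG ai :DCC CHAT chat 2130706433 1234',
    '<- :evil!~x@attacker.invalid PRIVMSG ai :DCC RESUME file.bin 5432 ' + '0 ' * 40,
    '<- :alice!~a@example.invalid PRIVMSG #chan :hello world',
]


def run_filter(lines):
    """Apply the filter to every line and return the list of results."""
    return [filter_debug_line(line) for line in lines]


if __name__ == '__main__':
    for verdict, nick, cmd in run_filter(SAMPLE_LINES):
        print(verdict, nick, cmd)
```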
Nutrimatic drinks dispenser | Joined: Oct 2003 | Posts: 6
Could someone tell me how to load the script and/or how to make it work correctly? Because I used /load -rs "exploit fix.mrc" on mIRC 6.11 and it loaded the RAW window for the server, then I saw some text/code/whatever there, but after a while I got crashed like before loading the script... So... Am I doing something wrong, or are there more exploits?

P.S. I'm staying far away from EFNet, took me 40 secs to get "crashed" there...
