mIRC Homepage

Allow DCC reception with exploit blocking (ver. 2)

Posted By: Olathe

Allow DCC reception with exploit blocking (ver. 2) - 13/10/03 07:51 AM

You can allow DCC reception with exploit blocking by using /debug -i filterfunction, if you know what you're doing. You simply make the filterfunction ignore -du2 the person. Removes the need to ignore -wd *.

Example code is here.

Update: Code now just ignores exploits and lets mIRC operate normally. Thanks to TheJerk for the idea.
Posted By: Raccoon

Re: Allow DCC reception with exploit blocking - 13/10/03 08:58 AM

Not a bad idea, except that all files get dumped to $getdir/$me folder instead of a folder named after $nick.

I wrote a script for ops and opers to monitor mangled DCC packets via .debug -i _dccbug.null dccbugproc and might consider adding this to it. Or perhaps it's possble to .ignore -xu120 $nick in dccbugproc allowing mIRC to receive the DCC normally if it's safe.

* Raccoon ponders . . .
Posted By: Jerk

Re: Allow DCC reception with exploit blocking - 13/10/03 09:01 AM

You can just add the nick/address to your ignore exceptions. The debug alias gets done first.
Posted By: Olathe

Re: Allow DCC reception with exploit blocking - 13/10/03 09:31 AM

Thanks to the help of TheJerk, I now have a much better version of it (see link above). mIRC works exactly like normal. laugh
Posted By: Raccoon

Re: Allow DCC reception with exploit blocking - 13/10/03 09:38 AM

Yep, my version now works seamlessly.

I wont share it here because it contains other code not suitable for public distribution, but ponderings were correct.

on invalid DCC packets, /ignore -du120 %nick
on valid DCC packets, /ignore -xu120 %nick

This way it automatically ignores (incase you hadn't /ignore -dw * already), and it automatically excludes (incase you had). Now Chats and Files can be received effortlessly without risk. grin

- Raccoon

PS. Hey, I suggested it before TheJerk :tongue:... notice the -x flag in my ponderings. crazy
Posted By: Olathe

Re: Allow DCC reception with exploit blocking - 13/10/03 10:03 AM

Quote:
on valid DCC packets, /ignore -xu120 %nick


Just a small nitpick.

With the new version of my script, /ignore -wd * is no longer needed because no exploits can get through, so /ignore -xu120 wouldn't be needed to undo that.

Try it out without anyone DCC banned and you'll see (if you DCC ban exploiters in the debug filter function).
Posted By: Jerk

Re: Allow DCC reception with exploit blocking - 13/10/03 10:05 AM

psst, go look in the general forums :tongue:
Posted By: EkriirkE

Re: Allow DCC reception with exploit blocking (ver. 2) - 13/10/03 10:47 AM

It works blush Thanks
Posted By: Olathe

mIRC version requirement - 13/10/03 11:00 AM

Someone else had this problem also. In their case, they were using mIRC 6.03; the exploit protection requires 6.1 or better, due to debug -i support being added in 6.1.

I have a new version up that blocks DCC resume attacks.
Posted By: Magickian

Re: Allow DCC reception with exploit blocking (ver. 2) - 13/10/03 11:55 AM

For anyone wishing to see where the code goes awry, it has to do with how MIRC parses the different params for the DCC. Specifically, for MIRC 6.11 at offset
:00456690 83FE28 cmp esi, 00000028
After parsing 40 (28 hex) spaces, it will stop inserting nulls and then end up dying in function 4ede70 (and will ultimately die on 4edf60). Enlarging the 0x28 comparison will fix the problems. I have not really researched the 4ede70 function, as I had traced it back to the NULL insertion routine and decided that was the main culprit.

-- Edit --
Process patcher code that I tested on 6.11, should work for other vers cause I doubt the code has been changed. Also I had the original offset in here incorrect since I hastily wrote out my findings. Unless if you're interested in programming, I'd just stick with the scripts posted above.
HWND mircwnd=FindWindow("mIRC",NULL);
char magickbytes[9]="\x8b\xff\x83\xfe\x28\x7f\x17\x68";
char tempmem[0x10000];
HANDLE prochandle;
DWORD procid;
DWORD x,y;
if(mircwnd!=NULL) {
GetWindowThreadProcessId(mircwnd,&procid);
prochandle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,procid);
if(prochandle!=NULL) {
for(x=0x400000;x<0x540000;x+=0xfff6) {
if(ReadProcessMemory(prochandle,(void *)x,tempmem,0x10000,NULL)!=NULL) {
for(y=0;y<0xfff6;y++) {
if(!memcmp(tempmem+y,magickbytes,8)) {
printf("Magick bytes found at: %X",x+y);
WriteProcessMemory(prochandle,(void *)(x+y+4),"\x7e",1,NULL);
}
}
}
}
}
else printf("Unable to open MIRC process\n");
}
else printf("Unable to find MIRC window\n");
return 0;
Posted By: cold

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 12:04 PM

eh... what? confused crazy
Posted By: KingTomato

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 12:15 PM

I think it means its put you in a memory location that it shouldn't allow you in >:D
Posted By: lonesome

Re: mIRC version requirement - 13/10/03 01:49 PM

I'm using mIRC 6.03, so it does not have the /debug -i switch..
is there any other codes that can help workabout this exploit?
Posted By: Ashkrynt

Re: mIRC version requirement - 13/10/03 03:53 PM

You can ignore dccs completely... /ignore -wd *

then if you want to dcc with someone, to allow it /ignore -x theirnick
Posted By: ailin

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 06:10 PM

nice one. unfortunately blocks normal DCC Sends as well, quotation marks are used when sending files whose filename contains spaces.
Code:
*** DCC rejected: &lt;- :ai!~user@guide.me.through.eternity PRIVMSG ai :DCC SEND "Baracuda - Damn! [Short Cut].mp3" 2130706433 5432 3594240

I'm looking forward to your next version smile
Posted By: ItsMeBaby

Re: Allow DCC reception with exploit blocking (ver. 2) - 13/10/03 06:22 PM


Why don't you just use This?
Posted By: ailin

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 06:35 PM

that's exactly the one I'm talking about. try using Threaded view
Posted By: LLoydBates

strange - 13/10/03 07:12 PM

well, i downloaded the script just now ...
after loading it i wasn't able to get any DCC send ...
i thought this script filters the bad from the good DCCs confused

oh well .. after putting a nick on the exclusion list it works ...

(* FYI: yes, i loaded it correctly, no i didn't close the raw windows. i'm using 6.11, before loading i made cleared my ingnorelist /ignore -r *)
Posted By: argv0

Re: strange - 13/10/03 07:25 PM

To be honest with you guys i think that code is a bit..shall we say... overcomplicated. a REGEX match is not required here, it slows down the script for nothing.

My solution is a lot simpler, but feel free to criticize

Code:
on 1:CONNECT { write -c dccexploitcatch.log | debug -i dccexploitcatch.log dccexploitcatch }
alias dccexploitcatch { 
  if ((&lt;- :*!*@* PRIVMSG * :DCC * iswm $1) &amp;&amp; ($numtok($1-, 32) &gt;= 34)) {
    var %address = $gettok($gettok($1, 2, 32), 1, 58)
    var %nick = $gettok(%address, 1, 33)
    ignore -du5 %nick
    linesep -a 
    echo 4 -at * DCC Exploit attempt by %address
    linesep -a
  }
  return $1-
}
Posted By: skulldog

Re: Allow DCC reception with exploit blocking (ver. 2) - 13/10/03 08:01 PM

Could someone tell me how to load the script and/or how to make it work correctly? Cause I used /load -rs "exploit fix.mrc" on mIRC 6.11 and it loaded the RAW window for the server, then I saw the some text/code/whatever there, but after a while I got crashed like before loading the script... So... Am I doing something wrong, or are there more exploits?

P.S. I'm staying far away from EFNet, took me 40 secs to get "crashed" there...
Posted By: Olathe

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 08:26 PM

Please get the newest version (available at link above). It fixes a few new variants going around and has excess flood protection. It also removes false positives from early versions and allows legitimate DCC sends that happen to have spaces in them.
Posted By: PiTaGoRaS

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 10:06 PM

Since many of us are still using mIRC 6.03 for compatibility reasons... Is there any other solution than /ignore -wd? It'd be very useful smirk
Posted By: akab

Re: Allow DCC reception with exploit blocking (ver - 13/10/03 10:49 PM

If you do not wish to update to mIRC 6.12 and are using 6.0/6.01/6.02/6.03 please read http://www.deplish.com/mirc/

Posted By: twigboy

Re: strange - 14/10/03 01:36 AM

good work argv0
ur code rocks
Posted By: Skippy742

Re: Allow DCC reception with exploit blocking (ver - 14/10/03 06:07 AM

How do I undo igrone -wd?

I've just upgrade to version 6.22, so I want to reconvert back to how mIRC was orginally.
Posted By: landonsandor

Re: Allow DCC reception with exploit blocking (ver - 14/10/03 06:09 AM

a few ways if you DONT normally use the ignore list:

1) //ignore -wr | //ignore -r (will clean both server based ignores and global ignores)
2) ALT + B --> Control (tab) --> Ignore (dropdown list) --> CTRL + A --> Delete --> Hit OK

ALSO:

3) As above except you can choose any combination you want to delete in case you DO normally use the ignore list
© 2020 mIRC Discussion Forums