<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-gb">
	<link rel="self" type="application/atom+xml" href="https://forum.eggheads.org/app.php/feed/topic/15133" />

	<title>egghelp/eggheads community</title>
	<subtitle>Discussion of eggdrop bots, shell accounts and tcl scripts.</subtitle>
	<link href="https://forum.eggheads.org/index.php" />
	<updated>2007-12-17T18:42:38-04:00</updated>

	<author><name><![CDATA[egghelp/eggheads community]]></name></author>
	<id>https://forum.eggheads.org/app.php/feed/topic/15133</id>

		<entry>
		<author><name><![CDATA[nml375]]></name></author>
		<updated>2007-12-17T18:42:38-04:00</updated>

		<published>2007-12-17T18:42:38-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79403#p79403</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79403#p79403"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79403#p79403"><![CDATA[
Not quite the case. Any user input should be considered untrusted, and thus not be allowed to be evaluated as tcl-code. That said, there is really nothing wrong in treating it as a string (which it is, regardless of what characters may be inside). Situations where there is a risk of compromise are when this string is permitted to be evaluated as tcl-code, either directly (eval $unsafe_var or [$unsafe_var]), or indirectly (utimer 10 "kickuser $badvar").<br><br>A separate case is lists. This is where you use split. You use it to convert a string into a list, nothing else. Period. You should never trust an external source to provide you with a proper list-structure, but always assume it's a string.<br><br>It all comes down to keeping track of your tcl-interpreter, and knowing what is preprocessed and when, and what will be passed to the interpreter after the preprocessing. A part of this involves understanding how the tcl-interpreter will concatenate lists into commandlines (which is why we do "utimer 10 [list ...]").<br><br><br>All in all, considering user input as unsafe is good, but you should also think of when, how, and why it may cause exploitable code.<br><br>As for this script, there is no way the contents of anything written by a user may be further preprocessed, hence [die] is not a problem. Furthermore, there are no commands expecting lists where user-input is provided, hence {nick is not a problem.<br>The closest thing you get to exploit is the gban command, that has a weak test for whether the user tries to gban the bot.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=8052">nml375</a> — Mon Dec 17, 2007 6:42 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[rosc2112]]></name></author>
		<updated>2007-12-17T15:19:58-04:00</updated>

		<published>2007-12-17T15:19:58-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79396#p79396</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79396#p79396"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79396#p79396"><![CDATA[
My understanding is that ANY unchecked input is inherently unsafe, and feeding it any tcl special chars will at the very least cause the script to throw an error.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=7395">rosc2112</a> — Mon Dec 17, 2007 3:19 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[nml375]]></name></author>
		<updated>2007-12-17T10:04:14-04:00</updated>

		<published>2007-12-17T10:04:14-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79392#p79392</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79392#p79392"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79392#p79392"><![CDATA[
@rosc:<br>Why use split? There isn't a single list-command within the script...<br>As for checking "bad input", I can't see anything that would cause "odd" behaviour, or anything making it sensitive to "special characters"?<br>Public commands are "unsafe", as they allow anyone in the channel to see what you write (hence making it difficult to authenticate the user by means of password or such), but I must say your criticism regarding split, unsafe for [], etc. is unjustified.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=8052">nml375</a> — Mon Dec 17, 2007 10:04 am</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[rosc2112]]></name></author>
		<updated>2007-12-16T23:01:59-04:00</updated>

		<published>2007-12-16T23:01:59-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79384#p79384</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79384#p79384"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79384#p79384"><![CDATA[
Besides the fact it duplicates built in commands and therefore is a waste of resources and probably gives way too much power to people?  And doesn't do anything to protect from bad input (doesn't even split input, so go feed it some tcl special chars and watch it blow up <img class="smilies" src="https://forum.eggheads.org/images/smilies/icon_smile.gif" width="15" height="15" alt=":)" title="Smile"><p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=7395">rosc2112</a> — Sun Dec 16, 2007 11:01 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[starpossen]]></name></author>
		<updated>2007-12-16T22:13:55-04:00</updated>

		<published>2007-12-16T22:13:55-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79382#p79382</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79382#p79382"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79382#p79382"><![CDATA[
Thanks for your reply, and yes when a user is added the bot messages the channel, that's pretty annoying.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=7219">starpossen</a> — Sun Dec 16, 2007 10:13 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[nml375]]></name></author>
		<updated>2007-12-16T19:50:22-04:00</updated>

		<published>2007-12-16T19:50:22-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79376#p79376</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79376#p79376"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79376#p79376"><![CDATA[
The only problem I can see, is that the script solely relies on flag permissions. It does not challenge the user to prove his identity ("logon", submit passwd, or such). Main impact of that, is you'll have to be very careful setting up users hostmasks.<br><br>Other worth noting, I personally think this script uses too highly prioritized queues for a lot of its operations. Informative messages really shouldn't use anything but puthelp in pretty much all cases. The security-impact of this does not go beyond that using the !list command might delay important actions such as kicking flooders, etc.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=8052">nml375</a> — Sun Dec 16, 2007 7:50 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[starpossen]]></name></author>
		<updated>2007-12-16T22:10:34-04:00</updated>

		<published>2007-12-16T16:50:15-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=79370#p79370</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=79370#p79370"/>
		<title type="html"><![CDATA[Op Commands By xTc^bLiTz]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=79370#p79370"><![CDATA[
I found this script, and it works nicely, however, I was wondering if anyone could take a look at it, and see if there are any "abusive" risk in it, since it's from 2005 which is not totally new, also, if it's not too much to ask, how would I add a !addvoice command.<br><br>I really hope I haven't asked too much, and too stupid.<br><br>script:<div class="codebox"><p>Code: </p><pre><code># Op Commands By xTc^bLiTz
# Gonna Ask You Not To Rip This, But Since Half Of You Probably Are Not To
# Much I Can Do About It.  Just Remember That Ripping This For Yourself
# Takes Away From The Statisfaction Of Making Something Like This Yourself.
# Also If I Find People Ripping My Work, I Will No Longer Post Other
# Scripts, And You Will Have To Start Making Everything For Yourself
# Give Credit Where Credit Is Due.

# This Script Contains A Bunch Of Commands To Be Used By Op/Master Flagged
# Users To Better Control The Channel And Other Users.  You Can Use
# !commands In The Channel To List All Available Commands

# NOTE:  Not All Commands Listed When You Use !commands Are Available From
# This Script, You May Have To Edit The Commands List At The Bottom Of This
# Script, There Is Notation There On How To Edit It.

# This Script Was Not Written Originally For Distribution, But By Popular
# Demand/Request I Have Released It On www.egghelp.org, So Forgive Me If
# It's Not Laid Out Entirely User Friendly-Like

# Set Up Instructions.
# Copy opcmds.tcl To Your eggdrop/scripts Directory, Then Edit Your
# eggdrop.conf File And Add source scripts/opcmds.tcl To The Bottom In Your
# Source Section

# Command Bindings
bind pub n|n !die proc_die
bind pub n|n !restart proc_restart
bind pub m|m !addop proc_addop
bind pub m|m !delop proc_delop
bind pub m|m !deluser proc_deluser
bind pub m|m !adduser proc_adduser
bind pub m|m !jump proc_jump
bind pub m|m !gban proc_gban
bind pub o|o !lc proc_lc
bind pub o|o !uc proc_uc
bind pub o|o !ban proc_ban
bind pub o|o !unban proc_unban
bind pub o|o !whois proc_whois
bind pub o|o !opme proc_opme
bind pub o|o !op proc_op
bind pub o|o !deop proc_deop
bind pub o|o !deopme proc_deopme
bind pub o|o !kick proc_kick
bind pub o|o !voice proc_voice
bind pub o|o !devoice proc_devoice
bind pub o|o !server proc_server
bind pub -|- !commands proc_commands

# Processes
# Process lc
proc proc_lc { nick uhost hand chan args } {
  putquick "PRIVMSG $chan :Locking Channel"
  putquick "MODE $chan +im"
}
proc proc_uc { nick uhost hand chan args } {
  putquick "PRIVMSG $chan :UnLocking Channel"
  putquick "MODE $chan -im"
}

# Process die
proc proc_die { nick uhost hand chan text } {
  if {$text == ""} {
    die $nick
  } else { die $text }
}

# Process Restart
proc proc_restart { nick uhost hand chan text } {
  putquick "PRIVMSG $chan :Restart Requested By \002$nick\002. Restarting BRB... (hopefully..)"
  restart
}

# Op Process
proc proc_op { nick uhost hand chan text } {
  putserv "MODE $chan +o $text"
}

# DeOp Process
proc proc_deop { nick uhost hand chan text } {
  global botnick
  if {$text == $botnick} {
    putserv "MSG $chan :umm.. no"
    return 0
  }
  putserv "MODE $chan -o $text"
}

# Process Global Ban
proc proc_gban { nick uhost hand chan text } {
  global botnick
#  if {@ isin $text} {
#    +ban $text Auto-Kicked
#    stick ban $text
#    return 0
#  }
  if {[onchan $text]} {
    if {$text == $botnick} { return 0 }
    set banmask [getchanhost $text $chan]
    newchanban $chan $banmask $nick Auto-Kicked 0 sticky
    putkick $chan $text Auto-Kicked
    putlog "\002$nick\002 Globally Banned \002$text\($banmask\)\002"
  } else { putserv "PRIVMSG $chan :$text Not In Channel." }
}

# Proces Jump
proc proc_jump { nick uhost hand chan text } {
  jump $text
}

# Process Server
proc proc_server { nick uhost hand chan text } {
  global serveraddress
  putserv "PRIVMSG $chan :I Am Current Connected To \002$serveraddress\002"
}

# Addop Process
proc proc_addop { nick uhost hand chan text } {
  set addopnick [nick2hand $text]
  if {[validuser $addopnick]} {
    chattr $addopnick +o
    putserv "PRIVMSG $chan :$text Has Been Giving Auto-Op Access"
    putlog "$nick added $addopnick to Auto-Op"
    putquick "MODE $chan +o $text"
    putserv "NOTICE $text :You Have Been Givin Auto-Op Access For Channel: \002$chan\002 use \002!commands\002 To List New Channel Commands Available To You"
  } else { putserv "PRIVMSG $chan :$text Not Found In User Database, Use !whois &lt;nickname&gt;" }
  unset addopnick
}

# Delop Process
proc proc_delop { nick uhost hand chan text } {
  set delopnick [nick2hand $text]
  if {[validuser $delopnick]} {
    chattr $delopnick  -o
    putserv "PRIVMSG $chan :$text Removed From Auto-Op Access"
    putlog "$nick removed $delopnick from Auto-Op"
    putquick "MODE $chan -o $text"
  } else { putserv "PRIVMSG $chan :$text Not Found In User Database, Use !whois &lt;nickname&gt;" }
  unset delopnick
}

# Ban Process
proc proc_ban { nick uhost hand chan text } {
  global botnick
  if {[onchan $text]} {
    if {$text == $botnick} { return 0 }
    set banmask [getchanhost $text $chan]
    putquick "MODE $chan +b $banmask"
    putkick $chan $text :Requested
  } else { putserv "PRIVMSG $chan :$text Is Not In The Channel" }
}

# Unban Process
proc proc_unban { nick uhost hand chan text } {
  if {[ischanban $text $chan]} {
    pushmode $chan -b $text
  } else { putserv "PRIVMSG $chan :$text Is Not In The Ban List" }
}
proc proc_whois { nick uhost hand chan text } {
  set whoisnick [nick2hand $text]
  if {$whoisnick == ""} {
    putserv "PRIVMSG $chan :\002$text\002 Not Currently In Channel: \002$chan\002"
  } elseif {$whoisnick == "*"} {
    putserv "PRIVMSG $chan :\002$text\002 Not Found In User Database, Use \002!adduser $text\002"
  } else { putserv "PRIVMSG $chan :I Recognize \002$text\002 As \002$whoisnick\002" }
}

# Process Opme
proc proc_opme { nick uhost hand chan text } {
  putquick "MODE $chan +o $nick"
}

# Process Deopme
proc proc_deopme { nick uhost hand chan text } {
  putquick "MODE $chan -o $nick"
  putquick "MODE $chan +v $nick"
}

# Process AddUser
proc proc_adduser { nick uhost hand chan text } {
  set addusernick [nick2hand $text]
  if {[validuser $addusernick]} {
    putserv "PRIVMSG $chan :\002$text\002 Is Already In User Database As \002$addusernick\002"
  } else  {
    unset addusernick
    set addusermask [maskhost $text![getchanhost $text $chan]]
    adduser $text $addusermask
    set addusernick [nick2hand $text]
    putlog "\002$nick\002 Added \002$addusernick\($text\)\002 To User Database"
    putserv "PRIVMSG $chan :\002$text\002 Added To User Database As \002$addusernick\002"
    unset addusermask
    unset addusernick
  }
}

# Process DelUser
proc proc_deluser { nick uhost hand chan text } {
  set delusernick [nick2hand $text]
  if {[validuser $delusernick]} {
    deluser $delusernick
    putserv "PRIVMSG $chan :\002$text \($delusernick\)\002 Has Been Removed From User Database"
    putlog "$nick Removed $delusernick From user Database"
  } else { putserv "PRIVMSG $chan :\002$text\002 Not Found In User Database, Use !whois &lt;nickname&gt;" }
}

# Process Kick
proc proc_kick { nick uhost hand chan text } {
  if {[onchan $text]} {
    putquick "KICK $chan $text :Requested"
  } else { putserv "PRIVMSG $chan :\002$text\002 Not In Channel: \002$chan\002" }
}

# Voice Process
proc proc_voice { nick uhost hand chan text } {
  if {[onchan $text]} {
    set voicenick [nick2hand $text]
    if {[validuser $voicenick]} {
      chattr $voicenick +v
      putquick "MODE $chan +v $text"
      putserv "PRIVMSG $chan :\002$text\002 Added To Auto-Voice List"
      putlog "$nick Added $voicenick To Auto-Voice List"
    } else {
      putquick "MODE $chan +v $text"
    }
  } else { putserv "PRIVMSG $chan :\002$text\002 Not Found In Channel: \002$chan\002"  }
}

# DeVoice Process
proc proc_devoice { nick uhost hand chan text } {
  if {[onchan $text]} {
    set devoicenick [nick2hand $text]
    if {[validuser $devoicenick]} {
      chattr $devoicenick -v
      putquick "MODE $chan -v $text"
      putserv "PRIVMSG $chan :\002$text\002 Removed From Auto-Voice List"
      putlog "$nick Removed $devoicenick From Auto-Voice List"
    } else {
      putquick "MODE $chan -v $text"
    }
  } else { putserv "PRIVMSG $chan :\002$text\002 Not Found In Channel: \002$chan\002" }
}

# Commands Process
proc proc_commands { nick uhost hand chan text } {
  if {[matchattr $hand m|m $chan]} {
    putserv "NOTICE $nick :You Are Currently Bot Master, And Have Access To The Following Commands"
    proc_listcommands $nick $uhost $hand $chan
    return 0
  } elseif {[matchattr $hand o|o $chan]} {
    putserv "NOTICE $nick :You Are Currently Auto-Op, And Have Access To The Following Commands"
    proc_listcommands $nick $uhost $hand $chan
    return 0
  } else {
    putserv "NOTICE $nick :You Are A Basic User, And Have Access To Teh Following Commands"
    proc_listcommands $nick $uhost $hand $chan
    return 0
  }
}

# List Commands Process - This Process Is Where You Can Enter The Commands
# For The !commands List, Just Follow The Format That Is Listed Below, Also
# If You Have Commands Listing That You Do Not Have Available On Your Bot,
# Then You Can Remove The Line For That Command.  Feel Free To Add Any
# Commands You Have Listed For Your Bot In Here. The Command List Is Broken
# Down According To Flags In This Order
# Basic - People No Op/Master Flags
# Auto-Op - People Who Have Op Flag. I Used The Default o Flag, You Will
#  Have To Edit The Flags In Both This Process And The Above Process If You
#  Use A Different Flag.
# Master - People Who Have Master Flag. Again I Used Default m Flag.
proc proc_listcommands { nick uhost hand chan } {
  global botnick
  putserv "NOTICE $nick :\002Basic User\002 Commands"
  putserv "NOTICE $nick :!seen &lt;nickname&gt; - See When The Last Time &lt;nickname&gt; Was Online"
  putserv "NOTICE $nick :!seennick &lt;nickname&gt; - Search For A Specific Nickname"
  putserv "NOTICE $nick :!google &lt;search keyword\(s\)&gt; - Search Google And Return Top Result"
  putserv "NOTICE $nick :!statsite - Get The Link To The $chan Stats Site"
  putserv "NOTICE $nick :!vibrate - Gets The Bot Vibrating For You"
  putserv "NOTICE $nick :!unf &lt;nickname&gt; - Give Someone A Good Unfin"
  putserv "NOTICE $nick :!slap &lt;nickname&gt; - Slap Someone Around A Bit, DO NOT Abuse This Or You Will Be Banned"
  putserv "NOTICE $nick :!spork &lt;nickname&gt; - Give Someone A Good Sporking"
  putserv "NOTICE $nick :!Top&lt;stat&gt; - Returns The Top Statistics For The &lt;Stat&gt; Type.  Stat Types Are: talk lol smile swear kick time speed"
  putserv "NOTICE $nick :!My&lt;stat&gt; - Returns Your Rating In The Statistics For The &lt;Stat&gt; Type. Stat Types Are: talk lol smile swear kick time speed stat total."
  putserv "NOTICE $nick : - Users Found Abusing The !Top And !My Commands Will Be Banned From The Bot And Stats Will Not Be Recorded For Them.  Please Use Some Courtesy Here."
  putserv "NOTICE $nick :End Of Basic User Commands"
  if {[matchattr $hand o|o $chan]} {
    putserv "NOTICE $nick :\002Auto-Op\002 Commands"
    putserv "NOTICE $nick :!commands - Kinda Obvious Don't Ya Think.."
    putserv "NOTICE $nick :!opme - Have The Bot Op You"
    putserv "NOTICE $nick :!deopme - Have The Bot De-Op You"
    putserv "NOTICE $nick :!op &lt;nickname&gt; - Have The Bot Op Someone"
    putserv "NOTICE $nick :!deop &lt;nickname&gt; - Have Tbe Bot DeOp Someone"
    putserv "NOTICE $nick :!whois &lt;nickname&gt; - Find Out If The Nickname Is In The Bots User Database"
    putserv "NOTICE $nick :!kick &lt;nickname&gt; - Have The Bot To A Quick Kick Of Nickname"
    putserv "NOTICE $nick :!ban &lt;nickname&gt; - Have The Bot Do A Quick Kick/Ban Of Nickname"
    putserv "NOTICE $nick :!server - Find Out What Server:Port The Bot Is On"
    putserv "NOTICE $nick :!lc - Lock The Channel To Prevent Flooding"
    putserv "NOTICE $nick :!uc - Unlock The Channel"
    putserv "NOTICE $nick :!seenstats - Display Database Information For !seen Database"
    putserv "NOTICE $nick :End Of Auto-Op Commands"
  }
  if {[matchattr $hand m|m $chan]} {
    putserv "NOTICE $nick :\002Bot Master\002 Commands"
    putserv "NOTICE $nick :!addop &lt;nickname&gt; - Add The Nickname To The Bots Auto-Op List"
    putserv "NOTICE $nick :!delop &lt;nickname&gt; - Remove The Nickname From The Bots Auto-Op List"
    putserv "NOTICE $nick :!adduser &lt;nickname&gt; - Add  User To The User Database With Default Flags"
    putserv "NOTICE $nick :!deluser &lt;nickname&gt; - Remove A User From The Bots Database, Can Be Used If User Needs To Re-Register With The Bot"
    putserv "NOTICE $nick :!jump &lt;server&gt; - Forces The Bot To Change Servers To Server Entered"
    putserv "NOTICE $nick :!update - Manually Update The Stats Site"
    putserv "NOTICE $nick :getlog &lt;date&gt; - Have A Logfile From A Certain Date Sent To You.  Usage: /msg $botnick  getlog &lt;ddMonyyyy&gt; \(ie getlog 01Jul2005\) Month MUST Have A Capital First Letter"
    putserv "NOTICE $nick :!gban &lt;nickname&gt; - Add A Global Ban To The Bots Internal Ban List (ie: akick)"
    putserv "NOTICE $nick :!noop &lt;nickname&gt; - Adds A Flag To The Nickname That Prevets The Person From Being Op\'d"
    putserv "NOTICE $nick :!allowop &lt;nickname&gt; - Removes The Flag That Prevents People From Getting Op\'d"
    putserv "NOTICE $nick :End Of Bot Master Commands"
  }
}
putlog "*** Op Commands by xTc^bLiTz &lt;xtc_blitz@hotmail.com&gt;  Loaded"</code></pre></div>*EDIT* I guess I'm too tired, the command I wanted: !addvoice is there, it's just called: !voice<br>sorry hehe.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=7219">starpossen</a> — Sun Dec 16, 2007 4:50 pm</p><hr />
]]></content>
	</entry>
	</feed>
