
Exploiting eggdrops through CTCP PING

awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland


Post by awyeah »

I've got a friend on a channel on DALnet; he told me this today. Just wondering if this is really possible:
<tux> If you've got a channel kick script, you might add #hackers_group to it, and the ident *!Scorpioon@* to banlists.. lamers in there going around trying to exploit eggdrops.
CTCP sent to his bot and CTCR reply returned:
(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

If you've got a very poorly written "ctcp ping reply" script loaded, sure, this might work.
However, plain vanilla eggdrops do not have any bindings to ctcr, and the only "raw" processing of ctcp replies is in the irc and server modules, which only identify a notice as a ctcp reply and just log the whole message.

How to identify a poor script? Here's an example:

die "Do NOT run this script!!!"
# "die" stops the bot immediately if someone loads this file anyway.

# DCC command: send a CTCP PING carrying the current unix time to the given nick.
proc do_ping {hand idx text} {
  puthelp "PRIVMSG $text :\001PING [unixtime]\001"
}

# CTCP reply handler: $time comes straight from the remote client and is passed
# unbraced to expr, so any [...] inside it is evaluated as Tcl code.
proc got_ping_reply {nick host hand target what time} {
  putlog "Ping reply from $nick: [expr [unixtime] - $time] seconds."
}

bind dcc - buggedping do_ping
bind ctcr - PING got_ping_reply
So what's so terribly wrong with this?
Well, this script trusts that the ping reply is "proper", that is, it returns the same timestamp that I first sent to the other client. However, a client may put whatever they wish as the "timestamp", including an arbitrary string that may include nasty stuff. But being unthoughtful, this script trusts it to be a simple integer that I can subtract from the current time (now - timestamp), so I pass it unchecked to "expr". "expr", however, will evaluate anything in between [] as Tcl code to be interpreted, and voila, the exploit you posted would work like a charm.

Lesson learned? NEVER EVER use expr with unchecked input from any untrusted source.

edit:
If you are worried whether your system is vulnerable to this, use this little script to check:

# DCC command (flag n = owner): send our own bot a CTCP PING reply whose payload
# is a bracketed Tcl command. A safe bot only logs it; a vulnerable one runs it.
proc check_ping_vulnerability {handle idx text} {
  puthelp "NOTICE $::botnick :\001PING \[putlog \"Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts.\"\]\001"
}

bind dcc n testping check_ping_vulnerability
Note, the following log entry would be received on safe bots as well:
[14:58] CTCP reply PING: [putlog "Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts."] from botnick (ident@host) to botnick
However, you are in trouble if you find this in your logs as a single log entry:
Your bot suffers from a ctcp-pingreply remote exploit. Please check your loaded scripts.
NML_375
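As an added example (not code from the thread), here is how the bugged ping script above could be written safely: the reply payload is checked to be a plain integer in a plausible range before use, and the subtraction is done inside a braced expr so the value is only ever treated as a number. The DCC command name safeping and the proc names are my own.

```tcl
# Added example, not from the thread. Assumes a running eggdrop (putlog,
# puthelp, unixtime and bind are eggdrop built-ins); the names are hypothetical.

# Returns 1 if $payload looks like a timestamp we could have sent, else 0.
proc ping_reply_valid {payload} {
  # Reject anything that is not a plain integer: brackets, quotes, spaces and
  # any other text that the unbraced expr in the bugged script would evaluate.
  if {![string is integer -strict $payload]} {
    return 0
  }
  # Reject timestamps that cannot be ours: more than an hour old, or in the future.
  set now [unixtime]
  if {$payload > $now + 60 || $payload < $now - 3600} {
    return 0
  }
  return 1
}

# DCC command: send a CTCP PING carrying the current unix time to the given nick.
proc safe_ping {hand idx text} {
  puthelp "PRIVMSG $text :\001PING [unixtime]\001"
}

# CTCP reply handler with the same signature as the bugged one.
proc safe_ping_reply {nick host hand target what time} {
  if {![ping_reply_valid $time]} {
    # Log a bounded slice of the payload; putlog only writes text, never evaluates it.
    putlog "Ignoring malformed PING reply from $nick ($host): [string range $time 0 80]"
    return
  }
  # Braced expression: expr parses $time as an operand, so even if validation
  # were skipped, a payload such as "[putlog x]" would raise an error, not run.
  set rtt [expr {[unixtime] - $time}]
  putlog "Ping reply from $nick: $rtt seconds."
}

bind dcc - safeping safe_ping
bind ctcr - PING safe_ping_reply
```

Both layers matter: the braces stop expr from re-parsing the value as code, and the integer check keeps garbage out of the log and the arithmetic.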
ap
Halfop
Posts: 44
Joined: Fri Jun 09, 2006 12:20 am

Post by ap »

thanks nml375,
So how would we test this? /ctcp nick ping or /ping nick

thanks
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

nml375 wrote: bind dcc n testping check_ping_vulnerability
So, in the dcc connection to your bot, testping
ap
Halfop
Posts: 44
Joined: Fri Jun 09, 2006 12:20 am

Post by ap »

Oops, thank you.
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot
Now that's just lame, he adds his handle and channel three times lol. Maybe to be sure? Or just a "good luck" thingie :P

You could've simply checked whether that handle and channel had been added to your bot after it received this CTCP reply and told us whether it's affecting your bot or not ;)

I'd go with nml375's advice on this (great example). Check out "Script security" from the FAQ forum.
ZEXEL
Halfop
Posts: 45
Joined: Tue Jun 27, 2006 10:47 pm

worst!

Post by ZEXEL »

(Eggbot) [03:04] CTCP PING: 1111305817 from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us)
(Eggbot) [03:04] CTCP reply PING: [set notc "TCL";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan;adduser TezDhaar TezDhaar*!*@*;chattr TezDhaar "fhjlmnoptxQZ";channel add #hackers_group;savechan] from TezDhaar (Scorpioon@BaCk.To.DarkneS.Us) to Eggbot
That CTCP PING request exploit would work with NETGATE tcl version 9.x and earlier, and all of its variants. Please disable any CTCP PING request if you use that tcl! It can result in the bot being fully taken over from your hands!

Please be careful and disable any CTCP PING request trigger inside NETGATE tcl. :wink:
Thank you...
.:[ Knowledge Is The Power ]:.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Never heard of that script before, but I bothered to search and download 9.1...
And to be honest, any script that puts such effort into making it hard to read/search for keywords/etc. really makes me wonder how many nasties are hidden in there.
Besides, I really don't see any other point in all that "encryption" (other than hiding trojans, etc.), as most of it would be decrypted once loaded. Run it in a sandbox and you'd have most of it decoded.
Nice alert tho, Zexel.
NML_375
user
Posts: 1452
Joined: Tue Mar 18, 2003 9:58 pm
Location: Norway

Post by user »

Have you ever read "The Manual"?
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Guess my gut feeling was right then...
Reading that thread, the ctcp backdoor is the least of your problems with that script...
NML_375
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

user wrote: don't use netgate.tcl - http://forum.egghelp.org/viewtopic.php?t=6708#43430
After all the posts here (and the fact I alerted all the founders of the appropriate channels on DALnet) I am amazed that people still get hold of it.