This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.


For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

Suitable binding to check for DCC send/resume

Help for those learning Tcl or writing their own scripts.
User avatar
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Contact:

Suitable binding to check for DCC send/resume

Post by awyeah »

I was wondering what binding will be used to check if someone is sending the bot a file? via DCC. I'm looking for file extensions, that I will use regexp later, to find for DCC exploit. Currently I only have this.

Code: Select all

LOST (stackable)

bind lost <flags> <mask> <proc>
proc-name <handle> <nick> <path> <bytes-transferred> <length-of-file>

Description: triggered when a DCC SEND transfer gets lost, such as when the connection is terminated before all data was successfully sent/received. This is typically caused by a user abort.

Module: transfer

TOUT (stackable)

bind tout <flags> <mask> <proc>
proc-name <handle> <nick> <path> <bytes-transferred> <length-of-file>

Description: triggered when a DCC SEND transfer times out. This may either happen because the dcc connection was not accepted or because the data transfer stalled for some reason.

Module: transfer
Would bind RAW work? If so, with what keyword? any example? Also bind DCC is only limited to the partyline I noticed.

How about bind CTCP with keyword DCC?
All help would be appreciated in this matter, Thanks!
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
User avatar
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

When someone sends the bot a file, the bot receives a notice containing:
DCC Send <file-name> (<IP>)
So you can bind to notc and use "DCC Send * (%)" as its mask to catch a dcc send.
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

A notice is not mandatory, and will not work reliably with some clients..
As for raw vs. ctcp bindings, ctcp would probably be easier, as you won't have to extract all the bits and pieces to figure out it's a ctcp-message, or that the keyword is "DCC". Both bindings do allow you to prevent further processing using returncodes.

As for the format of the actual transfer negotiation, it's a ctcp with keyword "DCC" and parameters "SEND <filename> <ipaddress> <port> <filesize>". IP and port are expected to be unsigned integers (aka "longip").

http://www.kvirc.de/docu/doc_dcc_connection.html provides some further info on the dcc subprotocol
NML_375
User avatar
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

Yes indeed, I forgot to mention. So you can do something like:

Code: Select all

bind ctcp - DCC dcc:send

proc dcc:send {nick uhost hand dest kw arg} {
 if {[isbotnick $dest] && [string match "SEND *" $arg]} {
  # DCC SEND detected
 }
}
User avatar
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Contact:

Post by awyeah »

DALnet is a bit different, dealing with DCC sends on the bahamut IRCd. I tried bind ctcp with DCC as the keyword, got no response when I sent a file to the bot via DCC.

The only response was from Notice. So there are two options either use bind raw with the keyword NOTICE or just simply bind notc. Hence for simplicity I used bind notc.

These were the responses on bind notc when I send a file to the bot.
($nick) ($uhost) ($hand) ($text) ($dest)

<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send mirc.exe (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send spamrem.zvk (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send servers.ini (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send aliases.ini (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send remote.ini (219.92.24.7)) (adapter)
So if anyone sends you bot a file, the bot will remove that person found on any of the channels the bot is on. This is the script for DALnet, utilizing bind notc.

Code: Select all

bind notc - "*" dcc:exploit:check

proc dcc:exploit:check {nick uhost hand text {dest ""}} {
 global botnick
 if {[isbotnick $nick] || [string equal $nick "ChanServ"] || [string equal $nick "NickServ"] || [string equal $nick "MemoServ"] || ($nick == "") || [matchattr $hand mnof|mnof]} { return 0 }
 if {[string equal "@" [string index $dest 0]] && [string equal "#" [string index $dest 1]]} { return 0 }
 if {[string equal "#" [string index $dest 0]] && [string match "#*" $dest]} { return 0 }
 if {[isbotnick $dest]} {
  if {[string equal "4" [split [llength $text]]] && [string equal "DCC Send" [lrange $text 0 1]] && ([regexp -all {\.} [lindex $text 2]] <= 3) && [string match "(%)" [lindex $text 3]]} {
  foreach chan [channels] {
   if {[botisop $chan] && [onchan $nick $chan] && ![isop $nick $chan] && ![isvoice $nick $chan]} {
    putquick "MODE $chan +b *!*@[lindex [split $uhost @] 1]" -next
    putquick "KICK $chan $nick :DCC Exploit Infected File  - You are sending a infected file to channel users. You are infected with a DCC exploit. Please join #nohack to clean your infected PC."
    }
   }
  }
 }
}
Thanks for your help on this nml375 and Sir_Fz! Really appreciate it :D
So I guess Sir_Fz was right using notc and the matching keyword. Sorry, since I intially forgot to mention this is to be used for DALnet. :P
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Once again, however, I must stress that this notice is mainly a feature of mIRC (and a few other clients). This will most likely not prevent any more advanced viruses utilizing irc to spread itself.

As for using ctcp-binding, It works just fine for me. Which network you are using really should'nt matter at all, as any and all ircd's should simply forward PRIVMSG's from client to client, without interfering or altering the message. Also, not even mIRC will try to recieve a dcc transfer if you simply send the notice (especially since it lacks information on which port to connect to).
NML_375
User avatar
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

Actually, I tested it on my Eggdrop on DALnet and the ctcp worked just fine. This is what a user receives when a DCC send is requested (raw):
:<nick>!<user>@<host> NOTICE <receiver> :DCC Send dalnet.txt (<ip>)
:<nick>!<user>@<host> PRIVMSG <receiver> :☺DCC SEND dalnet.txt 32322483 21 4602 374☺
on DALnet. The '☺' character is \001.
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Oh, also forgot, I doubt this is what you actually intended:

Code: Select all

[string equal "4" [split [llength $text]]]
More likely you're trying to split $text into a list, and then get the lenght of the list... also, since you're comparing integers, == would suffice, so no need for string equal.

Next,

Code: Select all

[regexp -all {\.} [lindex $text 2]] <= 3
$text is a string, not a list :p And why are you counting the number of dots in the filename? *confused*

Finally, this is just overkill, the second test catches any and all conditions of the first one, making it obsolete.

Code: Select all

[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
I also do not get why you are checking for @ as the first character of dest... But maybe that's something I've forgotten from the rfc's...
NML_375
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Ohh, also, when you tried the ctcp-approach, did you make sure you used "DCC" as keyword and nothing else (such as "DCC Send")?
NML_375
r
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

Who say's that the file being sent/sender is infected? Maybe it's just a normal user sending a file.....
r0t3n @ #r0t3n @ Quakenet
User avatar
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Contact:

Post by awyeah »

Tosser^^ wrote:Who say's that the file being sent/sender is infected? Maybe it's just a normal user sending a file.....
I added it on join a channel, if a user sends a file almost immediately on join then definately user is infected. And then I also added file extension checks also using regexp.
Last edited by awyeah on Mon Jun 04, 2007 2:06 am, edited 1 time in total.
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
User avatar
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Contact:

Post by awyeah »

nml375 wrote:Ohh, also, when you tried the ctcp-approach, did you make sure you used "DCC" as keyword and nothing else (such as "DCC Send")?
Yes I tried:

Code: Select all

bind ctcp - DCC proc_here
I didnt use "DCC Send" as the keyword however.

The weird thing is, I didn't see the proc being executed, so I checked it with putlog also, the same thing ah, the proc didn't fire. Anyway PRIVMSG also worked yeap, but NOTICE was more relevant so stuck with it.
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
User avatar
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Contact:

Post by awyeah »

nml375 wrote:Oh, also forgot, I doubt this is what you actually intended:

Code: Select all

[string equal "4" [split [llength $text]]]
More likely you're trying to split $text into a list, and then get the lenght of the list... also, since you're comparing integers, == would suffice, so no need for string equal.

Next,

Code: Select all

[regexp -all {\.} [lindex $text 2]] <= 3
$text is a string, not a list :p And why are you counting the number of dots in the filename? *confused*

Finally, this is just overkill, the second test catches any and all conditions of the first one, making it obsolete.

Code: Select all

[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
I also do not get why you are checking for @ as the first character of dest... But maybe that's something I've forgotten from the rfc's...
As for this:

Code: Select all

[string equal "4" [split [llength $text]]]
Yes i'll try to omit the split. But I am matching 4 parameteres here, so there always should be 4, else stop there immediately.

The "==" sign is also recommended for this case, but I overlooked it, anyway both would produce the same result. Well the one thing I will observe is the equality (==) will execute faster than string equal, if I am correct.

For this:

Code: Select all

[regexp -all {\.} [lindex $text 2]] <= 3]
I am trying to match:
DCC Send mirc.exe (219.92.24.7)
DCC Send remote.txt.ini (219.92.24.7)
DCC Send versions.tar.gz (219.92.24.7)
DCC Send alias.ini.scr.com (219.92.24.7)
The letters in bold, meaning the file name. These are very good examples of infected files. The extension of the file name is changed or additional extension is added to cloack the original file being sent. This is encountered mostly on DALnet.

Thirdly:

Code: Select all

[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
Yeah I guess I overlooked this. After seeing the complete proc, this statement is redundant and already implemented, so it should be removed.

Checking @ as first character.. remember OPNOTICE? Sometimes channel ops us opnotice so dest is like "@#channel" and even ChanServ on DALnet uses opnotices for VERBOSE commands mostly.
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
User avatar
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Contact:

Post by awyeah »

This should be the final code:

Code: Select all

bind notc - "*" dcc:exploit:check 

proc dcc:exploit:check {nick uhost hand text {dest ""}} { 
 if {[isbotnick $nick] || [string equal $nick "ChanServ"] || [string equal $nick "NickServ"] || [string equal $nick "MemoServ"] || ($nick == "") || [matchattr $hand mnof|mnof]} { return 0 }
 if {[string equal "#" [string index $dest 0]] || [string equal "@" [string index $dest 0]] && [string equal "#" [string index $dest 1]]} { return 0 } 
 if {[isbotnick $dest]} {
  if {([llength $text] == "4") && [string equal "DCC Send" [lrange $text 0 1]] && ([regexp -all {\.} [lindex $text 2]] >= 1) && ([regexp -all {\.} [lindex $text 2]] <= 3) && [string match "(%)" [lindex $text 3]]} { 
  foreach chan [channels] { 
   if {[botisop $chan] && [onchan $nick $chan] && ![isop $nick $chan] && ![isvoice $nick $chan]} { 
    putquick "MODE $chan +b *!*@[lindex [split $uhost @] 1]" -next 
    putquick "KICK $chan $nick :DCC Exploit Infected File  - You are sending a infected file to channel users. You are infected with a DCC exploit. Please join #nohack to clean your infected PC." 
    } 
   } 
  } 
 } 
}
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Still, $text is not a list, so can't use llength, lindex or lrange here without split.

Never heard of opnotice, but then again I do not use services such as chanserv... However, this being a service, means that it will not trigger notc-bindings, virtually making the @#-matching useless...

I still don't see the point in counting number of dots, as "valid" files seldom would have 4 or more dots, and for someone malicious it'd be merely a matter of adding another dot in the filename.

Finally, would'nt it just be simpler matching something like this?:

Code: Select all

string match "DCC Send % (%)" $text
I'd probably implement it roughly like this tho:

Code: Select all

bind ctcp -of&-of DCC check_send
bind ctcp -of&-of XDCC check_send
proc check_send {nick host hand dest key text} {
 set subkey [lindex [split $text] 0]
 if {[string equal -nocase $subkey "send"]} {
  foreach chan [channels] {
   pushmode $chan +b "*!*@[lindex [split $host "@"] end]"
   putkick $chan $nick "Unsolisticed dcc send requested. Banning..."
  }
  return 1
 }
 return 0
}
NML_375
Post Reply