Full Disclosure mailing list archives

ExploitLabs - URGENT 0day Alert!!


From: "Donnie Weiner" <s2_pi_di_ty () hotmail com>
Date: Tue, 17 Jun 2003 03:31:25 +0000

------------------------------------------------------------------
EXPL-NOTHCKR-A1-31337-2003-00010 exploitlabs.com Advisory 00000010
------------------------------------------------------------------
                -= How To Make A mIRC Bot =-



morning_wood
June 16, 2003
exploitlabs.com


Vunerability(s):
----------------
1. Backdoor/Remote Shell/Default Password



Product:
--------

How To Make A mIRC Bot
http://www.mishscript.de/help/mircbot.htm


Description of product:
-----------------------

How To Make A mIRC Bot - Freeware
"There is so much you can write into a bot, and you can only learn how through asking people, reading FAQ's like this one and doing it for yourself. So anyway, this FAQ will try to take you through the basics of making your own bot."

Download:

http://exploitlabs.com/fylez/Wood-bot_tut.txt <-- dont work
http://www.howtomakeabircbot.com <-- also dont work, domain doesnt exist
http://www.mishscript.de/help/404.htm <-- dont work, says not found
http://www.mishscript.de/help/mircbot.htm



VUNERABILITY / EXPLOIT
======================
Remote:
-------
yup!

exploit code ( basicly shows what an attacker types to do a 0day attack )

----0day----- snippy ----0day---------
To add and remove user levels, we use the /auser and /ruser commands. There are others such as /guser, but they make use of mIRC's Internal Address List, which we'll come to later. To cut a long story short, /auser and /ruser are the simplest.

/auser <level> <nick> will give a nick a certain userlevel. The one you want to use is:

/auser 100 Merlin (please, put YOUR OWN nick instead of "Merlin". You want your usual nick to be in there, NOT the nick of the bot. That would be pointless. If YOU want to access the commands, YOU must have a high user level in the eyes of the bot.
----------- end snippy ---------------

here we see that 0day is possible because since this is basicly a tutorial and when we read tutorials we do it because we cant find code to copy and paste (isnt that right illwill [aka "w g" aka xillwillx () yahoo com aka o0oillwillo0o @ aim aka xXxXxXx_iLLWiLL_420_31337_SuPA_MaSTA_HaCKSTA_2005_xXxXxXx @ dalnet #teens4fun] lol me and illwill are buds he cant code and its well known he basicly rips from planetsourcecode etc but its all good) newayz if we cant find anything to copy and paste then we need to look for tutorials and im not very good with english so i dont really read what it says i just do it and probly everyone does that

basicly since it says

"/auser 100 Merlin (please, put YOUR OWN nick instead of "Merlin"."

we do a 0day attack by using the exploit (provided below) which allows us to gain privileges at level 100. from there we can tell the bot to dcc file transfer us a copy of cmd.exe (hense - remote shell)

exploitlabs 0day exploit team (currently just me, coinsidently im the only one on all the exploitlabs teams actually, since im the only employee) has written some 0day to exploit this 0day

-------0day alert------
# EXPL-0DY-000000000000001-2003-31337
# this is a 0day to exploit aforementioned 0day
# this is to be pasted directly into the mirc chat window
# you may hilite the 0day portion of this exploit to prepare for copy
# then press ctrl-c to copy, move the cursor to the mirc window
# then press ctrl-v to paste
# this exploit currently only has targets to work on windows OS
# exploitlabs 0day team ( again, just me ) is researching how to port
# these instructions to multiple platforms (for some reason my irc program
# closes when i keep trying to copy, i press ctrl-c like 6 times and still
# wont work, irc program crashes...future 0day advisory by exploit labs
# to dislcose this strange 0day crash is being made) so it will soon be
# portable. exploit follows

/NICK Merlin

-end---0day alert------

after using this 0day exploit create in the labs of exploitlabs, wait for the reader of the tutorial to type the /auser 100 Merlin portion of the default implementation of this tutorial

Vendor Fix:
-----------
No fix on 0day
I disclosed the 0day to my friends on irc (irc.euyulio.org #subseven / #euyulio)approx 4 weeks ago, has been on our website since last week, and i told the vendor - so really this wouldnt be '0day' more like '28day' but i dont really know what 0day means (as you can see from all my advisories) and i think it sounds cool so i say 0day whenever i can.



Vendor Contact:
---------------
merlin () mishscript de - Concurrent with this 0day


Credits:
--------

morning_wood ( surprise, seeing as im the only one here at exploitlabs! )
http://exploitlabs.com "where thinking up lame advisories is one job, and writing them is half the fun"
morning_wood () frame4 com - get tested


----------------------------------------

be a good vendor... test your tutorials first, it is your problem, fix
it. users shouldnt be expected to configure your products or read any documentation.

http://nothackers.org - it's t0day

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html