============================
PTT.yu Guestbook Vulnerability
============================
Discovered by: us3rg0d
Mail: us3r_g0d@xxxxxxxxx
Site: www.us3rg0d.tk
      www.cformatkrew.tk

greetz: m3t4b0l1c,Fu3g0,DELTA,Phantom,NeshYu,
skull_boy,Orwell,MetalBOY,[YesPeace],Intruder,
Loading_3rr0r,DrNoise

fuckz: PC_TEROR (virus-x, erol-s)
============================

All PTT.yu users who have FTP access have a guestbook.
Every PTT.yu user's guestbook is reached through a URL of this form:

-------------------<CUT>------------------
http://www.ptt.yu/korisnici/[1st LETTER OF USERNAME]/[2nd LETTER OF USERNAME]/[COMPLETE USERNAME]/guestbook.htm(l)
-------------------</CUT>------------------

The vulnerable source code of upis.htm (the page used to sign the guestbook) looks like this:

-------------------<CUT>------------------
<form action=http://www.ptt.yu/cgi-bin/guestbook.cgi method=post name=pad target=frame>
<input type=hidden name=realname value=' '>
<input type=hidden name=comments value=' '>
<input type=hidden name=handle>
<input type=hidden value=[USERNAME] name=owner>
</form>
-------------------</CUT>------------------

This means that all guestbooks use guestbook.cgi to post messages. If you open guestbook.cgi and view its source code, you will see that the script has no flood protection, so it can be flooded as soon as you find out how it works.

So, to sign the guestbook of some user, you just need to use:

-------------------<CUT>------------------
http://www.ptt.yu/cgi-bin/guestbook.cgi?[USERNAME]
-------------------</CUT>------------------

Using this kind of flood attack results in a buffer overflow.
So make a simple program that fills this field, or use one of the 3 exploits that I made in Visual Basic. You can download them from:

http://us3rg0d.50webs.com/pttgdos.rar
http://us3rg0d.50webs.com/massptt.zip
http://us3rg0d.50webs.com/pttfl00d.zip
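
The flood protection the advisory finds missing from guestbook.cgi could be a server-side gate like the following, run before a post is stored. This is an added example, not code from the advisory or from PTT; it uses the form field names shown above, while the class name, the limits and the owner-name pattern are assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Assumed policy values; the advisory gives none.
MAX_POSTS = 3             # posts allowed per client per window
WINDOW_SECONDS = 60.0
MAX_LEN = {"realname": 64, "comments": 1000, "handle": 64, "owner": 32}
OWNER_RE = re.compile(r"[a-z0-9_]{2,32}")   # assumed username format


class GuestbookGate:
    """Decides whether one POST to the guestbook script may be stored."""

    def __init__(self, known_owners, clock=time.monotonic):
        self.known_owners = set(known_owners)
        self.clock = clock
        self.recent = defaultdict(deque)   # client address -> post timestamps

    def check(self, client_addr, form):
        """Return (accepted, reason) for a dict of submitted form fields."""
        # Bound every field before it reaches a buffer or the guestbook file.
        for name, limit in MAX_LEN.items():
            if len(form.get(name, "")) > limit:
                return False, f"{name} too long"
        # 'owner' arrives in a hidden field, so it is client-controlled input.
        owner = form.get("owner", "")
        if not OWNER_RE.fullmatch(owner) or owner not in self.known_owners:
            return False, "unknown owner"
        if not form.get("comments", "").strip():
            return False, "empty comment"
        # Sliding-window throttle per client address.
        now = self.clock()
        stamps = self.recent[client_addr]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= MAX_POSTS:
            return False, "rate limit"
        stamps.append(now)
        return True, "ok"
```

Rejected requests are not counted against the window here; counting them as well would also throttle a client that only sends oversized or invalid posts.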