Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

PTT.yu Guestbook Vulnebility

From: us3rg0d <us3r_g0d () yahoo com>
Date: Thu, 15 Jun 2006 14:55:50 -0700 (PDT)
============================
PTT.yu Guestbook Vulnebility
============================
Discovered by: us3rg0d 
Mail: us3r_g0d () yahoo com
Site: www.us3rg0d.tk
      www.cformatkrew.tk

greetz: m3t4b0l1c,Fu3g0,DELTA,Phantom,NeshYu,
skull_boy,Orwell,MetalBOY,[YesPeace],Intruder,

Loading_3rr0r,DrNoise
fuckz: PC_TEROR (virus-x, erol-s)
============================

PTT.yu guestbook have all ptt users which have ftp
access.
Here is a simple url which are using all ptt.yu users:
-------------------<CUT>------------------
http://www.ptt.yu/korisnici/[1st LETTER OF
USERNAME]/[2nd LETTER OF USERNAME]/[COMPLETE
USERNAME]/guestbook.htm(l)
-------------------</CUT>------------------

Vulnerable source code of upis.htm (which is used to
sign into guestbook) 
looks like this:

-------------------<CUT>------------------
<form action=http://www.ptt.yu/cgi-bin/guestbook.cgi
method=post name=pad target=frame>
        <input type=hidden name=realname value=' '>
        <input type=hidden name=comments value=' '>
        <input type=hidden name=handle>
        <input type=hidden value=[USERNAME]
name=owner>
</form>
-------------------</CUT>------------------

This means thats all guestbooks using guestbook.cgi to
post messages.After
you goes in guestbook.cgi and view a source code,you
would see that this 
script have no flood protection,so you can flood it
right afther you find out
how its working.
So,to sing into guestbook of some user,you just need
to use:
-------------------<CUT>------------------
http://www.ptt.yu/cgi-bin/guestbook.cgi?[USERNAME]
-------------------</CUT>------------------

Using this kind of flood attack results a buffer
overflow. 
So make a simple program that filling this field or
use one
of 3 exploits that i made in Visual Basic.You can
download it from:
http://us3rg0d.50webs.com/pttgdos.rar
http://us3rg0d.50webs.com/massptt.zip
http://us3rg0d.50webs.com/pttfl00d.zip

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: