Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

0day remote root BNC exploit

From: poofie () gmx net
Date: Wed, 4 Dec 2002 01:44:57 +0100 (MET)
This is in response to: 
  http://www.fatelabs.com/advisories/shoutcast-advisory.txt

_____________________________________________________________________
                 FaKe Research Laboratories
                     Security Advisory


 Package:               BNC 
 Vendor Web Site:       http://gotbnc.com/
 Versions:              < = Latest (v2.8.4)
 Platforms:             Lots of them
 Advisory Title:        Plaintext BNC Authentication Passwords
 Advisory ID:           F8K20020918:BNC
 Issue Date:            Wed Sep 18 12:34:56 PST 2002
 File(s):               bnc.conf
 Local:                 Yes
 Remote:                No
 Fix Available:         Yes
 Vendor Contacted:      No 
 Researcher:            poofie <poofie () fakelabs com>
 FaKe Web Site:         http://www.fakelabs.com ( NOT ORG! )
 _____________________________________________________________________



 1. Overview

 The password is stored in plaintext in the configuration allowing 
 hackers to use the BNC for their illegal activities. This could 
 mean the end of IRC as we know it. Please do not use this exploit for
 fun or profit.  



 2. Exploit

 Here is the 0day exploit from FaKelabs because we have the best exploit
 collection ever. 

 
 #!/bin/sh
 # 
 # PRIVATE FAKELABS EXPLOIT 0DAY HACKER EXPLOIT
 # BNC password stealing exploit by poofie () fakelabs com
 # 
 printf "Where do you want to steal the password from? "
 READ file
 echo "Stealing the password hahahahahaha"
 grep 'S:' $file



 3. Impact

 IRC will cease to exist.



 4. Greetz

               Loki - Supreme magistrate CEO flash hacker master
              ph33r - Previous research on plaintext password methods
 PhantomOfTheRouter - Blacker than Jesse Jackson crack smoking MSN hack3r
         hack3r.com - I learned everything from you guys, THANKS
            |SaMaN| -
http://online.securityfocus.com/archive/1/290114/2002-09-01/2002-09-07/0
                      Contributing useful information. Coder of the 
                      http://blackcode.tr.cx hacker team.
               ushi - Lesbian hacker slut


 (c) Copyright 1981-2002 FaKe Research Labs. All Copyrights Reserved.
 Web: http://www.fakelabs.com


-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEU: Mit GMX ins Internet. Rund um die Uhr für 1 ct/ Min. surfen!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: