<<< Date Index >>>     <<< Thread Index >>>

PTT.yu Guestbook Vulnebility



============================
PTT.yu Guestbook Vulnebility
============================
Discovered by: us3rg0d 
Mail: us3r_g0d@xxxxxxxxx
Site: www.us3rg0d.tk
      www.cformatkrew.tk

greetz: m3t4b0l1c,Fu3g0,DELTA,Phantom,NeshYu,
skull_boy,Orwell,MetalBOY,[YesPeace],Intruder,

Loading_3rr0r,DrNoise
fuckz: PC_TEROR (virus-x, erol-s)
============================

PTT.yu guestbook have all ptt users which have ftp
access.
Here is a simple url which are using all ptt.yu users:
-------------------<CUT>------------------
http://www.ptt.yu/korisnici/[1st LETTER OF
USERNAME]/[2nd LETTER OF USERNAME]/[COMPLETE
USERNAME]/guestbook.htm(l)
-------------------</CUT>------------------

Vulnerable source code of upis.htm (which is used to
sign into guestbook) 
looks like this:

-------------------<CUT>------------------
<form action=http://www.ptt.yu/cgi-bin/guestbook.cgi
method=post name=pad target=frame>
        <input type=hidden name=realname value=' '>
        <input type=hidden name=comments value=' '>
        <input type=hidden name=handle>
        <input type=hidden value=[USERNAME]
name=owner>
</form>
-------------------</CUT>------------------

This means thats all guestbooks using guestbook.cgi to
post messages.After
you goes in guestbook.cgi and view a source code,you
would see that this 
script have no flood protection,so you can flood it
right afther you find out
how its working.
So,to sing into guestbook of some user,you just need
to use:
-------------------<CUT>------------------
http://www.ptt.yu/cgi-bin/guestbook.cgi?[USERNAME]
-------------------</CUT>------------------

Using this kind of flood attack results a buffer
overflow. 
So make a simple program that filling this field or
use one
of 3 exploits that i made in Visual Basic.You can
download it from:
http://us3rg0d.50webs.com/pttgdos.rar
http://us3rg0d.50webs.com/massptt.zip
http://us3rg0d.50webs.com/pttfl00d.zip

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com