Common Booter Source Exploit

#1
EDIT August 30: Wow, I was so tired when I wrote this, I gave the wrong URLencoded character. We want an &, not a '.

Fuck it, we're not doing anything with this... go wild.

OK, so I'm in a hurry to write this. I'll explain it better later today.
There's a pretty interesting bug in most booter sources that allows someone to gain root (yes, root) access to the backend attack servers.

These booters send a command to their servers via SSH or HTTP API, and the frontend does very little filtering on them, especially for layer7 attacks.

Code will be here later today
PHP Code:
if(filter_var($host, FILTER_VALIDATE_URL)){
    // Only checks that $host is shaped like a URL; shell metacharacters in it survive untouched.
    $insertLogSQL->execute(array(':user' => $_SESSION['username'], ':ip' => $host, ':port' => $port, ':time' => $time, ':method' => $method));
    echo '<div class="nNote nSuccess hideit"><p><strong>SUCCESS: </strong>Attack has been sent to '.$host.':'.$port.' for '.$time.' seconds using '.$method.'</p></div>';
}


Anyway, the bug lies in the fact that there's no actual escaping of shell metacharacters. It just checks if your input looks like a valid URL, and if it is, executes it without a second thought.

We can construct an evil payload that looks like a URL like so:


%26commands$(IFS)gohere

The %26 gets url-decoded and becomes an & when sent to the backend attack server. The $(IFS) is used here because %20, for some reason, breaks the backend and so do raw spaces (raw spaces make it an invalid URL), so we have to use bash's Internal Field Separator.

I apologize for my brevity. I'll improve on this at some point.
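The point of the post above is that a URL-validity check and a shell-safety check are two different things: FILTER_VALIDATE_URL is happy with a string that still carries &, $(...) and friends into whatever shell the backend runs. The following Python is an added illustration of that gap from the defensive side; it is not code from the thread or from any booter source. It contrasts a naive "looks like a URL" check with a strict validator that decodes first, rejects metacharacters, and only accepts a plain hostname or IP literal plus a numeric port, and it shows the quoting step (shlex.quote, the PHP equivalent being escapeshellarg) that the vulnerable snippet skipped. Function names and the sample inputs are constructed for this example.

```python
"""A URL-shape check is not a shell-safety check (added example, not the thread's code)."""
import ipaddress
import re
import shlex
from urllib.parse import unquote, urlsplit

# Characters that must never reach a shell command line unquoted.
SHELL_META = re.compile(r"[;&|`$(){}<>\s\\'\"]")

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def looks_like_url(target: str) -> bool:
    """Naive check in the spirit of filter_var(..., FILTER_VALIDATE_URL):
    a known scheme and a host are present, nothing else is enforced."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def strict_target(target: str):
    """Return (host, port) only when the target is safe to hand on; else None.

    Percent-decode first: the thread's payload hides '&' as %26 until a later
    hop decodes it, so the check must see what the backend will see.  Because
    only host and port are ever needed, anything carrying a metacharacter is
    rejected outright rather than sanitised.
    """
    decoded = unquote(target)
    if SHELL_META.search(decoded):
        return None
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname
    try:
        ipaddress.ip_address(host)          # accept a bare IPv4/IPv6 literal
    except ValueError:
        if not HOSTNAME.match(host):        # otherwise require a clean hostname
            return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                      # non-numeric or out-of-range port
        return None
    return host, port


def quote_for_shell(value: str) -> str:
    """The escaping the vulnerable code lacked: wrap the value so the remote
    shell treats metacharacters as literal text."""
    return shlex.quote(value)


if __name__ == "__main__":
    # Constructed sample mirroring the shape of the payload in the thread.
    sample = "http://example.com/%26cmd$(IFS)arg"
    print("naive check accepts:", looks_like_url(sample))      # True
    print("strict check accepts:", strict_target(sample))      # None
    print("strict check on clean target:", strict_target("http://example.com:8080/"))
    print("quoted for shell:", quote_for_shell("example.com&cmd"))
```

The strict validator deliberately refuses rather than rewrites: a target that needs its query string or path preserved has no business in a host:port field, so rejection loses nothing and removes the whole class of "did something downstream decode it again" surprises. Quoting is still worth applying at the point where the command string is assembled, as defence in depth for the day someone relaxes the validator.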

#2
About time you posted something.

#3
So this is the exploit you were doing last time?

#4
Actually more simple than I imagined it would be.

#5
Quote:(03-28-2014, 10:46 PM)Satan Wrote:


Actually more simple than I imagined it would be.

It may not seem hard, but I'm pretty sure discovering this would be a bitch

#6
Quote:(03-29-2014, 02:23 AM)Kosaki Wrote:


It may not seem hard, but I'm pretty sure discovering this would be a bitch

Ehh, depends how you think. If you look at something and say "this is how it functions" first, yeah, it'd take forever. If you look at it and say "I wonder how I can make it malfunction" first, you've got the right mindset for finding exploits.

#7
Hopefully you didn't forget about this :3

#8
Quote:(03-29-2014, 08:22 PM).Shebang Wrote:


Hopefully you didn't forget about this :3

Haven't forgotten, just lazy

#9
Not surprised, so many public booter sources are full of exploits. Though one that grants root to the backend servers is sexy.

#10
Pretty nice, KMS showed me and a bunch of other people how to do this on Skype one night.


©0Day 2016 - 2023 | All Rights Reserved.