OMER

Would you like to react to this message? Create an account in a few clicks or log in to continue.

OMER_BHAR_4U@MIG33.COM

NOW WE CHANGED THE NAME OF THIS FORUM OMER.DARKBB.COM

    INVISIBLE ENTRY S0FTWARE

    Admin
    Admin
    Admin


    Number of posts : 627
    Registration date : 2008-12-25

    INVISIBLE ENTRY S0FTWARE Empty INVISIBLE ENTRY S0FTWARE

    Post  Admin Thu Feb 26, 2009 6:23 pm

    This is one of the problems in mig33 server
    Its an incorrect validation problem in mig33 server software
    Its mostly known as invisible entry
    I am sharing this because it dosent harms anyone in anyway and it is being fixed within next 2,3 days
    Till then you can test it yourself

    Detail:
    When we send login packet to mig33 server, server sends two alphanumeric keys.
    First key is used as a session id for opening links like profile, scrapbook, etc
    Second one is for making hash with password
    Then our mig33 client application joins second key with the password provided by us and after passing it through a hash making algorithm, it sends a four bytes long hash to mig33 server
    Mig33 server then creates the same hash on the server with the user's password stored in database and matches it with the hash sent by our client mig33 application
    If both the hashes are matched, server checks whether the username is active or inactive
    If the username is active, it is logged in and the server then sends login success packet to the mig33 client in order to notify it about the successful login
    Otherwise it sends the "Account not active" message
    After successful login, if we send the hash again to the mig33 server, the server returns an error message "Session already exists"
    Then we send the login packet again, mig33 server will again send keys
    (Bug: When the login packet is sent to the server with the same connection, the server resets users details and remains logged in - I am not sure about this!)
    Now if someone sends a private message to your id, it will say "User not online" (i wanted this bug as a feature in mig33 - Auto Block)
    And if you enter a chatroom, your entry will not be appeared but when you leave the room it will show other users that you have left the chatroom

    Fix:
    mig33 coders have to make some change in login packet and the join chatroom packet

    POC:
    You cant do all this using mobile phone, java emulators or the website,
    To do that, you need WPE (Winsock Packet Editor)
    This program edits the packets sent to the server and resends them
    To use this tool, you need some information about packets
    Or you can also accomplish this by making a client mig33 application as i did

    Here is a link to an mig33 client application (written in vb) made by me


    mig_bug.zip
    (21.71 KiB) Downloaded 43 times


    it does all the above with only 2,3 clicks
    You must have the following files in your system:
    1- msvbvm60.dll (download from http://www.dll-files.com)
    2- mswinsck.ocx (download from http://www.dll-files.com)
    3- hashgen.dll (included)


    Good Luck!

      Current date/time is Thu Nov 07, 2024 1:45 am