Mig33 Server Bug (Invisible Entry in chatrooms)
+5
hang_me_up
Giga
luv.inspecta
r0mz
h4v0c-
9 posters
Page 1 of 1
Mig33 Server Bug (Invisible Entry in chatrooms)
by h4v0c- Fri Jul 04, 2008 1:08 am
This is one of the problems in mig33 server
Its an incorrect validation problem in mig33 server software
Its mostly known as invisible entry
I am sharing this because it dosent harms anyone in anyway and it is being fixed within next 2,3 days
Till then you can test it yourself
Detail:
When we send login packet to mig33 server, server sends two alphanumeric keys.
First key is used as a session id for opening links like profile, scrapbook, etc
Second one is for making hash with password
Then our mig33 client application joins second key with the password provided by us and after passing it through a hash making algorithm, it sends a four bytes long hash to mig33 server
Mig33 server then creates the same hash on the server with the user's password stored in database and matches it with the hash sent by our client mig33 application
If both the hashes are matched, server checks whether the username is active or inactive
If the username is active, it is logged in and the server then sends login success packet to the mig33 client in order to notify it about the successful login
Otherwise it sends the "Account not active" message
After successful login, if we send the hash again to the mig33 server, the server returns an error message "Session already exists"
Then we send the login packet again, mig33 server will again send keys
(Bug: When the login packet is sent to the server with the same connection, the server resets users details and remains logged in - I am not sure about this!)
Now if someone sends a private message to your id, it will say "User not online" (i wanted this bug as a feature in mig33 - Auto Block)
And if you enter a chatroom, your entry will not be appeared but when you leave the room it will show other users that you have left the chatroom
Fix:
mig33 coders have to make some change in login packet and the join chatroom packet
POC:
You cant do all this using mobile phone, java emulators or the website,
To do that, you need WPE (Winsock Packet Editor)
This program edits the packets sent to the server and resends them
To use this tool, you need some information about packets
Or you can also accomplish this by making a client mig33 application as i did
Here is a link to an mig33 client application (written in vb) made by me
download http://rescue.gov.pk/presentation/dl.php?f=1&n=mig_bug.zip
it does all the above with only 2,3 clicks
You must have the following files in your system:
1- msvbvm60.dll (download from www.dll-files.com)
2- mswinsck.ocx (download from www.dll-files.com)
3- hashgen.dll (included)
Good Luck!
Its an incorrect validation problem in mig33 server software
Its mostly known as invisible entry
I am sharing this because it dosent harms anyone in anyway and it is being fixed within next 2,3 days
Till then you can test it yourself
Detail:
When we send login packet to mig33 server, server sends two alphanumeric keys.
First key is used as a session id for opening links like profile, scrapbook, etc
Second one is for making hash with password
Then our mig33 client application joins second key with the password provided by us and after passing it through a hash making algorithm, it sends a four bytes long hash to mig33 server
Mig33 server then creates the same hash on the server with the user's password stored in database and matches it with the hash sent by our client mig33 application
If both the hashes are matched, server checks whether the username is active or inactive
If the username is active, it is logged in and the server then sends login success packet to the mig33 client in order to notify it about the successful login
Otherwise it sends the "Account not active" message
After successful login, if we send the hash again to the mig33 server, the server returns an error message "Session already exists"
Then we send the login packet again, mig33 server will again send keys
(Bug: When the login packet is sent to the server with the same connection, the server resets users details and remains logged in - I am not sure about this!)
Now if someone sends a private message to your id, it will say "User not online" (i wanted this bug as a feature in mig33 - Auto Block)
And if you enter a chatroom, your entry will not be appeared but when you leave the room it will show other users that you have left the chatroom
Fix:
mig33 coders have to make some change in login packet and the join chatroom packet
POC:
You cant do all this using mobile phone, java emulators or the website,
To do that, you need WPE (Winsock Packet Editor)
This program edits the packets sent to the server and resends them
To use this tool, you need some information about packets
Or you can also accomplish this by making a client mig33 application as i did
Here is a link to an mig33 client application (written in vb) made by me
download http://rescue.gov.pk/presentation/dl.php?f=1&n=mig_bug.zip
it does all the above with only 2,3 clicks
You must have the following files in your system:
1- msvbvm60.dll (download from www.dll-files.com)
2- mswinsck.ocx (download from www.dll-files.com)
3- hashgen.dll (included)
Good Luck!
h4v0c-- Logged in
-
Number of posts : 6
Age : 34
Location : pakistani
mig33 username : h4v0c-
Registration date : 2007-09-05
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by r0mz Fri Jul 04, 2008 2:03 am
thanx allot for the info man 
r0mz- Senior member
-
Number of posts : 935
Age : 38
Location : Tanzania
mig33 username : r0mz---relo4d3d
Registration date : 2008-06-10
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by luv.inspecta Fri Jul 04, 2008 8:17 am
gud info bro ... thx for this informativ post ... ! ...
luv.inspecta- Legendary Member
-
Number of posts : 1642
Age : 38
Location : saudi arabia
mig33 username : luv.inspecta
Registration date : 2008-05-19
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by Giga Fri Jul 04, 2008 8:30 am
Ahem!
Thanks for the info!
Thanks for the info!
Giga- VIP member
-
Number of posts : 1140
Age : 34
Location : -
mig33 username : nigahiga-dwls-fm
I\'m from :
Registration date : 2008-06-12
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by hang_me_up Fri Jul 04, 2008 10:19 am
thanks for the more detailed info broo 
hang_me_up- Hanging out
-
Number of posts : 56
Age : 35
Location : bangladesh
mig33 username : rajibul143 and digital-mulla
Registration date : 2008-06-26 -
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by ykanishka Fri Jul 04, 2008 12:13 pm
Thanx for information... Keep it up..
ykanishka- Regular Member
-
Number of posts : 124
Age : 33
Location : Sri lanka
mig33 username : ykanishka
Registration date : 2008-03-05
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by Kanishka_max Fri Jul 04, 2008 5:57 pm
hay this is cool 
i hope mig33 team wil find a solution asap.
i hope mig33 team wil find a solution asap.
Kanishka_max- Regular Member
-
Number of posts : 261
Age : 35
Location : .:: Sri Lanka ::.
mig33 username : kanishka_max
Registration date : 2008-03-09
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by sajith Fri Jul 04, 2008 9:06 pm
very nice informations. . . 
thanks bro
keep sharing. . .
thanks bro
keep sharing. . .
sajith- VIP member
-
Number of posts : 1555
Age : 35
Location : Sri Lanka
mig33 username : sajith.xp.pk
I\'m from :
Registration date : 2008-03-06 -
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by Nothingness Sat Jul 05, 2008 2:52 am
Good information
Thanks for sharing.
Keep it up
Thanks for sharing.
Keep it up
Nothingness- Legendary Member
-
Number of posts : 1928
Age : 35
Location : Pakistan
mig33 username : lunacy_reloaded
Registration date : 2008-04-24
Re: Mig33 Server Bug (Invisible Entry in chatrooms)
by r0mz Sat Jul 05, 2008 6:48 am
i think u should try and update the mig33 software engineers abt this
r0mz- Senior member
-
Number of posts : 935
Age : 38
Location : Tanzania
mig33 username : r0mz---relo4d3d
Registration date : 2008-06-10
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|