
Thread: Morpheus Exploit Question Answered

  1. #21

    Re: grrr........

    Originally posted by guerrillase7en
    so running easy exploits on webservers that do what they're supposed to do just have really no if any security isn't really an exploit? no cgi exploits are real exploits? no exploits are real exploits? damn then there is no such thing as an exploit. in your mind.....
    Ok..Let me see if I can explain this in a way that you can understand.

    1) The original intention of Morpheus is to allow users to share files, ANY kind of files.
    2) As long as the user puts the files they want to share in a specific directory and follows directions,
    AFAIK you cannot access any other directory other than the shared one. If you can find a way of
    accessing a directory that the user is not sharing then THAT would be an exploit.

    Just because some idiot users choose to share their entire hard drives and you can access them, it does not mean you
    have found an unintended use for the program.

    Whereas if you are able to exploit a webserver that has a bug that hasn't been patched, you could say
    that you have exploited the admin's laziness/the programmer's incompetence since the specifications
    on the server never called for the program to be unable to deal with buffer overflow or whatever means
    you would be using to access it.

    There is a big difference between what happens with Morpheus and what a true exploit is..and if my explanation or that of the other
    posters here telling you don't help you understand...I don't know what else to tell you.
    Sheesh!!
    Realityisanillusioncreatedbyanalcoholdeficiency.

  2. #22
    Member
    Join Date
    Dec 2001
    Posts
    75
    Originally posted by Matty_Cross
    ...Now, if you could upload to their computer through this method... I'd say its an exploit... but you can't....
    u can.

    so using this to d/l their .passwd file and telnet into root isn't going to give u the power you want in order for it to be an exploit?




    -Guerrilla Se7en

  3. #23
    Member
    Join Date
    Dec 2001
    Posts
    75

    Re: Re: grrr........

    Originally posted by Tortured Spirit
    ...Whereas if you are able to exploit a webserver that has a bug that hasn't been patched, you could say
    that you have exploited the admin's laziness/the programmer's incompetence since the specifications on the server never called for the program to be unable to deal with buffer overflow or whatever means you would be using to access it...
    so exploiting a sys admin's stupidity (if they don't check for security updates) and exploiting a sys user's stupidity (by sharing everything) isn't the same?




    -Guerrilla Se7en

  4. #24

    Re: Re: Re: grrr........

    Originally posted by guerrillase7en


    so exploiting a sys admin's stupidity (if they don't check for security updates) and exploiting a sys user's stupidity (by sharing everything) isn't the same?

    Basically, yes. Security updates are released to patch a bug/security hole that was never intended to be there in the first place.

    With a P2P program like Morpheus, the original intention of the program was to allow ppl to
    share files from a specific directory or directories.

    AFAIU, an exploit by definition is finding a way to take advantage of a bug or security hole that
    should not exist in the first place.

    And that, to me anyway, is the difference.
    Realityisanillusioncreatedbyanalcoholdeficiency.

  5. #25
    Member
    Join Date
    Dec 2001
    Posts
    75

    Re: Re: Re: Re: grrr........

    Originally posted by Tortured Spirit
    ...take advantage of a bug or security hole that should not exist in the first place.
    ...
    it shouldn't allow you to share the whole hard drive/nor let it list *.pwl/.passwd files



    that's a security hole that shouldn't exist....




    -Guerrilla Se7en

  6. #26
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    I came across this..

    dunno if it works though...

    It's a perl script which is supposed to be a Kazaa/Morpheus Denial of Service Attack..

    (rename .txt to .pl if u wanna try)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  7. #27
    Senior Member
    Join Date
    Sep 2001
    Posts
    831
    --------------------------------------------------------------------------------
    Originally posted by guerrillase7en

    quote:
    --------------------------------------------------------------------------------
    Originally posted by Matty_Cross
    ...Now, if you could upload to their computer through this method... I'd say its an exploit... but you can't....
    --------------------------------------------------------------------------------

    u can.

    so using this to d/l their .passwd file and telnet into root isn't going to give u the power you want in order for it to be an exploit?

    --------------------------------------------------------------------------------

    Since when can you UPLOAD to their computer through this 'exploit'?

    I just re-read the 'exploit' tutorial you posted, nothing about being able to upload up there....

    guerrillase7en...
    It SHOULD let you share your whole hard-drive.. it is a file SHARING program.. the key word here is SHARING... Have you noticed, that when you're using Morpheus, there is a search option to search EVERYTHING? Does it not dawn upon you that this is there because they didn't really want to create a search category for every single type of file?

    It's meant to be able to share any type of file.

    If a user shares their whole hard drive, that is their choice.... it may not be the best choice, but it's their choice.. it isn't an exploit in the software... it's doing what it was intended to do....

    I personally am going to stop (or at least try to stop) posting to this thread, as I seem to just be repeating myself...

    I feel kinda like this...
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the sky's the limit!!"

  8. #28
    Banned
    Join Date
    Oct 2001
    Posts
    1,459
    The Morpheus/KaZaA exploit is not really an exploit..... How can you exploit someone's inability to check what files a specific program is sharing with the internet ? If those people just spent 5 seconds and clicked on a button on a toolbar they could see which files K/M is sharing.... But I guess they're too busy for that... So we should just let them have all their personal files on the internet for the world to see
    Although I have been sending messages to the people who do have *.pwl or other system files shared..... There are many more... This non-exploit doesn't only exist in K/M it exists in other file sharing programs... It's just that we choose to publicize these programs.....

    All they need to do is get hacked or something or other and then they'll be more concerned with security... They'll be picking away at the files with tweezers
    Nothing is REALLY an exploit... It's all human error... if someone had taken the time to add a few more lines of code to prevent K/M from sharing system files.... Then we wouldn't be here.
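
The "few more lines of code" check discussed above, sketched as an added example (not part of the original thread and not code from Morpheus/KaZaA): an audit of a folder before it is shared, flagging a share that is a drive root or contains the home directory, and any sensitive files inside it. Function names are hypothetical, the sample tree is constructed, and only `*.pwl` and `passwd` come from the thread; the other patterns are assumed.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# *.pwl and passwd come from the thread; the other patterns are assumed extras.
SENSITIVE_PATTERNS = ("*.pwl", "passwd", ".passwd", "shadow", "*.pst", "*.kdbx")


def is_overbroad(share, home):
    """True if the share is a filesystem root or contains the user's home."""
    share, home = Path(share).resolve(), Path(home).resolve()
    return share == Path(share.anchor) or share == home or share in home.parents


def find_sensitive(share):
    """Return share-relative paths whose file name matches a sensitive pattern."""
    share = Path(share).resolve()
    hits = []
    for root, _dirs, files in os.walk(share):  # does not follow symlinked dirs
        for name in files:
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in SENSITIVE_PATTERNS):
                hits.append((Path(root) / name).relative_to(share).as_posix())
    return sorted(hits)


def audit_share(share, home=None):
    """Summarise what a peer could list if `share` were the shared folder."""
    home = Path.home() if home is None else home
    return {"overbroad": is_overbroad(share, home), "sensitive": find_sensitive(share)}


def build_sample_tree(base):
    """Constructed sample data: a drive-like tree with one music file and two secrets."""
    for rel in ("home/user/music/song.mp3", "WINDOWS/USER.PWL", "etc/passwd"):
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
    return Path(base) / "home/user"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_tree(tmp)
        print("whole drive:", audit_share(tmp, home))
        print("music only: ", audit_share(home / "music", home))
```

A file-sharing client could run a check like this when the user picks a shared folder and refuse or warn when `overbroad` is true or `sensitive` is non-empty.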

  9. #29
    akanicknick
    Guest
    First off) that is not hacking that is just newbie sh*t
    Second) like almost everyone said it's only files in your shared folder
    Third) You are ******n stupid to even think of this as an exploit

  10. #30


    I personally am going to stop (or at least try to stop) posting to this thread, as I seem to just be repeating myself...

    I feel kinda like this...
    Amen !! My post(s) above were my last attempts to explain this..It can't be explained any clearer than has already been. SO I am gonna quit : with these kids and go on...
    Realityisanillusioncreatedbyanalcoholdeficiency.
