Budabot 4.0 denial of service (poc) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-12-03 |
Type : dos |
Platform : linux
This exploit / vulnerability Budabot 4.0 denial of service (poc) is for educational purposes only and if it is used you will do on your own risk!
# 1. Description
# In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation
# allows remote attackers to perform a command injection attack against the
# PHP daemon with a crafted command, resulting in a denial of service or
# possibly unspecified other impact. In versions before 3.0,
# modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above,
# modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.
# 2. Proof of Concept
Start the Budabot listener, set valid configuration options, and wait for
the chatbot to announce it's ready in-game.
Send the chatbot a private message containing "!calc 5 x 5", and the
Budabot listener will terminate.