[C++ Morph] Habbo Naked Exploit

  • Hello dudes,

    Through a Habbo vulnerability I found a big exploit.
    This is the first forum where I release the source code.
    compile this code @ a c++ editor,
    login with your normal habbo data and get the morph script code!


    greetz

    mako ~ habbo-script.to

  • This code opens a SYN Socket Connection to the Habbo Server. Then it sends some encoded bytes with AS3 code. It should simulate a look change, and then you are naked.
    Finally the generated look is hashed and so deleted.

  • Yea, the website got a maintenance break. We will be back soon.

    Currently the script just works on official habbo hotel, but we're working for the retroMorph.
    But it's a little bit different, because the HS (habbo-script) team tries to get automatically all data from the various emulators. So we're programming a hardworker bot which can get every source data from the emulator (through typing :about).

    But you can try to open a UDP Socket to 174.68.12.194 on port 2752 and send these bytes: "F4 AA 4D 7E E9". Then you should be able to reroute the Connection to your local box. Also, try to nmap the network structure of the retro to be sure you get the right port for the morph.

    greetz, habbo-script.to team

  • You should make a video or something, because your English isn't the best.

  • Nice, I mapped the network structure with a SCTP INIT over IPv6 and a spoofed MAC-Address.
    It worked out pretty nice, and I was able to cloak the protocol with these bits: "11000000 10101000 00001010 00000000".
    BTW: DEFAULT_UDP_PROBE_PORT_SPEC constant was mapped to nmap_init.h, so I changed it at compile-time.

  • Oh, you should try the "-PY22,80,179,5060" flag for direct communication with the server daemon!
    The INIT chunk suggests to the remote system that you are attempting to establish an association.
    Normally the destination port will be closed, and an ABORT chunk will be sent back.
    If the port happens to be open, the target will take the second step of an SCTP four-way-handshake
    by responding with an INIT-ACK chunk.

  • Ewaxy

    That is clear English, I understood everything.

    Translation:
    Yes, the homepage is currently under maintenance, but it will be back online soon.

    Currently the script only works on the official Habbo hotels, but we are also trying to make it compatible with the retros. That is a bit different, because habbo-script automatically tries to get ALL data from the various emulators. That is why we are programming a "hardworker" bot that gets all data directly from the emulator with the :about command.

    But you can also try to open a UDP socket to 174.68.12.194 on port 2752 and send the following bytes: "F4 AA 4D 7E E9"
    Then you should be able to reroute the connection to your local box. Furthermore you should try to scan the network structure with nmap, so you can be sure you pick the right port.

    Edited once, last by Leider (21 October 2012 at 16:21)

  • I found out something new.
    When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.
    As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK.
    It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
    The advantage of this scan type is that it is not as obvious a port scan as an INIT scan.
    Also, there may be non-stateful firewall rulesets blocking INIT chunks, but not COOKIE ECHO chunks.

  • I don't understand why people who apparently speak German and have already written German posts always have to write in English. Mystery of Retrotown...


    Both languages are allowed here, so why should you care?
    If you don't understand it, you should pay attention in school ;)
