# Hostbill Source Code Released and 0-Day Exploits Found



## drmike (Jun 18, 2013)

Looks like the folks attacking SolusVM have added WHMCS and now Hostbill to their active radar.

-----------------------------------

HOSTBILL SOURCE CODE: https://mega.co.nz/#!xIEnDLKb!FQQ76xpWCDxOCa6PMO3HN0g0i0p6xeJfbLuuW1jSnZw

Exploits spotted: 6
Exploits patched: 0


----------



## maounique (Jun 18, 2013)

Good, let's see who is dealing with the problem and who is running their PR to damage control only.


----------



## Wintereise (Jun 18, 2013)

This is basically,

Step 1: Get a copy of the src floating on the net, or use a shitty decoder (which fails miserably, as demonstrated on the WHMCS screenshot)

Step 2: State there are `echo mt_rand(5, 50);` number of flaws on the product.

Step 3: See everyone lose their minds.


----------



## Tux (Jun 18, 2013)

Looks like we didn't need that $9990 for a 0-day, right?


----------



## Francisco (Jun 18, 2013)

buffalooed said:


> Looks like the folks attacking SolusVM have added WHMCS and now Hostbill to their active radar.
> 
> -----------------------------------
> 
> ...


Only the index file is decoded, the rest are still cubed.

Francisco


----------



## concerto49 (Jun 18, 2013)

Wintereise said:


> This is basically,
> 
> Step 1: Get a copy of the src floating on the net, or use a shitty decoder (which fails miserably, as demonstrated on the WHMCS screenshot)
> 
> ...


http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/#comment-121122

You again!


----------



## Wintereise (Jun 18, 2013)

concerto49 said:


> http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/#comment-121122
> 
> You again!


Hush :x


----------



## netnub (Jun 19, 2013)

Francisco said:


> Only the index file is decoded, the rest are still cubed.
> 
> 
> Francisco


It appears so, but the admin directory is decoded.


----------



## Francisco (Jun 19, 2013)

netnub said:


> It appears so, but the admin directory is decoded.


The majority is still compiled though. What is decompiled isn't even source you can throw in and go 'tada!' since the source is all over the place. There's more than a few spots where you'll see


```
Exception
new ( )
throw('.......');
```
Francisco


----------



## hook (Sep 20, 2013)

unzend.com/#ready


----------



## Echelon (Sep 23, 2013)

Is there any proof that such a service even works?


----------

