telegram bug that discloses user's hidden phone number (still unpatched) (exploit included)

Related tags

Security related resourcespythonmobiletelegramexploitphonebruteforcefindernumbertelethoncve-2019-15514
Overview

CVE-2019-15514

Type: Information Disclosure

Affected Users, Versions, Devices: All Telegram Users

Still not fixed/unpatched. brute.py is available exploit written under python.

Description

Suppose ali is hacktivist. His telegram user ID is 21788973 and mobile number is hidden. He lives in pakistan (+92). We can add any user to contact by phone number. We will add phones numbers from range +92-0000000000 to +92-9999999999. So if any number successfully added and that user ID is 21788973, that's mean ali number is successfully exposed !

Note: All above information supplied is hypothetical.

Remember, current example range was 9 digits long. We can reduce it more by social engineerring, sim code knowledge, password resets (specially gmail,paypal)... The more low range, the more less time will it take.

Background

This bug been exploited in wild from long. This appreciated us to investigate and open source its exploit for making telegram to patch it soon.

Proof Of Concept

Generate wordlist:

Suppose, we have an telegram victim that number starts with 92313, ends with 89 and in between there are 5 unknown digits We will generate all comibnations of number list within range 92313-xxxxx-89.

Use num_gen.py. It will write numbers to 92313xxxxx89.txt. Before, must edit following:

  • prefix: a number should starts with. Here example, its 92313
  • middle_range: total digits of unknown middle range. Here example, its 5
  • suffix: a number should ends with. Here example, its 89

Brute force:

  • *phone: insert your phone number including country code, without including spaces or +(plus)

  • *api_id: create app and insert api id. learn more

  • *api_hash: create app and api hash. learn more

  • *numlist : the path to your numbers list or wordlist

  • *username_or_id: insert numeric id or username without @ of victim. Better use kotatogram as it supports showing user id in profile.

  • use_proxy: Enable or Disable proxy

  • proxy_server: domain or ip of proxy DNS

  • proxy_secret: hex encoded secret of proxy that serves as password

  • proxy_port: numeric port, mostly 443

  • should_resume: resume capability. whether to start from where numbers left ?

  • threads: # numbers to be tried on each try, don't increase else won't work

  • delay: delay in seconds on each try to lower telegram block time interval

Features:

  1. multi-threaded i.e checks 19 numbers at time
  2. resume capability
  3. waits when blocked, time it waits equals to time telegram blocks
  4. accurate results

Credits:

I Love ALLAH + Holy Prophet + Islam and Pakistan.

Owner
Gray Programmerz
I'm day time programmer and night time thinker.
Gray Programmerz
GitHub Repository https://github.com/graysuit/CVE-2019-15514
Kunyu, more efficient corporate asset collection

Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

Knownsec, Inc. 772 Jan 05, 2023
proof-of-concept running docker container from omero web

docker-from-omero-poc proof-of-concept running docker container from omero web How-to Edit test_script.py so that the BaseClient is created pointing t

Erick Martins Ratamero 2 Jan 22, 2022
This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

22 Nov 09, 2022
Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

log4shell_finder Python port of https://github.com/mergebase/log4j-detector log4j-detector is copyright (c) 2021 - MergeBase Software Inc. https://mer

Hynek Petrak 33 Jan 04, 2023
Quickstart resources for the WiFi Nugget, a cat themed WiFi Security platform for beginners.

Quickstart resources for the WiFi Nugget, a cat themed WiFi Security platform for beginners.

HakCat 62 Jan 08, 2023
domato but as a website

ROFL-FUZZER Ths is Domato, a DOM Fuzzer from Google, but hosted as an website It generates a instance of a newtab on the template given by the user ,

Swapnadeep Som 18 Nov 22, 2021
Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

HCaptcha-Bypass Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. Not working? If it is not seeming to work for you

Dropout 17 Aug 23, 2021
neo Tool is great one in binary exploitation topic

neo Tool is great one in binary exploitation topic. instead of doing several missions by many tools and windows, you can now automate this in one tool in one session.. Enjoy it

Hamza Elansari 4 Oct 10, 2022
IDA plugin for quickly copying disassembly as encoded hex bytes

HexCopy IDA plugin for quickly copying disassembly as encoded hex bytes. This whole plugin just saves you two extra clicks... but if you are frequentl

OALabs 46 Oct 30, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 03, 2023
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the conte

hashlookup 96 Dec 20, 2022
Everything I needed to understand what was going on with "Spring4Shell" - translated source materials, exploit, links to demo apps, and more.

springcore-0day-en These are all my notes from the alleged confirmed! 0day dropped on 2022-03-29. This vulnerability is commonly referred to as "Sprin

Chris Partridge 105 Nov 26, 2022
GitGuardian Shield: protect your secrets with GitGuardian

Detect secret in source code, scan your repo for leaks. Find secrets with GitGuardian and prevent leaked credentials. GitGuardian is an automated secrets detection & remediation service.

GitGuardian 1.2k Dec 27, 2022
Attack SQL Server through gopher protocol

Attack SQL Server through gopher protocol

hack2fun 17 Nov 30, 2022
A guide to building basic malware in Python by implementing a keylogger application

Keylogger-Malware-Project A guide to building basic malware in Python by implementing a keylogger application. If you want even more detail on the Pro

Noah Davis 1 Jan 11, 2022
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022
Script checks provided domains for log4j vulnerability

log4j Script checks provided domains for log4j vulnerability. A token is created with canarytokens.org and passed as header at request for a single do

Matthias Nehls 2 Dec 12, 2021
Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Axel Souchet 220 Dec 14, 2022
👑 Discovery Header DoD Bug-Bounty

👑 Discovery Header DoD Bug-Bounty Did you know that DoD accepts server headers? 😲 (example: apache"version" , php"version") ? In this code it is pos

KingOfTips 38 Aug 09, 2022
About Hive Burp Suite Extension

Hive Burp Suite Extension Description Hive extension for Burp Suite. This extension allows you to send data from Burp to Hive in one click. Create iss

7 Dec 07, 2022