A proof of concept bot to reveal full JID upon requesting list of Ad-Hoc commands.
Find a file
2024-03-02 23:55:30 +00:00
iq_exploit.py Upload New File 2024-03-02 23:36:26 +00:00
README.md Add instructions for Gajim 2024-03-02 23:55:30 +00:00

About

This is a "proof of concept" XMPP Bot which showcase an IQ exploite found in XEP-0045: Multi-User Chat.

Instructions

Tested with Gajim.

  1. Start the bot: python iq_exploit.py -j JID -p PASSWORD;
  2. Send the bot a message with groupchat address: join JID_OF_MUC;
  3. Open groupchat;
  4. Select the bot;
  5. Right-click;
  6. Execute command...;
  7. Select Ad-Hoc command "Start".

Recommendations

Server operators are advised to disable PMs in XEP-0045 MUC.

Use XEP-???? for groupchat instead of XEP-0045.