Habbo client remote code execution exploit for private Habbo servers.
An exploit which gives you remote code execution inside the Flash sandbox on every user who visits your room. Even though it is sandboxed, you can still log usernames, IPs and client SSO tokens, because the victim's authenticated cookies are sent along with any HTTP request made from within the executed SWF.
This is a unique exploit created by myself and it only works on private servers. The reason it only works on private servers is that their PNG camera implementation is flawed.
Most private Habbo servers modify the client in such a way that it sends the raw PNG from the client instead of a JSON string containing all furni data. What they don't do is validate this PNG. By taking advantage of this, we can upload our own file: an SWF file.
I will not explain exactly how to upload this file. I wrote custom tools to automate the process, but if you cannot do this you should be fine with Tanji: modify the packet that sends the PNG file to the server and make it send your SWF binary data instead.
This will give you a black, broken-looking photo in-game. However, when you place it inside your room it will execute the SWF file for everyone in that room and for those who join it later.
This also works for room thumbnails, and it should also work when previewing photos during a trade; however, most hotels have implemented photo previews incorrectly, which causes it not to work there.
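The root cause stated above is that the emulator stores whatever bytes arrive in the camera packet without checking that they are a PNG. The following is an added example, not code from this repository or from any Habbo emulator, of the server-side check a hotel could run on the upload before persisting it: it rejects the SWF magic numbers outright, then walks the PNG chunk structure (signature, IHDR first, chunk CRCs, at least one IDAT, IEND exactly at the end) so that a non-image cannot be smuggled through. The size and dimension limits are hypothetical, and the sample inputs are constructed inline.

```python
import struct
import zlib
from typing import Tuple

# Eight-byte PNG file signature (PNG spec, section 5.2).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Leading bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
# Hypothetical limits; a real hotel would tune these to its camera settings.
MAX_UPLOAD_BYTES = 512 * 1024
MAX_DIMENSION = 1024


class InvalidPhoto(ValueError):
    """Raised when an uploaded camera photo is not a well-formed PNG."""


def validate_camera_png(data: bytes) -> Tuple[int, int]:
    """Return (width, height) if `data` is a structurally valid PNG.

    Walks every chunk, verifies its CRC, requires the file to start with
    IHDR, contain at least one IDAT and end exactly at IEND. Anything
    else (including an SWF submitted as a photo) raises InvalidPhoto.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise InvalidPhoto("upload too large")
    if data[:3] in SWF_SIGNATURES:
        raise InvalidPhoto("Flash file submitted as a photo")
    if not data.startswith(PNG_SIGNATURE):
        raise InvalidPhoto("missing PNG signature")

    pos = len(PNG_SIGNATURE)
    width = height = 0
    first_chunk = True
    saw_idat = False
    while True:
        if pos + 8 > len(data):
            raise InvalidPhoto("truncated chunk header or missing IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            raise InvalidPhoto("chunk length overruns the file")
        body = data[body_start:body_end]
        (stored_crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        # CRC covers the chunk type and body, not the length field.
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise InvalidPhoto("CRC mismatch in %r chunk" % ctype)
        if first_chunk:
            if ctype != b"IHDR" or length != 13:
                raise InvalidPhoto("first chunk is not IHDR")
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise InvalidPhoto("unreasonable image dimensions")
            first_chunk = False
        elif ctype == b"IDAT":
            saw_idat = True
        elif ctype == b"IEND":
            if body_end + 4 != len(data):
                raise InvalidPhoto("trailing data after IEND")
            break
        pos = body_end + 4
    if not saw_idat:
        raise InvalidPhoto("no image data (IDAT) chunk")
    return width, height


def is_valid_camera_png(data: bytes) -> bool:
    """Boolean wrapper a camera packet handler can call before storing the upload."""
    try:
        validate_camera_png(data)
        return True
    except InvalidPhoto:
        return False


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a tiny opaque black 8-bit RGBA PNG (filter type 0 per row)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    # Constructed samples: a real photo, an SWF header, and a tampered PNG.
    good = build_minimal_png(4, 2)
    fake_swf = b"CWS\x0a" + b"\x00" * 28                       # only the magic matters here
    tampered = good[:45] + bytes([good[45] ^ 0xFF]) + good[46:]  # flips a byte inside IDAT
    for label, blob in (("photo", good), ("swf", fake_swf), ("tampered", tampered)):
        print(label, is_valid_camera_png(blob))
```

This structural check belongs in front of, not instead of, a full decode with an image library, and it pairs with the origin point made later on this page: because the proof of concept only fires when the SWF is served from the same domain as Habbo.swf, storing uploads on a separate origin and returning them with Content-Type image/png and X-Content-Type-Options: nosniff removes the second condition the exploit relies on.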
Contains the ActionScript 3 code that loads and executes a SWF file from a remote server. This can be used instead of the malicious SWF itself, so that you can update it without needing to re-upload your SWF to the hotel.
This contains the "malicious" code, which fetches information about the current user from the hotel website and submits it to a backend.
There is also a proof of concept for messing with the client directly inside Habbo.as. This only works when the SWF is uploaded to the same domain as the Habbo.swf client; this has to do with cross-site scripting restrictions and the crossdomain configuration.