/* Worked on latest version for me
 * http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
 * elog-latest.tar.gz 26-Jan-2005 21:36 519K
 * Default port 8080.
 * str0ke */

/*

Hi there, someone has brought to u a gift.

ELOG Remote Shell Exploit <= 2.5.6 (Also for future Versions)

Updated On 18/April/2004

LOCK YOUR LOGBOOKZ, THERE IS A SPY IN THE WILD!

Bug: Sorry, we do not support fool-disclosure.

Characteristicz : Fully Automated Filling Mechanism, steal/decode base_64 ELOG _write_ passwordz.
(breaking into write-password-protected servers)

Targeting : objdump -t elogd | grep _mtext <----- your magic jumping address.
Change that value with one of the targets below. If the ret lookz like 0x09..
then that means elogd version is 2.5.5 or greater. If 0x8.. then < 2.5.5
Note: The buffer-length in linux varies from one distro to another, like the BSD one,
so do not add shit to the target area unless u know what u r doing.

Tricks i : Some hosts use the Elog daemon under the Apache mod_proxy module,
so u'd better force yourself a bit and port scan that host in order to get the elog port.
(Be warned, most of the serverz we owned had at least 2 running elog http servers.)

ii : If U can _not_ get the write pazzword for a logbook, then try other logbooks
(especially happens when the background mode is enabled).


iii : If u happen to meet a logbook which has more than 10 attribute/optionz
then add more globalz to the global sectionz of this code; now it supportz
10 att/opt, i haven't seen more than this Yet!.

Challenge: Find the other 2 heap and 1 url traversal bugs in elogd. (Both exploitable)

Finally A big FUCK to the Sn2 for leaki